The Secure Shell (SSH) Authentication Protocol
RFC 4252

Document type: RFC - Proposed Standard (January 2006; Errata)
Document stream: IETF
Last updated: 2013-03-02
Other versions: plain text, pdf, html

IETF State: WG Document
Consensus: Unknown
Document shepherd: No shepherd assigned

IESG State: RFC 4252 (Proposed Standard)
Responsible AD: Russ Housley
Send notices to: <sommerfeld@sun.com>

Network Working Group                                          T. Ylonen
Request for Comments: 4252              SSH Communications Security Corp
Category: Standards Track                                C. Lonvick, Ed.
                                                     Cisco Systems, Inc.
                                                            January 2006

             The Secure Shell (SSH) Authentication Protocol

Status of This Memo

   This document specifies an Internet standards track protocol for the
   Internet community, and requests discussion and suggestions for
   improvements.  Please refer to the current edition of the "Internet
   Official Protocol Standards" (STD 1) for the standardization state
   and status of this protocol.  Distribution of this memo is unlimited.

Copyright Notice

   Copyright (C) The Internet Society (2006).

Abstract

   The Secure Shell Protocol (SSH) is a protocol for secure remote login
   and other secure network services over an insecure network.  This
   document describes the SSH authentication protocol framework and
   public key, password, and host-based client authentication methods.
   Additional authentication methods are described in separate
   documents.  The SSH authentication protocol runs on top of the SSH
   transport layer protocol and provides a single authenticated tunnel
   for the SSH connection protocol.

Ylonen & Lonvick            Standards Track                     [Page 1]
RFC 4252              SSH Authentication Protocol           January 2006

Table of Contents

   1. Introduction ....................................................2
   2. Contributors ....................................................3
   3. Conventions Used in This Document ...............................3
   4. The Authentication Protocol Framework ...........................4
   5. Authentication Requests .........................................4
      5.1. Responses to Authentication Requests .......................5
      5.2. The "none" Authentication Request ..........................7
      5.3. Completion of User Authentication ..........................7
      5.4. Banner Message .............................................7
   6. Authentication Protocol Message Numbers .........................8
   7. Public Key Authentication Method: "publickey" ...................8
   8. Password Authentication Method: "password" .....................10
   9. Host-Based Authentication: "hostbased" .........................12
   10. IANA Considerations ...........................................14
   11. Security Considerations .......................................14
   12. References ....................................................15
      12.1. Normative References .....................................15
      12.2. Informative References ...................................15
   Authors' Addresses ................................................16
   Trademark Notice ..................................................16

1.  Introduction

   The SSH authentication protocol is a general-purpose user
   authentication protocol.  It is intended to be run over the SSH
   transport layer protocol [SSH-TRANS].  This protocol assumes that the
   underlying protocols provide integrity and confidentiality
   protection.

   This document should be read only after reading the SSH architecture
   document [SSH-ARCH].  This document freely uses terminology and
   notation from the architecture document without reference or further
   explanation.

   The 'service name' for this protocol is "ssh-userauth".

   When this protocol starts, it receives the session identifier from
   the lower-level protocol (this is the exchange hash H from the first
   key exchange).  The session identifier uniquely identifies this
   session and is suitable for signing in order to prove ownership of a
   private key.  This protocol also needs to know whether the lower-
   level protocol provides confidentiality protection.
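   The paragraph above says the session identifier is "suitable for
   signing in order to prove ownership of a private key".  The following
   added example (not part of RFC 4252 or of any SSH implementation) shows
   why that binding matters: a "publickey" client signs a buffer whose
   first field is the session identifier, so a server that rebuilds the
   buffer from its own session identifier will reject a signature captured
   from a different session.  The buffer layout and the message number 50
   are taken from sections 6 and 7 of the full RFC, which this page does
   not reproduce; the Ed25519 key, the user name "alice", and the two
   SHA-256 digests standing in for the exchange hash H are constructed
   for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// SSH_MSG_USERAUTH_REQUEST is message number 50 (RFC 4252 section 6).
const msgUserauthRequest byte = 50

// sshString encodes an SSH "string": uint32 big-endian length, then the bytes.
func sshString(b []byte) []byte {
	out := make([]byte, 4+len(b))
	binary.BigEndian.PutUint32(out, uint32(len(b)))
	copy(out[4:], b)
	return out
}

// sshBool encodes an SSH "boolean" as one byte (1 = TRUE, 0 = FALSE).
func sshBool(v bool) []byte {
	if v {
		return []byte{1}
	}
	return []byte{0}
}

// ed25519Blob builds the "ssh-ed25519" public key blob: string algorithm
// name followed by string raw key bytes.
func ed25519Blob(pub ed25519.PublicKey) []byte {
	return append(sshString([]byte("ssh-ed25519")), sshString(pub)...)
}

// userauthSignedData builds the data a "publickey" client signs (layout from
// RFC 4252 section 7). The session identifier comes first, so the signature
// is tied to the key exchange that produced it.
func userauthSignedData(sessionID []byte, user, service string, pub ed25519.PublicKey) []byte {
	var buf bytes.Buffer
	buf.Write(sshString(sessionID))
	buf.WriteByte(msgUserauthRequest)
	buf.Write(sshString([]byte(user)))
	buf.Write(sshString([]byte(service)))
	buf.Write(sshString([]byte("publickey")))
	buf.Write(sshBool(true))
	buf.Write(sshString([]byte("ssh-ed25519")))
	buf.Write(sshString(ed25519Blob(pub)))
	return buf.Bytes()
}

// signUserauth is the client side: sign the session-bound buffer.
func signUserauth(priv ed25519.PrivateKey, sessionID []byte, user, service string) []byte {
	pub := priv.Public().(ed25519.PublicKey)
	return ed25519.Sign(priv, userauthSignedData(sessionID, user, service, pub))
}

// verifyUserauth is the server side: rebuild the buffer from the server's
// OWN session identifier (never one supplied by the client) and verify.
func verifyUserauth(pub ed25519.PublicKey, sessionID []byte, user, service string, sig []byte) bool {
	return ed25519.Verify(pub, userauthSignedData(sessionID, user, service, pub), sig)
}

// demo signs for one session and checks the same signature against a second
// session identifier. Returns (acceptedInOwnSession, acceptedInOtherSession).
func demo() (bool, bool) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	// Constructed stand-ins for the exchange hash H of two key exchanges.
	h1 := sha256.Sum256([]byte("constructed exchange hash, session 1"))
	h2 := sha256.Sum256([]byte("constructed exchange hash, session 2"))
	sig := signUserauth(priv, h1[:], "alice", "ssh-connection")
	return verifyUserauth(pub, h1[:], "alice", "ssh-connection", sig),
		verifyUserauth(pub, h2[:], "alice", "ssh-connection", sig)
}

func main() {
	own, other := demo()
	fmt.Printf("own session: %v, other session: %v\n", own, other)
}
```

   The point a verifier implementer should take from the server side is
   that the session identifier used to rebuild the signed data must come
   from the server's own key exchange state; a server that accepted a
   session identifier carried inside the request would lose the binding
   the RFC relies on.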


2.  Contributors

   The major original contributors of this set of documents have been:
   Tatu Ylonen, Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH
   Communications Security Corp), and Markku-Juhani O. Saarinen
   (University of Jyvaskyla).  Darren Moffat was the original editor of
   this set of documents and also made very substantial contributions.

   Many people contributed to the development of this document over the
   years.  People who should be acknowledged include Mats Andersson, Ben