The Secure Shell (SSH) Authentication Protocol
RFC 4252
|
| Document |
Type |
|
RFC - Proposed Standard
(January 2006; Errata)
|
|
Last updated |
|
2015-10-14
|
|
Stream |
|
IETF
|
|
Formats |
|
plain text
pdf
htmlized
with errata
bibtex
|
| Stream |
WG state
|
|
WG Document
|
|
Document shepherd |
|
No shepherd assigned
|
| IESG |
IESG state |
|
RFC 4252 (Proposed Standard)
|
|
Consensus Boilerplate |
|
Unknown
|
|
Telechat date |
|
|
|
Responsible AD |
|
Russ Housley
|
|
Send notices to |
|
(None)
|
Network Working Group T. Ylonen
Request for Comments: 4252 SSH Communications Security Corp
Category: Standards Track C. Lonvick, Ed.
Cisco Systems, Inc.
January 2006
The Secure Shell (SSH) Authentication Protocol
Status of This Memo
This document specifies an Internet standards track protocol for the
Internet community, and requests discussion and suggestions for
improvements. Please refer to the current edition of the "Internet
Official Protocol Standards" (STD 1) for the standardization state
and status of this protocol. Distribution of this memo is unlimited.
Copyright Notice
Copyright (C) The Internet Society (2006).
Abstract
The Secure Shell Protocol (SSH) is a protocol for secure remote login
and other secure network services over an insecure network. This
document describes the SSH authentication protocol framework and
public key, password, and host-based client authentication methods.
Additional authentication methods are described in separate
documents. The SSH authentication protocol runs on top of the SSH
transport layer protocol and provides a single authenticated tunnel
for the SSH connection protocol.
Ylonen & Lonvick Standards Track [Page 1]
RFC 4252 SSH Authentication Protocol January 2006
Table of Contents
1. Introduction ....................................................2
2. Contributors ....................................................3
3. Conventions Used in This Document ...............................3
4. The Authentication Protocol Framework ...........................4
5. Authentication Requests .........................................4
5.1. Responses to Authentication Requests .......................5
5.2. The "none" Authentication Request ..........................7
5.3. Completion of User Authentication ..........................7
5.4. Banner Message .............................................7
6. Authentication Protocol Message Numbers .........................8
7. Public Key Authentication Method: "publickey" ...................8
8. Password Authentication Method: "password" .....................10
9. Host-Based Authentication: "hostbased" .........................12
10. IANA Considerations ...........................................14
11. Security Considerations .......................................14
12. References ....................................................15
12.1. Normative References .....................................15
12.2. Informative References ...................................15
Authors' Addresses ................................................16
Trademark Notice ..................................................16
1. Introduction
The SSH authentication protocol is a general-purpose user
authentication protocol. It is intended to be run over the SSH
transport layer protocol [SSH-TRANS]. This protocol assumes that the
underlying protocols provide integrity and confidentiality
protection.
This document should be read only after reading the SSH architecture
document [SSH-ARCH]. This document freely uses terminology and
notation from the architecture document without reference or further
explanation.
The 'service name' for this protocol is "ssh-userauth".
When this protocol starts, it receives the session identifier from
the lower-level protocol (this is the exchange hash H from the first
key exchange). The session identifier uniquely identifies this
session and is suitable for signing in order to prove ownership of a
private key. This protocol also needs to know whether the lower-
level protocol provides confidentiality protection.
Ylonen & Lonvick Standards Track [Page 2]
RFC 4252 SSH Authentication Protocol January 2006
2. Contributors
The major original contributors of this set of documents have been:
Tatu Ylonen, Tero Kivinen, Timo J. Rinne, Sami Lehtinen (all of SSH
Communications Security Corp), and Markku-Juhani O. Saarinen
(University of Jyvaskyla). Darren Moffat was the original editor of
this set of documents and also made very substantial contributions.
Many people contributed to the development of this document over the
years. People who should be acknowledged include Mats Andersson, Ben
Harris, Bill Sommerfeld, Brent McClure, Niels Moller, Damien Miller,
Derek Fawcus, Frank Cusack, Heikki Nousiainen, Jakob Schlyter, Jeff
Van Dyke, Jeffrey Altman, Jeffrey Hutzelman, Jon Bright, Joseph
Galbraith, Ken Hornstein, Markus Friedl, Martin Forssen, Nicolas
Williams, Niels Provos, Perry Metzger, Peter Gutmann, Simon
Show full document text