Network Working Group                                       J. Galbraith
Request for Comments: 4716                              VanDyke Software
Category: Informational                                        R. Thayer
                                                          Canola & Jones
                                                           November 2006
The Secure Shell (SSH) Public Key File Format
Status of This Memo
This memo provides information for the Internet community. It does
not specify an Internet standard of any kind. Distribution of this
memo is unlimited.
Copyright Notice
Copyright (C) The IETF Trust (2006).
Abstract
This document formally documents an existing public key file format
in use for exchanging public keys between different Secure Shell
(SSH) implementations.
In addition, this document defines a standard textual representation
for SSH public key fingerprints.
Table of Contents
1. Introduction ....................................................2
2. Conventions Used in This Document ...............................2
3. Key File Format .................................................2
3.1. Line Termination Characters ................................2
3.2. Begin and End Markers ......................................3
3.3. Key File Header ............................................3
3.3.1. Subject Header ......................................3
3.3.2. Comment Header ......................................4
3.3.3. Private Use Headers .................................4
3.4. Public Key File Body .......................................4
3.5. Differences with RFC 1421 PEM Formats ......................4
3.6. Examples ...................................................5
4. Public Key Fingerprints .........................................6
5. IANA Considerations .............................................6
6. Security Considerations .........................................7
7. References ......................................................8
7.1. Normative References .......................................8
7.2. Informative References .....................................8
Galbraith & Thayer Informational [Page 1]
RFC 4716 SSH Public Key File Format November 2006
1. Introduction
The SSH protocol supports the use of public/private key pairs in
order to perform authentication based on public key cryptography.
However, in order to use public key authentication in the SSH
protocol, public keys must first be exchanged between client and
server.
This document formally describes an existing public key file format
that can be used with any of the common existing file transfer
mechanisms in order to exchange public keys.
The SSH protocol also uses public/private key pairs to authenticate
the server. In this scenario, it is important to verify that the
public key provided by the server is indeed the server's public key.
This document describes a mechanism for creating a short text string
that uniquely represents a particular public key, called
fingerprinting.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this
document are to be interpreted as described in [RFC2119].
3. Key File Format
In order to implement public key authentication, SSH implementations
must share public key files between the client and the server in
order to interoperate.
A key file is a text file, containing a sequence of lines. Each line
in the file MUST NOT be longer than 72 8-bit bytes excluding line
termination characters.
3.1. Line Termination Characters
Implementations SHOULD generate public key files using their system's
local text file representation.
In the event that public key files are not transferred as text files,
implementations SHOULD be prepared to read files using any of the
common line termination sequences: <CR>, <LF>, or <CR><LF>.
3.2. Begin and End Markers
The first line of a conforming key file MUST be a begin marker, which
is the literal text:
---- BEGIN SSH2 PUBLIC KEY ----
The last line of a conforming key file MUST be an end marker, which
is the literal text:
---- END SSH2 PUBLIC KEY ----
3.3. Key File Header
The key file header section consists of multiple RFC822-style header
fields. Each field is a line of the following format:
Header-tag ':' ' ' Header-value
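A small parser that applies the rules given in Section 3 (the 72-byte line limit, CR/LF/CRLF terminators, the begin and end markers of Section 3.2, and the header syntax and tag/value length limits of Section 3.3) is added here as an example; it is not part of the RFC. It assumes the body is the base64-encoded RFC 4253 public key blob, that each header fits on one line, and it builds its own constructed toy sample rather than using a real key.

```python
import base64
import re
import struct

BEGIN = b"---- BEGIN SSH2 PUBLIC KEY ----"   # Section 3.2 markers
END = b"---- END SSH2 PUBLIC KEY ----"
MAX_LINE = 72     # Section 3: bytes per line, excluding the terminator
MAX_TAG = 64      # Section 3.3: Header-tag limit
MAX_VALUE = 1024  # Section 3.3: Header-value limit


def parse_rfc4716(data: bytes) -> dict:
    """Parse an RFC 4716 key file; raise ValueError on any rule violation."""
    # Section 3.1: readers must accept CR, LF or CRLF line terminators.
    lines = re.split(rb"\r\n|\r|\n", data.rstrip(b"\r\n"))
    for n, line in enumerate(lines, 1):
        if len(line) > MAX_LINE:
            raise ValueError(f"line {n} exceeds {MAX_LINE} bytes")
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("missing begin or end marker")
    headers, body = {}, []
    for line in lines[1:-1]:
        # Header line: Header-tag ':' ' ' Header-value (tag is case-insensitive).
        # Base64 body lines can never contain ": ", so the split is unambiguous.
        if b": " in line and not body:
            tag, value = line.split(b": ", 1)
            if len(tag) > MAX_TAG or len(value) > MAX_VALUE:
                raise ValueError("header field exceeds its length limit")
            headers[tag.decode("ascii").lower()] = value.decode("utf-8")
        else:
            body.append(line)
    blob = base64.b64decode(b"".join(body), validate=True)
    # The body is the SSH public key blob (RFC 4253 encoding): its first field is
    # a uint32-length-prefixed string giving the key type, e.g. "ssh-rsa".
    if len(blob) < 4:
        raise ValueError("empty key body")
    (tlen,) = struct.unpack(">I", blob[:4])
    return {"headers": headers, "key_type": blob[4:4 + tlen].decode("ascii"), "blob": blob}


def build_sample(key_type: bytes = b"ssh-rsa", eol: bytes = b"\n") -> bytes:
    """Constructed sample file (hypothetical toy key, not a usable public key)."""
    blob = struct.pack(">I", len(key_type)) + key_type
    blob += struct.pack(">I", 1) + b"\x03" + struct.pack(">I", 3) + b"\x00\xff\xff"
    b64 = base64.b64encode(blob)
    lines = [BEGIN, b'Comment: "constructed sample"', b"Subject: example-user"]
    lines += [b64[i:i + MAX_LINE] for i in range((0), len(b64), MAX_LINE)]  # wrap at 72
    return eol.join(lines + [END]) + eol
```

Feeding `build_sample()` to `parse_rfc4716` returns the lower-cased headers and the key type, while an over-long line or a missing marker is rejected before the body is decoded.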
The Header-tag MUST NOT be more than 64 8-bit bytes and is
case-insensitive. The Header-value MUST NOT be more than 1024 8-bit