1This documents OpenSSH's deviations and extensions to the published SSH 2protocol. 3 4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5filexfer protocol described in: 6 7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8 9Newer versions of the draft will not be supported, though some features 10are individually implemented as extensions described below. 11 12The protocol used by OpenSSH's ssh-agent is described in the file 13PROTOCOL.agent 14 151. Transport protocol changes 16 171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 18 19This is a new transport-layer MAC method using the UMAC algorithm 20(rfc4418). This method is identical to the "umac-64" method documented 21in: 22 23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24 251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 26 27This transport-layer compression method uses the zlib compression 28algorithm (identical to the "zlib" method in rfc4253), but delays the 29start of compression until after authentication has completed. This 30avoids exposing compression code to attacks from unauthenticated users. 31 32The method is documented in: 33 34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35 361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com", 37 "ssh-dsa-cert-v01@openssh.com", 38 "ecdsa-sha2-nistp256-cert-v01@openssh.com", 39 "ecdsa-sha2-nistp384-cert-v01@openssh.com" and 40 "ecdsa-sha2-nistp521-cert-v01@openssh.com" 41 42OpenSSH introduces new public key algorithms to support certificate 43authentication for users and host keys. These methods are documented 44in the file PROTOCOL.certkeys 45 461.4. transport: Elliptic Curve cryptography 47 48OpenSSH supports ECC key exchange and public key authentication as 49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 51curve points encoded using point compression are NOT accepted or 52generated. 53 541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 55 56OpenSSH supports MAC algorithms, whose names contain "-etm", that 57perform the calculations in a different order to that defined in RFC 584253. These variants use the so-called "encrypt then MAC" ordering, 59calculating the MAC over the packet ciphertext rather than the 60plaintext. This ordering closes a security flaw in the SSH transport 61protocol, where decryption of unauthenticated ciphertext provided a 62"decryption oracle" that could, in conjunction with cipher flaws, reveal 63session plaintext. 64 65Specifically, the "-etm" MAC algorithms modify the transport protocol 66to calculate the MAC over the packet ciphertext and to send the packet 67length unencrypted. This is necessary for the transport to obtain the 68length of the packet and location of the MAC tag so that it may be 69verified without decrypting unauthenticated data. 70 71As such, the MAC covers: 72 73 mac = MAC(key, sequence_number || packet_length || encrypted_packet) 74 75where "packet_length" is encoded as a uint32 and "encrypted_packet" 76contains: 77 78 byte padding_length 79 byte[n1] payload; n1 = packet_length - padding_length - 1 80 byte[n2] random padding; n2 = padding_length 81 821.6 transport: AES-GCM 83 84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 85Because of problems with the specification of the key exchange 86the behaviour of OpenSSH differs from the RFC as follows: 87 88AES-GCM is only negotiated as the cipher algorithms 89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as 90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher 91the exchanged MAC algorithms are ignored and there doesn't have to be 92a matching MAC. 93 941.7 transport: chacha20-poly1305@openssh.com authenticated encryption 95 96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 97as described in PROTOCOL.chacha20poly1305. 98 991.8 transport: curve25519-sha256@libssh.org key exchange algorithm 100 101OpenSSH supports the use of ECDH in Curve25519 for key exchange as 102described at: 103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 104 105This is identical to curve25519-sha256 as later published in RFC8731. 106 1071.9 transport: ping facility 108 109OpenSSH implements a transport level ping message SSH2_MSG_PING 110and a corresponding SSH2_MSG_PONG reply. 111 112#define SSH2_MSG_PING 192 113#define SSH2_MSG_PONG 193 114 115The ping message is simply: 116 117 byte SSH_MSG_PING 118 string data 119 120The reply copies the data (which may be the empty string) from the 121ping: 122 123 byte SSH_MSG_PONG 124 string data 125 126Replies are sent in order. They are sent immediately except when rekeying 127is in progress, in which case they are queued until rekeying completes. 128 129The server advertises support for these messages using the 130SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message: 131 132 string "ping@openssh.com" 133 string "0" (version) 134 135The ping/reply message is implemented at the transport layer rather 136than as a named global or channel request to allow pings with very 137short packet lengths, which would not be possible with other 138approaches. 139 1401.10 transport: strict key exchange extension 141 142OpenSSH supports a number of transport-layer hardening measures under 143a "strict KEX" feature. This feature is signalled similarly to the 144RFC8308 ext-info feature: by including a additional algorithm in the 145initial SSH2_MSG_KEXINIT kex_algorithms field. The client may append 146"kex-strict-c-v00@openssh.com" to its kex_algorithms and the server 147may append "kex-strict-s-v00@openssh.com". These pseudo-algorithms 148are only valid in the initial SSH2_MSG_KEXINIT and MUST be ignored 149if they are present in subsequent SSH2_MSG_KEXINIT packets. 150 151When an endpoint that supports this extension observes this algorithm 152name in a peer's KEXINIT packet, it MUST make the following changes to 153the protocol: 154 155a) During initial KEX, terminate the connection if out-of-sequence 156 packet or any message that is not strictly required by KEX is 157 received. This includes terminating the connection if the first 158 packet received is not SSH2_MSG_KEXINIT. Unexpected packets for 159 the purpose of strict KEX include messages that are otherwise 160 valid at any time during the connection such as SSH2_MSG_DEBUG, 161 SSH2_MSG_IGNORE or SSH2_MSG_UNIMPLEMENTED. 162b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the 163 packet sequence number to zero. This behaviour persists for the 164 duration of the connection (i.e. not just the first 165 SSH2_MSG_NEWKEYS). 166 1671.11 transport: SSH2_MSG_EXT_INFO during user authentication 168 169This protocol extension allows the SSH2_MSG_EXT_INFO to be sent 170during user authentication. RFC8308 does allow a second 171SSH2_MSG_EXT_INFO notification, but it may only be sent at the end 172of user authentication and this is too late to signal per-user 173server signature algorithms. 174 175Support for receiving the SSH2_MSG_EXT_INFO message during user 176authentication is signalled by the client including a 177"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO 178set after the SSH2_MSG_NEWKEYS message. 179 180A server that supports this extension MAY send a second 181SSH2_MSG_EXT_INFO message any time after the client's first 182SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails. 183The client SHOULD be prepared to update the server-sig-algs that 184it received during an earlier SSH2_MSG_EXT_INFO with the later one. 185 1862. Connection protocol changes 187 1882.1. connection: Channel write close extension "eow@openssh.com" 189 190The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 191message to allow an endpoint to signal its peer that it will send no 192more data over a channel. Unfortunately, there is no symmetric way for 193an endpoint to request that its peer should cease sending data to it 194while still keeping the channel open for the endpoint to send data to 195the peer. 196 197This is desirable, since it saves the transmission of data that would 198otherwise need to be discarded and it allows an endpoint to signal local 199processes of the condition, e.g. by closing the corresponding file 200descriptor. 201 202OpenSSH implements a channel extension message to perform this 203signalling: "eow@openssh.com" (End Of Write). This message is sent by 204an endpoint when the local output of a session channel is closed or 205experiences a write error. The message is formatted as follows: 206 207 byte SSH_MSG_CHANNEL_REQUEST 208 uint32 recipient channel 209 string "eow@openssh.com" 210 boolean FALSE 211 212On receiving this message, the peer SHOULD cease sending data of 213the channel and MAY signal the process from which the channel data 214originates (e.g. by closing its read file descriptor). 215 216As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 217remain open after a "eow@openssh.com" has been sent and more data may 218still be sent in the other direction. This message does not consume 219window space and may be sent even if no window space is available. 220 221NB. due to certain broken SSH implementations aborting upon receipt 222of this message (in contravention of RFC4254 section 5.4), this 223message is only sent to OpenSSH peers (identified by banner). 224Other SSH implementations may be listed to receive this message 225upon request. 226 2272.2. connection: disallow additional sessions extension 228 "no-more-sessions@openssh.com" 229 230Most SSH connections will only ever request a single session, but a 231attacker may abuse a running ssh client to surreptitiously open 232additional sessions under their control. OpenSSH provides a global 233request "no-more-sessions@openssh.com" to mitigate this attack. 234 235When an OpenSSH client expects that it will never open another session 236(i.e. it has been started with connection multiplexing disabled), it 237will send the following global request: 238 239 byte SSH_MSG_GLOBAL_REQUEST 240 string "no-more-sessions@openssh.com" 241 char want-reply 242 243On receipt of such a message, an OpenSSH server will refuse to open 244future channels of type "session" and instead immediately abort the 245connection. 246 247Note that this is not a general defence against compromised clients 248(that is impossible), but it thwarts a simple attack. 249 250NB. due to certain broken SSH implementations aborting upon receipt 251of this message, the no-more-sessions request is only sent to OpenSSH 252servers (identified by banner). Other SSH implementations may be 253listed to receive this message upon request. 254 2552.3. connection: Tunnel forward extension "tun@openssh.com" 256 257OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 258channel type. This channel type supports forwarding of network packets 259with datagram boundaries intact between endpoints equipped with 260interfaces like the BSD tun(4) device. Tunnel forwarding channels are 261requested by the client with the following packet: 262 263 byte SSH_MSG_CHANNEL_OPEN 264 string "tun@openssh.com" 265 uint32 sender channel 266 uint32 initial window size 267 uint32 maximum packet size 268 uint32 tunnel mode 269 uint32 remote unit number 270 271The "tunnel mode" parameter specifies whether the tunnel should forward 272layer 2 frames or layer 3 packets. It may take one of the following values: 273 274 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 275 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 276 277The "tunnel unit number" specifies the remote interface number, or may 278be 0x7fffffff to allow the server to automatically choose an interface. A 279server that is not willing to open a client-specified unit should refuse 280the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 281open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 282 283Once established the client and server may exchange packet or frames 284over the tunnel channel by encapsulating them in SSH protocol strings 285and sending them as channel data. This ensures that packet boundaries 286are kept intact. Specifically, packets are transmitted using normal 287SSH_MSG_CHANNEL_DATA packets: 288 289 byte SSH_MSG_CHANNEL_DATA 290 uint32 recipient channel 291 string data 292 293The contents of the "data" field for layer 3 packets is: 294 295 uint32 packet length 296 uint32 address family 297 byte[packet length - 4] packet data 298 299The "address family" field identifies the type of packet in the message. 300It may be one of: 301 302 SSH_TUN_AF_INET 2 /* IPv4 */ 303 SSH_TUN_AF_INET6 24 /* IPv6 */ 304 305The "packet data" field consists of the IPv4/IPv6 datagram itself 306without any link layer header. 307 308The contents of the "data" field for layer 2 packets is: 309 310 uint32 packet length 311 byte[packet length] frame 312 313The "frame" field contains an IEEE 802.3 Ethernet frame, including 314header. 315 3162.4. connection: Unix domain socket forwarding 317 318OpenSSH supports local and remote Unix domain socket forwarding 319using the "streamlocal" extension. Forwarding is initiated as per 320TCP sockets but with a single path instead of a host and port. 321 322Similar to direct-tcpip, direct-streamlocal is sent by the client 323to request that the server make a connection to a Unix domain socket. 324 325 byte SSH_MSG_CHANNEL_OPEN 326 string "direct-streamlocal@openssh.com" 327 uint32 sender channel 328 uint32 initial window size 329 uint32 maximum packet size 330 string socket path 331 string reserved 332 uint32 reserved 333 334Similar to forwarded-tcpip, forwarded-streamlocal is sent by the 335server when the client has previously send the server a streamlocal-forward 336GLOBAL_REQUEST. 337 338 byte SSH_MSG_CHANNEL_OPEN 339 string "forwarded-streamlocal@openssh.com" 340 uint32 sender channel 341 uint32 initial window size 342 uint32 maximum packet size 343 string socket path 344 string reserved for future use 345 346The reserved field is not currently defined and is ignored on the 347remote end. It is intended to be used in the future to pass 348information about the socket file, such as ownership and mode. 349The client currently sends the empty string for this field. 350 351Similar to tcpip-forward, streamlocal-forward is sent by the client 352to request remote forwarding of a Unix domain socket. 353 354 byte SSH2_MSG_GLOBAL_REQUEST 355 string "streamlocal-forward@openssh.com" 356 boolean TRUE 357 string socket path 358 359Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent 360by the client cancel the forwarding of a Unix domain socket. 361 362 byte SSH2_MSG_GLOBAL_REQUEST 363 string "cancel-streamlocal-forward@openssh.com" 364 boolean FALSE 365 string socket path 366 3672.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" 368and "hostkeys-prove-00@openssh.com" 369 370OpenSSH supports a protocol extension allowing a server to inform 371a client of all its protocol v.2 host keys after user-authentication 372has completed. 373 374 byte SSH_MSG_GLOBAL_REQUEST 375 string "hostkeys-00@openssh.com" 376 char 0 /* want-reply */ 377 string[] hostkeys 378 379Upon receiving this message, a client should check which of the 380supplied host keys are present in known_hosts. 381 382Note that the server may send key types that the client does not 383support. The client should disregard such keys if they are received. 384 385If the client identifies any keys that are not present for the host, 386it should send a "hostkeys-prove@openssh.com" message to request the 387server prove ownership of the private half of the key. 388 389 byte SSH_MSG_GLOBAL_REQUEST 390 string "hostkeys-prove-00@openssh.com" 391 char 1 /* want-reply */ 392 string[] hostkeys 393 394When a server receives this message, it should generate a signature 395using each requested key over the following: 396 397 string "hostkeys-prove-00@openssh.com" 398 string session identifier 399 string hostkey 400 401These signatures should be included in the reply, in the order matching 402the hostkeys in the request: 403 404 byte SSH_MSG_REQUEST_SUCCESS 405 string[] signatures 406 407When the client receives this reply (and not a failure), it should 408validate the signatures and may update its known_hosts file, adding keys 409that it has not seen before and deleting keys for the server host that 410are no longer offered. 411 412These extensions let a client learn key types that it had not previously 413encountered, thereby allowing it to potentially upgrade from weaker 414key algorithms to better ones. It also supports graceful key rotation: 415a server may offer multiple keys of the same type for a period (to 416give clients an opportunity to learn them using this extension) before 417removing the deprecated key from those offered. 418 4192.6. connection: SIGINFO support for "signal" channel request 420 421The SSH channels protocol (RFC4254 section 6.9) supports sending a 422signal to a session attached to a channel. OpenSSH supports one 423extension signal "INFO@openssh.com" that allows sending SIGINFO on 424BSD-derived systems. 425 4263. Authentication protocol changes 427 4283.1. Host-bound public key authentication 429 430This is trivial change to the traditional "publickey" authentication 431method. The authentication request is identical to the original method 432but for the name and one additional field: 433 434 byte SSH2_MSG_USERAUTH_REQUEST 435 string username 436 string "ssh-connection" 437 string "publickey-hostbound-v00@openssh.com" 438 bool has_signature 439 string pkalg 440 string public key 441 string server host key 442 443Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in 444the signed data, this ensures that a binding between the destination 445user, the server identity and the session identifier is visible to the 446signer. OpenSSH uses this binding via signed data to implement per-key 447restrictions in ssh-agent. 448 449A server may advertise this method using the SSH2_MSG_EXT_INFO 450mechanism (RFC8308), with the following message: 451 452 string "publickey-hostbound@openssh.com" 453 string "0" (version) 454 455Clients should prefer host-bound authentication when advertised by 456server. 457 4584. SFTP protocol changes 459 4604.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 461 462When OpenSSH's sftp-server was implemented, the order of the arguments 463to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 464the reversal was not noticed until the server was widely deployed. Since 465fixing this to follow the specification would cause incompatibility, the 466current order was retained. For correct operation, clients should send 467SSH_FXP_SYMLINK as follows: 468 469 uint32 id 470 string targetpath 471 string linkpath 472 4734.2. sftp: Server extension announcement in SSH_FXP_VERSION 474 475OpenSSH's sftp-server lists the extensions it supports using the 476standard extension announcement mechanism in the SSH_FXP_VERSION server 477hello packet: 478 479 uint32 3 /* protocol version */ 480 string ext1-name 481 string ext1-version 482 string ext2-name 483 string ext2-version 484 ... 485 string extN-name 486 string extN-version 487 488Each extension reports its integer version number as an ASCII encoded 489string, e.g. "1". The version will be incremented if the extension is 490ever changed in an incompatible way. The server MAY advertise the same 491extension with multiple versions (though this is unlikely). Clients MUST 492check the version number before attempting to use the extension. 493 4944.3. sftp: Extension request "posix-rename@openssh.com" 495 496This operation provides a rename operation with POSIX semantics, which 497are different to those provided by the standard SSH_FXP_RENAME in 498draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 499SSH_FXP_EXTENDED request with the following format: 500 501 uint32 id 502 string "posix-rename@openssh.com" 503 string oldpath 504 string newpath 505 506On receiving this request the server will perform the POSIX operation 507rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 508This extension is advertised in the SSH_FXP_VERSION hello with version 509"1". 510 5114.4. sftp: Extension requests "statvfs@openssh.com" and 512 "fstatvfs@openssh.com" 513 514These requests correspond to the statvfs and fstatvfs POSIX system 515interfaces. The "statvfs@openssh.com" request operates on an explicit 516pathname, and is formatted as follows: 517 518 uint32 id 519 string "statvfs@openssh.com" 520 string path 521 522The "fstatvfs@openssh.com" operates on an open file handle: 523 524 uint32 id 525 string "fstatvfs@openssh.com" 526 string handle 527 528These requests return a SSH_FXP_STATUS reply on failure. On success they 529return the following SSH_FXP_EXTENDED_REPLY reply: 530 531 uint32 id 532 uint64 f_bsize /* file system block size */ 533 uint64 f_frsize /* fundamental fs block size */ 534 uint64 f_blocks /* number of blocks (unit f_frsize) */ 535 uint64 f_bfree /* free blocks in file system */ 536 uint64 f_bavail /* free blocks for non-root */ 537 uint64 f_files /* total file inodes */ 538 uint64 f_ffree /* free file inodes */ 539 uint64 f_favail /* free file inodes for to non-root */ 540 uint64 f_fsid /* file system id */ 541 uint64 f_flag /* bit mask of f_flag values */ 542 uint64 f_namemax /* maximum filename length */ 543 544The values of the f_flag bitmask are as follows: 545 546 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 547 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 548 549Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 550advertised in the SSH_FXP_VERSION hello with version "2". 551 5524.5. sftp: Extension request "hardlink@openssh.com" 553 554This request is for creating a hard link to a regular file. This 555request is implemented as a SSH_FXP_EXTENDED request with the 556following format: 557 558 uint32 id 559 string "hardlink@openssh.com" 560 string oldpath 561 string newpath 562 563On receiving this request the server will perform the operation 564link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 565This extension is advertised in the SSH_FXP_VERSION hello with version 566"1". 567 5684.6. sftp: Extension request "fsync@openssh.com" 569 570This request asks the server to call fsync(2) on an open file handle. 571 572 uint32 id 573 string "fsync@openssh.com" 574 string handle 575 576On receiving this request, a server will call fsync(handle_fd) and will 577respond with a SSH_FXP_STATUS message. 578 579This extension is advertised in the SSH_FXP_VERSION hello with version 580"1". 581 5824.7. sftp: Extension request "lsetstat@openssh.com" 583 584This request is like the "setstat" command, but sets file attributes on 585symlinks. It is implemented as a SSH_FXP_EXTENDED request with the 586following format: 587 588 uint32 id 589 string "lsetstat@openssh.com" 590 string path 591 ATTRS attrs 592 593See the "setstat" command for more details. 594 595This extension is advertised in the SSH_FXP_VERSION hello with version 596"1". 597 5984.8. sftp: Extension request "limits@openssh.com" 599 600This request is used to determine various limits the server might impose. 601Clients should not attempt to exceed these limits as the server might sever 602the connection immediately. 603 604 uint32 id 605 string "limits@openssh.com" 606 607The server will respond with a SSH_FXP_EXTENDED_REPLY reply: 608 609 uint32 id 610 uint64 max-packet-length 611 uint64 max-read-length 612 uint64 max-write-length 613 uint64 max-open-handles 614 615The 'max-packet-length' applies to the total number of bytes in a 616single SFTP packet. Servers SHOULD set this at least to 34000. 617 618The 'max-read-length' is the largest length in a SSH_FXP_READ packet. 619Even if the client requests a larger size, servers will usually respond 620with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to 62132768. 622 623The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet 624the server will accept. Servers SHOULD set this at least to 32768. 625 626The 'max-open-handles' is the maximum number of active handles that the 627server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR 628packets). Servers MAY count internal file handles against this limit 629(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to 630open this many handles in practice. 631 632If the server doesn't enforce a specific limit, then the field may be 633set to 0. This implies the server relies on the OS to enforce limits 634(e.g. available memory or file handles), and such limits might be 635dynamic. The client SHOULD take care to not try to exceed reasonable 636limits. 637 638This extension is advertised in the SSH_FXP_VERSION hello with version 639"1". 640 6414.9. sftp: Extension request "expand-path@openssh.com" 642 643This request supports canonicalisation of relative paths and 644those that need tilde-expansion, i.e. "~", "~/..." and "~user/..." 645These paths are expanded using shell-like rules and the resultant 646path is canonicalised similarly to SSH2_FXP_REALPATH. 647 648It is implemented as a SSH_FXP_EXTENDED request with the following 649format: 650 651 uint32 id 652 string "expand-path@openssh.com" 653 string path 654 655Its reply is the same format as that of SSH2_FXP_REALPATH. 656 657This extension is advertised in the SSH_FXP_VERSION hello with version 658"1". 659 6604.10. sftp: Extension request "copy-data" 661 662This request asks the server to copy data from one open file handle and 663write it to a different open file handle. This avoids needing to transfer 664the data across the network twice (a download followed by an upload). 665 666 byte SSH_FXP_EXTENDED 667 uint32 id 668 string "copy-data" 669 string read-from-handle 670 uint64 read-from-offset 671 uint64 read-data-length 672 string write-to-handle 673 uint64 write-to-offset 674 675The server will copy read-data-length bytes starting from 676read-from-offset from the read-from-handle and write them to 677write-to-handle starting from write-to-offset, and then respond with a 678SSH_FXP_STATUS message. 679 680It's equivalent to issuing a series of SSH_FXP_READ requests on 681read-from-handle and a series of requests of SSH_FXP_WRITE on 682write-to-handle. 683 684If read-from-handle and write-to-handle are the same, the server will 685fail the request and respond with a SSH_FX_INVALID_PARAMETER message. 686 687If read-data-length is 0, then the server will read data from the 688read-from-handle until EOF is reached. 689 690This extension is advertised in the SSH_FXP_VERSION hello with version 691"1". 692 693This request is identical to the "copy-data" request documented in: 694 695https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7 696 6974.11. sftp: Extension request "home-directory" 698 699This request asks the server to expand the specified user's home directory. 700An empty username implies the current user. This can be used by the client 701to expand ~/ type paths locally. 702 703 byte SSH_FXP_EXTENDED 704 uint32 id 705 string "home-directory" 706 string username 707 708This extension is advertised in the SSH_FXP_VERSION hello with version 709"1". 710 711This provides similar information as the "expand-path@openssh.com" extension. 712 713This request is identical to the "home-directory" request documented in: 714 715https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5 716 7174.12. sftp: Extension request "users-groups-by-id@openssh.com" 718 719This request asks the server to return user and/or group names that 720correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT 721request). This may be used by the client to provide usernames in 722directory listings. 723 724 byte SSH_FXP_EXTENDED 725 uint32 id 726 string "users-groups-by-id@openssh.com" 727 string uids 728 string gids 729 730Where "uids" and "gids" consists of one or more integer user or group 731identifiers: 732 733 uint32 id-0 734 ... 735 736The server will reply with a SSH_FXP_EXTENDED_REPLY: 737 738 byte SSH_FXP_EXTENDED_REPLY 739 uint32 id 740 string usernames 741 string groupnames 742 743Where "username" and "groupnames" consists of names in identical request 744order to "uids" and "gids" respectively: 745 746 string name-0 747 ... 748 749If a name cannot be identified for a given user or group ID, an empty 750string will be returned in its place. 751 752It is acceptable for either "uids" or "gids" to be an empty set, in 753which case the respective "usernames" or "groupnames" list will also 754be empty. 755 756This extension is advertised in the SSH_FXP_VERSION hello with version 757"1". 758 7595. Miscellaneous changes 760 7615.1 Public key format 762 763OpenSSH public keys, as generated by ssh-keygen(1) and appearing in 764authorized_keys files, are formatted as a single line of text consisting 765of the public key algorithm name followed by a base64-encoded key blob. 766The public key blob (before base64 encoding) is the same format used for 767the encoding of public keys sent on the wire: as described in RFC4253 768section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys 769and the "New public key formats" section of PROTOCOL.certkeys for the 770OpenSSH certificate formats. 771 7725.2 Private key format 773 774OpenSSH private keys, as generated by ssh-keygen(1) use the format 775described in PROTOCOL.key by default. As a legacy option, PEM format 776(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys 777and were the default format before OpenSSH 7.8. 778 7795.3 KRL format 780 781OpenSSH supports a compact format for Key Revocation Lists (KRLs). This 782format is described in the PROTOCOL.krl file. 783 7845.4 Connection multiplexing 785 786OpenSSH's connection multiplexing uses messages as described in 787PROTOCOL.mux over a Unix domain socket for communications between a 788master instance and later clients. 789 7905.5. Agent protocol extensions 791 792OpenSSH extends the usual agent protocol. These changes are documented 793in the PROTOCOL.agent file. 794 795$OpenBSD: PROTOCOL,v 1.55 2024/01/08 05:05:15 djm Exp $ 796