1This documents OpenSSH's deviations and extensions to the published SSH 2protocol. 3 4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5filexfer protocol described in: 6 7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8 9Newer versions of the draft will not be supported, though some features 10are individually implemented as extensions described below. 11 12The protocol used by OpenSSH's ssh-agent is described in the file 13PROTOCOL.agent 14 151. Transport protocol changes 16 171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 18 19This is a new transport-layer MAC method using the UMAC algorithm 20(rfc4418). This method is identical to the "umac-64" method documented 21in: 22 23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24 251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 26 27This transport-layer compression method uses the zlib compression 28algorithm (identical to the "zlib" method in rfc4253), but delays the 29start of compression until after authentication has completed. This 30avoids exposing compression code to attacks from unauthenticated users. 31 32The method is documented in: 33 34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35 361.3. transport: New public key algorithms "ssh-rsa-cert-v01@openssh.com", 37 "ssh-dsa-cert-v01@openssh.com", 38 "ecdsa-sha2-nistp256-cert-v01@openssh.com", 39 "ecdsa-sha2-nistp384-cert-v01@openssh.com" and 40 "ecdsa-sha2-nistp521-cert-v01@openssh.com" 41 42OpenSSH introduces new public key algorithms to support certificate 43authentication for users and host keys. These methods are documented 44in the file PROTOCOL.certkeys 45 461.4. transport: Elliptic Curve cryptography 47 48OpenSSH supports ECC key exchange and public key authentication as 49specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 50and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 51curve points encoded using point compression are NOT accepted or 52generated. 53 541.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 55 56OpenSSH supports MAC algorithms, whose names contain "-etm", that 57perform the calculations in a different order to that defined in RFC 584253. These variants use the so-called "encrypt then MAC" ordering, 59calculating the MAC over the packet ciphertext rather than the 60plaintext. This ordering closes a security flaw in the SSH transport 61protocol, where decryption of unauthenticated ciphertext provided a 62"decryption oracle" that could, in conjunction with cipher flaws, reveal 63session plaintext. 64 65Specifically, the "-etm" MAC algorithms modify the transport protocol 66to calculate the MAC over the packet ciphertext and to send the packet 67length unencrypted. This is necessary for the transport to obtain the 68length of the packet and location of the MAC tag so that it may be 69verified without decrypting unauthenticated data. 70 71As such, the MAC covers: 72 73 mac = MAC(key, sequence_number || packet_length || encrypted_packet) 74 75where "packet_length" is encoded as a uint32 and "encrypted_packet" 76contains: 77 78 byte padding_length 79 byte[n1] payload; n1 = packet_length - padding_length - 1 80 byte[n2] random padding; n2 = padding_length 81 821.6 transport: AES-GCM 83 84OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 85Because of problems with the specification of the key exchange 86the behaviour of OpenSSH differs from the RFC as follows: 87 88AES-GCM is only negotiated as the cipher algorithms 89"aes128-gcm@openssh.com" or "aes256-gcm@openssh.com" and never as 90an MAC algorithm. Additionally, if AES-GCM is selected as the cipher 91the exchanged MAC algorithms are ignored and there doesn't have to be 92a matching MAC. 93 941.7 transport: chacha20-poly1305@openssh.com authenticated encryption 95 96OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 97as described in PROTOCOL.chacha20poly1305. 98 991.8 transport: curve25519-sha256@libssh.org key exchange algorithm 100 101OpenSSH supports the use of ECDH in Curve25519 for key exchange as 102described at: 103http://git.libssh.org/users/aris/libssh.git/plain/doc/curve25519-sha256@libssh.org.txt?h=curve25519 104 105This is identical to curve25519-sha256 as later published in RFC8731. 106 1071.9 transport: ping facility 108 109OpenSSH implements a transport level ping message SSH2_MSG_PING 110and a corresponding SSH2_MSG_PONG reply. 111 112#define SSH2_MSG_PING 192 113#define SSH2_MSG_PONG 193 114 115The ping message is simply: 116 117 byte SSH_MSG_PING 118 string data 119 120The reply copies the data (which may be the empty string) from the 121ping: 122 123 byte SSH_MSG_PONG 124 string data 125 126Replies are sent in order. They are sent immediately except when rekeying 127is in progress, in which case they are queued until rekeying completes. 128 129The server advertises support for these messages using the 130SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message: 131 132 string "ping@openssh.com" 133 string "0" (version) 134 135The ping/reply message is implemented at the transport layer rather 136than as a named global or channel request to allow pings with very 137short packet lengths, which would not be possible with other 138approaches. 139 1402. Connection protocol changes 141 1422.1. connection: Channel write close extension "eow@openssh.com" 143 144The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 145message to allow an endpoint to signal its peer that it will send no 146more data over a channel. Unfortunately, there is no symmetric way for 147an endpoint to request that its peer should cease sending data to it 148while still keeping the channel open for the endpoint to send data to 149the peer. 150 151This is desirable, since it saves the transmission of data that would 152otherwise need to be discarded and it allows an endpoint to signal local 153processes of the condition, e.g. by closing the corresponding file 154descriptor. 155 156OpenSSH implements a channel extension message to perform this 157signalling: "eow@openssh.com" (End Of Write). This message is sent by 158an endpoint when the local output of a session channel is closed or 159experiences a write error. The message is formatted as follows: 160 161 byte SSH_MSG_CHANNEL_REQUEST 162 uint32 recipient channel 163 string "eow@openssh.com" 164 boolean FALSE 165 166On receiving this message, the peer SHOULD cease sending data of 167the channel and MAY signal the process from which the channel data 168originates (e.g. by closing its read file descriptor). 169 170As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 171remain open after a "eow@openssh.com" has been sent and more data may 172still be sent in the other direction. This message does not consume 173window space and may be sent even if no window space is available. 174 175NB. due to certain broken SSH implementations aborting upon receipt 176of this message (in contravention of RFC4254 section 5.4), this 177message is only sent to OpenSSH peers (identified by banner). 178Other SSH implementations may be listed to receive this message 179upon request. 180 1812.2. connection: disallow additional sessions extension 182 "no-more-sessions@openssh.com" 183 184Most SSH connections will only ever request a single session, but a 185attacker may abuse a running ssh client to surreptitiously open 186additional sessions under their control. OpenSSH provides a global 187request "no-more-sessions@openssh.com" to mitigate this attack. 188 189When an OpenSSH client expects that it will never open another session 190(i.e. it has been started with connection multiplexing disabled), it 191will send the following global request: 192 193 byte SSH_MSG_GLOBAL_REQUEST 194 string "no-more-sessions@openssh.com" 195 char want-reply 196 197On receipt of such a message, an OpenSSH server will refuse to open 198future channels of type "session" and instead immediately abort the 199connection. 200 201Note that this is not a general defence against compromised clients 202(that is impossible), but it thwarts a simple attack. 203 204NB. due to certain broken SSH implementations aborting upon receipt 205of this message, the no-more-sessions request is only sent to OpenSSH 206servers (identified by banner). Other SSH implementations may be 207listed to receive this message upon request. 208 2092.3. connection: Tunnel forward extension "tun@openssh.com" 210 211OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 212channel type. This channel type supports forwarding of network packets 213with datagram boundaries intact between endpoints equipped with 214interfaces like the BSD tun(4) device. Tunnel forwarding channels are 215requested by the client with the following packet: 216 217 byte SSH_MSG_CHANNEL_OPEN 218 string "tun@openssh.com" 219 uint32 sender channel 220 uint32 initial window size 221 uint32 maximum packet size 222 uint32 tunnel mode 223 uint32 remote unit number 224 225The "tunnel mode" parameter specifies whether the tunnel should forward 226layer 2 frames or layer 3 packets. It may take one of the following values: 227 228 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 229 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 230 231The "tunnel unit number" specifies the remote interface number, or may 232be 0x7fffffff to allow the server to automatically choose an interface. A 233server that is not willing to open a client-specified unit should refuse 234the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 235open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 236 237Once established the client and server may exchange packet or frames 238over the tunnel channel by encapsulating them in SSH protocol strings 239and sending them as channel data. This ensures that packet boundaries 240are kept intact. Specifically, packets are transmitted using normal 241SSH_MSG_CHANNEL_DATA packets: 242 243 byte SSH_MSG_CHANNEL_DATA 244 uint32 recipient channel 245 string data 246 247The contents of the "data" field for layer 3 packets is: 248 249 uint32 packet length 250 uint32 address family 251 byte[packet length - 4] packet data 252 253The "address family" field identifies the type of packet in the message. 254It may be one of: 255 256 SSH_TUN_AF_INET 2 /* IPv4 */ 257 SSH_TUN_AF_INET6 24 /* IPv6 */ 258 259The "packet data" field consists of the IPv4/IPv6 datagram itself 260without any link layer header. 261 262The contents of the "data" field for layer 2 packets is: 263 264 uint32 packet length 265 byte[packet length] frame 266 267The "frame" field contains an IEEE 802.3 Ethernet frame, including 268header. 269 2702.4. connection: Unix domain socket forwarding 271 272OpenSSH supports local and remote Unix domain socket forwarding 273using the "streamlocal" extension. Forwarding is initiated as per 274TCP sockets but with a single path instead of a host and port. 275 276Similar to direct-tcpip, direct-streamlocal is sent by the client 277to request that the server make a connection to a Unix domain socket. 278 279 byte SSH_MSG_CHANNEL_OPEN 280 string "direct-streamlocal@openssh.com" 281 uint32 sender channel 282 uint32 initial window size 283 uint32 maximum packet size 284 string socket path 285 string reserved 286 uint32 reserved 287 288Similar to forwarded-tcpip, forwarded-streamlocal is sent by the 289server when the client has previously send the server a streamlocal-forward 290GLOBAL_REQUEST. 291 292 byte SSH_MSG_CHANNEL_OPEN 293 string "forwarded-streamlocal@openssh.com" 294 uint32 sender channel 295 uint32 initial window size 296 uint32 maximum packet size 297 string socket path 298 string reserved for future use 299 300The reserved field is not currently defined and is ignored on the 301remote end. It is intended to be used in the future to pass 302information about the socket file, such as ownership and mode. 303The client currently sends the empty string for this field. 304 305Similar to tcpip-forward, streamlocal-forward is sent by the client 306to request remote forwarding of a Unix domain socket. 307 308 byte SSH2_MSG_GLOBAL_REQUEST 309 string "streamlocal-forward@openssh.com" 310 boolean TRUE 311 string socket path 312 313Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent 314by the client cancel the forwarding of a Unix domain socket. 315 316 byte SSH2_MSG_GLOBAL_REQUEST 317 string "cancel-streamlocal-forward@openssh.com" 318 boolean FALSE 319 string socket path 320 3212.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" 322and "hostkeys-prove-00@openssh.com" 323 324OpenSSH supports a protocol extension allowing a server to inform 325a client of all its protocol v.2 host keys after user-authentication 326has completed. 327 328 byte SSH_MSG_GLOBAL_REQUEST 329 string "hostkeys-00@openssh.com" 330 char 0 /* want-reply */ 331 string[] hostkeys 332 333Upon receiving this message, a client should check which of the 334supplied host keys are present in known_hosts. 335 336Note that the server may send key types that the client does not 337support. The client should disregard such keys if they are received. 338 339If the client identifies any keys that are not present for the host, 340it should send a "hostkeys-prove@openssh.com" message to request the 341server prove ownership of the private half of the key. 342 343 byte SSH_MSG_GLOBAL_REQUEST 344 string "hostkeys-prove-00@openssh.com" 345 char 1 /* want-reply */ 346 string[] hostkeys 347 348When a server receives this message, it should generate a signature 349using each requested key over the following: 350 351 string "hostkeys-prove-00@openssh.com" 352 string session identifier 353 string hostkey 354 355These signatures should be included in the reply, in the order matching 356the hostkeys in the request: 357 358 byte SSH_MSG_REQUEST_SUCCESS 359 string[] signatures 360 361When the client receives this reply (and not a failure), it should 362validate the signatures and may update its known_hosts file, adding keys 363that it has not seen before and deleting keys for the server host that 364are no longer offered. 365 366These extensions let a client learn key types that it had not previously 367encountered, thereby allowing it to potentially upgrade from weaker 368key algorithms to better ones. It also supports graceful key rotation: 369a server may offer multiple keys of the same type for a period (to 370give clients an opportunity to learn them using this extension) before 371removing the deprecated key from those offered. 372 3732.6. connection: SIGINFO support for "signal" channel request 374 375The SSH channels protocol (RFC4254 section 6.9) supports sending a 376signal to a session attached to a channel. OpenSSH supports one 377extension signal "INFO@openssh.com" that allows sending SIGINFO on 378BSD-derived systems. 379 3803. Authentication protocol changes 381 3823.1. Host-bound public key authentication 383 384This is trivial change to the traditional "publickey" authentication 385method. The authentication request is identical to the original method 386but for the name and one additional field: 387 388 byte SSH2_MSG_USERAUTH_REQUEST 389 string username 390 string "ssh-connection" 391 string "publickey-hostbound-v00@openssh.com" 392 bool has_signature 393 string pkalg 394 string public key 395 string server host key 396 397Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in 398the signed data, this ensures that a binding between the destination 399user, the server identity and the session identifier is visible to the 400signer. OpenSSH uses this binding via signed data to implement per-key 401restrictions in ssh-agent. 402 403A server may advertise this method using the SSH2_MSG_EXT_INFO 404mechanism (RFC8308), with the following message: 405 406 string "publickey-hostbound@openssh.com" 407 string "0" (version) 408 409Clients should prefer host-bound authentication when advertised by 410server. 411 4124. SFTP protocol changes 413 4144.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 415 416When OpenSSH's sftp-server was implemented, the order of the arguments 417to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 418the reversal was not noticed until the server was widely deployed. Since 419fixing this to follow the specification would cause incompatibility, the 420current order was retained. For correct operation, clients should send 421SSH_FXP_SYMLINK as follows: 422 423 uint32 id 424 string targetpath 425 string linkpath 426 4274.2. sftp: Server extension announcement in SSH_FXP_VERSION 428 429OpenSSH's sftp-server lists the extensions it supports using the 430standard extension announcement mechanism in the SSH_FXP_VERSION server 431hello packet: 432 433 uint32 3 /* protocol version */ 434 string ext1-name 435 string ext1-version 436 string ext2-name 437 string ext2-version 438 ... 439 string extN-name 440 string extN-version 441 442Each extension reports its integer version number as an ASCII encoded 443string, e.g. "1". The version will be incremented if the extension is 444ever changed in an incompatible way. The server MAY advertise the same 445extension with multiple versions (though this is unlikely). Clients MUST 446check the version number before attempting to use the extension. 447 4484.3. sftp: Extension request "posix-rename@openssh.com" 449 450This operation provides a rename operation with POSIX semantics, which 451are different to those provided by the standard SSH_FXP_RENAME in 452draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 453SSH_FXP_EXTENDED request with the following format: 454 455 uint32 id 456 string "posix-rename@openssh.com" 457 string oldpath 458 string newpath 459 460On receiving this request the server will perform the POSIX operation 461rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 462This extension is advertised in the SSH_FXP_VERSION hello with version 463"1". 464 4654.4. sftp: Extension requests "statvfs@openssh.com" and 466 "fstatvfs@openssh.com" 467 468These requests correspond to the statvfs and fstatvfs POSIX system 469interfaces. The "statvfs@openssh.com" request operates on an explicit 470pathname, and is formatted as follows: 471 472 uint32 id 473 string "statvfs@openssh.com" 474 string path 475 476The "fstatvfs@openssh.com" operates on an open file handle: 477 478 uint32 id 479 string "fstatvfs@openssh.com" 480 string handle 481 482These requests return a SSH_FXP_STATUS reply on failure. On success they 483return the following SSH_FXP_EXTENDED_REPLY reply: 484 485 uint32 id 486 uint64 f_bsize /* file system block size */ 487 uint64 f_frsize /* fundamental fs block size */ 488 uint64 f_blocks /* number of blocks (unit f_frsize) */ 489 uint64 f_bfree /* free blocks in file system */ 490 uint64 f_bavail /* free blocks for non-root */ 491 uint64 f_files /* total file inodes */ 492 uint64 f_ffree /* free file inodes */ 493 uint64 f_favail /* free file inodes for to non-root */ 494 uint64 f_fsid /* file system id */ 495 uint64 f_flag /* bit mask of f_flag values */ 496 uint64 f_namemax /* maximum filename length */ 497 498The values of the f_flag bitmask are as follows: 499 500 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 501 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 502 503Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 504advertised in the SSH_FXP_VERSION hello with version "2". 505 5064.5. sftp: Extension request "hardlink@openssh.com" 507 508This request is for creating a hard link to a regular file. This 509request is implemented as a SSH_FXP_EXTENDED request with the 510following format: 511 512 uint32 id 513 string "hardlink@openssh.com" 514 string oldpath 515 string newpath 516 517On receiving this request the server will perform the operation 518link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 519This extension is advertised in the SSH_FXP_VERSION hello with version 520"1". 521 5224.6. sftp: Extension request "fsync@openssh.com" 523 524This request asks the server to call fsync(2) on an open file handle. 525 526 uint32 id 527 string "fsync@openssh.com" 528 string handle 529 530On receiving this request, a server will call fsync(handle_fd) and will 531respond with a SSH_FXP_STATUS message. 532 533This extension is advertised in the SSH_FXP_VERSION hello with version 534"1". 535 5364.7. sftp: Extension request "lsetstat@openssh.com" 537 538This request is like the "setstat" command, but sets file attributes on 539symlinks. It is implemented as a SSH_FXP_EXTENDED request with the 540following format: 541 542 uint32 id 543 string "lsetstat@openssh.com" 544 string path 545 ATTRS attrs 546 547See the "setstat" command for more details. 548 549This extension is advertised in the SSH_FXP_VERSION hello with version 550"1". 551 5524.8. sftp: Extension request "limits@openssh.com" 553 554This request is used to determine various limits the server might impose. 555Clients should not attempt to exceed these limits as the server might sever 556the connection immediately. 557 558 uint32 id 559 string "limits@openssh.com" 560 561The server will respond with a SSH_FXP_EXTENDED_REPLY reply: 562 563 uint32 id 564 uint64 max-packet-length 565 uint64 max-read-length 566 uint64 max-write-length 567 uint64 max-open-handles 568 569The 'max-packet-length' applies to the total number of bytes in a 570single SFTP packet. Servers SHOULD set this at least to 34000. 571 572The 'max-read-length' is the largest length in a SSH_FXP_READ packet. 573Even if the client requests a larger size, servers will usually respond 574with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to 57532768. 576 577The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet 578the server will accept. Servers SHOULD set this at least to 32768. 579 580The 'max-open-handles' is the maximum number of active handles that the 581server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR 582packets). Servers MAY count internal file handles against this limit 583(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to 584open this many handles in practice. 585 586If the server doesn't enforce a specific limit, then the field may be 587set to 0. This implies the server relies on the OS to enforce limits 588(e.g. available memory or file handles), and such limits might be 589dynamic. The client SHOULD take care to not try to exceed reasonable 590limits. 591 592This extension is advertised in the SSH_FXP_VERSION hello with version 593"1". 594 5954.9. sftp: Extension request "expand-path@openssh.com" 596 597This request supports canonicalisation of relative paths and 598those that need tilde-expansion, i.e. "~", "~/..." and "~user/..." 599These paths are expanded using shell-like rules and the resultant 600path is canonicalised similarly to SSH2_FXP_REALPATH. 601 602It is implemented as a SSH_FXP_EXTENDED request with the following 603format: 604 605 uint32 id 606 string "expand-path@openssh.com" 607 string path 608 609Its reply is the same format as that of SSH2_FXP_REALPATH. 610 611This extension is advertised in the SSH_FXP_VERSION hello with version 612"1". 613 6144.10. sftp: Extension request "copy-data" 615 616This request asks the server to copy data from one open file handle and 617write it to a different open file handle. This avoids needing to transfer 618the data across the network twice (a download followed by an upload). 619 620 byte SSH_FXP_EXTENDED 621 uint32 id 622 string "copy-data" 623 string read-from-handle 624 uint64 read-from-offset 625 uint64 read-data-length 626 string write-to-handle 627 uint64 write-to-offset 628 629The server will copy read-data-length bytes starting from 630read-from-offset from the read-from-handle and write them to 631write-to-handle starting from write-to-offset, and then respond with a 632SSH_FXP_STATUS message. 633 634It's equivalent to issuing a series of SSH_FXP_READ requests on 635read-from-handle and a series of requests of SSH_FXP_WRITE on 636write-to-handle. 637 638If read-from-handle and write-to-handle are the same, the server will 639fail the request and respond with a SSH_FX_INVALID_PARAMETER message. 640 641If read-data-length is 0, then the server will read data from the 642read-from-handle until EOF is reached. 643 644This extension is advertised in the SSH_FXP_VERSION hello with version 645"1". 646 647This request is identical to the "copy-data" request documented in: 648 649https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7 650 6514.11. sftp: Extension request "home-directory" 652 653This request asks the server to expand the specified user's home directory. 654An empty username implies the current user. This can be used by the client 655to expand ~/ type paths locally. 656 657 byte SSH_FXP_EXTENDED 658 uint32 id 659 string "home-directory" 660 string username 661 662This extension is advertised in the SSH_FXP_VERSION hello with version 663"1". 664 665This provides similar information as the "expand-path@openssh.com" extension. 666 667This request is identical to the "home-directory" request documented in: 668 669https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5 670 6714.12. sftp: Extension request "users-groups-by-id@openssh.com" 672 673This request asks the server to return user and/or group names that 674correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT 675request). This may be used by the client to provide usernames in 676directory listings. 677 678 byte SSH_FXP_EXTENDED 679 uint32 id 680 string "users-groups-by-id@openssh.com" 681 string uids 682 string gids 683 684Where "uids" and "gids" consists of one or more integer user or group 685identifiers: 686 687 uint32 id-0 688 ... 689 690The server will reply with a SSH_FXP_EXTENDED_REPLY: 691 692 byte SSH_FXP_EXTENDED_REPLY 693 string usernames 694 string groupnames 695 696Where "username" and "groupnames" consists of names in identical request 697order to "uids" and "gids" respectively: 698 699 string name-0 700 ... 701 702If a name cannot be identified for a given user or group ID, an empty 703string will be returned in its place. 704 705It is acceptable for either "uids" or "gids" to be an empty set, in 706which case the respective "usernames" or "groupnames" list will also 707be empty. 708 709This extension is advertised in the SSH_FXP_VERSION hello with version 710"1". 711 7125. Miscellaneous changes 713 7145.1 Public key format 715 716OpenSSH public keys, as generated by ssh-keygen(1) and appearing in 717authorized_keys files, are formatted as a single line of text consisting 718of the public key algorithm name followed by a base64-encoded key blob. 719The public key blob (before base64 encoding) is the same format used for 720the encoding of public keys sent on the wire: as described in RFC4253 721section 6.6 for RSA and DSA keys, RFC5656 section 3.1 for ECDSA keys 722and the "New public key formats" section of PROTOCOL.certkeys for the 723OpenSSH certificate formats. 724 7255.2 Private key format 726 727OpenSSH private keys, as generated by ssh-keygen(1) use the format 728described in PROTOCOL.key by default. As a legacy option, PEM format 729(RFC7468) private keys are also supported for RSA, DSA and ECDSA keys 730and were the default format before OpenSSH 7.8. 731 7325.3 KRL format 733 734OpenSSH supports a compact format for Key Revocation Lists (KRLs). This 735format is described in the PROTOCOL.krl file. 736 7375.4 Connection multiplexing 738 739OpenSSH's connection multiplexing uses messages as described in 740PROTOCOL.mux over a Unix domain socket for communications between a 741master instance and later clients. 742 7435.5. Agent protocol extensions 744 745OpenSSH extends the usual agent protocol. These changes are documented 746in the PROTOCOL.agent file. 747 748$OpenBSD: PROTOCOL,v 1.49 2023/08/28 03:28:43 djm Exp $ 749