| version 1.25, 2015/01/26 03:04:45 |
version 1.26, 2015/02/16 22:13:32 |
|
|
| "ecdsa-sha2-nistp521-cert-v01@openssh.com" |
"ecdsa-sha2-nistp521-cert-v01@openssh.com" |
| |
|
| OpenSSH introduces new public key algorithms to support certificate |
OpenSSH introduces new public key algorithms to support certificate |
| authentication for users and hostkeys. These methods are documented in |
authentication for users and host keys. These methods are documented |
| the file PROTOCOL.certkeys |
in the file PROTOCOL.certkeys |
| |
|
| 1.4. transport: Elliptic Curve cryptography |
1.4. transport: Elliptic Curve cryptography |
| |
|
|
|
| string socket path |
string socket path |
| |
|
| 2.5. connection: hostkey update and rotation "hostkeys@openssh.com" |
2.5. connection: hostkey update and rotation "hostkeys@openssh.com" |
| |
and "hostkeys-prove@openssh.com" |
| |
|
| OpenSSH supports a protocol extension allowing a server to inform |
OpenSSH supports a protocol extension allowing a server to inform |
| a client of all its protocol v.2 hostkeys after user-authentication |
a client of all its protocol v.2 host keys after user-authentication |
| has completed. |
has completed. |
| |
|
| byte SSH_MSG_GLOBAL_REQUEST |
byte SSH_MSG_GLOBAL_REQUEST |
| string "hostkeys@openssh.com" |
string "hostkeys@openssh.com" |
| string[] hostkeys |
string[] hostkeys |
| |
|
| Upon receiving this message, a client may update its known_hosts |
Upon receiving this message, a client should check which of the |
| file, adding keys that it has not seen before and deleting keys |
supplied host keys are present in known_hosts. For keys that are |
| for the server host that are no longer offered. |
not present, it should send a "hostkeys-prove@openssh.com" message |
| |
to request the server prove ownership of the private half of the |
| |
key. |
| |
|
| This extension allows a client to learn key types that it had |
byte SSH_MSG_GLOBAL_REQUEST |
| not previously encountered, thereby allowing it to potentially |
string "hostkeys-prove@openssh.com" |
| upgrade from weaker key algorithms to better ones. It also |
char 1 /* want-reply */ |
| supports graceful key rotation: a server may offer multiple keys |
string[] hostkeys |
| of the same type for a period (to give clients an opportunity to |
|
| learn them using this extension) before removing the deprecated |
When a server receives this message, it should generate a signature |
| key from those offered. |
using each requested key over the following: |
| |
|
| |
string session identifier |
| |
string "hostkeys-prove@openssh.com" |
| |
string hostkey |
| |
|
| |
These signatures should be included in the reply, in the order matching |
| |
the hostkeys in the request: |
| |
|
| |
byte SSH_MSG_REQUEST_SUCCESS |
| |
string[] signatures |
| |
|
| |
When the client receives this reply (and not a failure), it should |
| |
validate the signatures and may update its known_hosts file, adding keys |
| |
that it has not seen before and deleting keys for the server host that |
| |
are no longer offered. |
| |
|
| |
These extensions let a client learn key types that it had not previously |
| |
encountered, thereby allowing it to potentially upgrade from weaker |
| |
key algorithms to better ones. It also supports graceful key rotation: |
| |
a server may offer multiple keys of the same type for a period (to |
| |
give clients an opportunity to learn them using this extension) before |
| |
removing the deprecated key from those offered. |
| |
|
| 3. SFTP protocol changes |
3. SFTP protocol changes |
| |
|
![[BACK]](/icons/back.gif){kind=icon}
Return to PROTOCOL CVS log ![[TXT]](/icons/text.gif){kind=icon}
![[DIR]](/icons/dir.gif){kind=icon}
Up to [local] / src / usr.bin / ssh