File: [local] / www / openssh / specs.html

Revision 1.78, Sat Apr 20 21:41:42 2024 UTC by bentley
Branch: MAIN
CVS Tags: HEAD
Changes since 1.77: +1 -1 lines

Fix unintentional rendering errors, caught with the validator.

<!doctype html>
<html lang=en>
<meta charset=utf-8>

<title>OpenSSH: Specifications</title>
<meta name="description" content="the OpenSSH specifications page">
<meta name="viewport" content="width=device-width, initial-scale=1">
<link rel="canonical" href="https://www.openssh.com/specs.html">
<link rel="stylesheet" type="text/css" href="openbsd.css">

<h2 id=OpenBSD>
<a href="/">
<i>Open</i><b>SSH</b></a>
Specifications
</h2>
<hr>

<p>
OpenSSH implements the following specifications.  Where versions
are noted, support for the corresponding specification was added
or removed in that OpenSSH version.

<h3>SSH protocol version 2 Core RFCs</h3>

<p>
Source: <a href="https://datatracker.ietf.org/wg/secsh/">secsh working group</a>

<table>
  <tr>
    <th>Specification
    <th>Description
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4250>RFC4250</a>
    <td>SSH Protocol Assigned Numbers
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4251>RFC4251</a>
    <td>SSH Protocol Architecture
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4252>RFC4252</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4252"
      title="errata">(e)</a>
    <td>SSH Authentication Protocol
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4253>RFC4253</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4253"
      title="errata">(e)</a>
    <td>SSH Transport Layer Protocol
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4254>RFC4254</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4254"
      title="errata">(e)</a>
    <td>SSH Connection Protocol
</table>

<h3>SSH protocol version 2 Extension RFCs</h3>

<table>
  <tr>
    <th>Specification
    <th>Versions
    <th>Description
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4255>RFC4255</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4255"
      title="errata">(e)</a>
    <td>
    <td>Using DNS to Securely Publish SSH Key Fingerprints (SSHFP)
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4256>RFC4256</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4256"
      title="errata">(e)</a>
    <td>
    <td>Generic Message Exchange Authentication (aka <code>keyboard-interactive</code>)
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4335>RFC4335</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4335"
      title="errata">(e)</a>
    <td>
    <td>SSH Session Channel Break Extension
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4344>RFC4344</a>
    <td>
    <td>SSH Transport Layer Encryption Modes (<code>aes128-ctr</code>,
        <code>aes192-ctr</code>, <code>aes256-ctr</code>)
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4345>RFC4345</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4345"
      title="errata">(e)</a>
    <td><a href=releasenotes.html#4.1>4.1</a
        >-<a href=releasenotes.html#7.6>7.6</a>
    <td>Improved Arcfour Modes for the SSH Transport Layer Protocol
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4419>RFC4419</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4419"
           title="errata">(e)</a>
    <td>
    <td>Diffie-Hellman Group Exchange
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4462>RFC4462</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=4462"
           title="errata">(e)</a>
    <td>
    <td>GSS-API Authentication and Key Exchange (only authentication implemented)
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc4716>RFC4716</a>
    <td>
    <td>SSH Public Key File Format (import and export via
        <a href= "https://man.openbsd.org/ssh-keygen.1"
        >ssh-keygen</a> only).
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc5656>RFC5656</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=5656"
           title="errata">(e)</a>
    <td>
    <td>Elliptic Curve Algorithm Integration in SSH
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc6594>RFC6594</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=6594"
           title="errata">(e)</a>
    <td><a href=releasenotes.html#6.1>6.1</a>-
    <td>SHA-256 SSHFP Resource Records
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc6668>RFC6668</a>
    <td><a href=releasenotes.html#5.9>5.9</a>-
    <td>SHA-2 Data Integrity Algorithms (<code>hmac-sha2-256</code>,
        <code>hmac-sha2-512</code>)
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc7479>RFC7479</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=7479"
           title="errata">(e)</a>
    <td><a href=releasenotes.html#6.5>6.5</a>-
    <td>ED25519 SSHFP Resource Records
  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8160">RFC8160</a>
    <td><a href=releasenotes.html#7.3>7.3</a>-
    <td>IUTF8 Terminal Mode
  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8270">RFC8270</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=8270"
           title="errata">(e)</a>
    <td><a href=releasenotes.html#7.2>7.1</a>-
    <td>Increase Diffie-Hellman Modulus Size
  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8308">RFC8308</a>
    <td><a href=releasenotes.html#7.2>7.2</a>-
    <td>Extension Negotiation in the Secure Shell (SSH) Protocol
        (<code>ext-info-s</code>, <code>ext-info-c</code>)
  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8332">RFC8332</a>
    <td><a href=releasenotes.html#7.2>7.2</a>-
    <td>Use of RSA Keys with SHA-2 (<code>rsa-sha2-256</code>,
        <code>rsa-sha2-512</code>)

  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8709">RFC8709</a>
        <a href="https://www.rfc-editor.org/errata_search.php?rfc=8709"
           title="errata">(e)</a>
    <td><a href=releasenotes.html#6.5>6.5</a>-
    <td>Ed25519 and Ed448 Public Key Algorithms (<code>ssh-ed25519</code> only)
  <tr>
    <td><a href="https://tools.ietf.org/html/rfc8731">RFC8731</a>
    <td><a href=releasenotes.html#7.3>7.3</a>-
    <td>Key Exchange Method Using Curve25519 and Curve448
        (<code>curve25519-sha256</code> only)
</table>

<h3>SSH protocol version 2 draft specifications</h3>
<table>
  <tr>
    <th>Specification
    <th>Versions
    <th>Description
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-ietf-secsh-filexfer-02"
      >draft-ietf-secsh-filexfer-02</a>
    <td>
    <td>SSH File Transfer Protocol version 3
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00"
      >draft-ietf-secsh-filexfer-extensions-00</a>
    <td><a href=releasenotes.html#9.0>9.0</a>-
    <td>SFTP extension
      <a href="https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-7"
      ><code>copy-data</code></a>
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00"
      >draft-ietf-secsh-filexfer-extensions-00</a>
    <td><a href=releasenotes.html#9.1>9.1</a>-
    <td>SFTP extension
      <a href="https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5"
      ><code>home-directory</code></a>
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-ietf-curdle-ssh-kex-sha2-03"
      >draft-ietf-curdle-ssh-kex-sha2-03</a>
    <td><a href=releasenotes.html#7.3>7.3</a>-
    <td>Key Exchange (KEX) Method Updates and Recommendations
  <tr>
    <td><a
      href="https://tools.ietf.org/html/draft-ietf-secsh-scp-sftp-ssh-uri-04"
      >draft-ietf-secsh-scp-sftp-ssh-uri-04</a>
    <td><a href=releasenotes.html#7.6>7.6</a>-
    <td>Uniform Resource Identifier (URI) Scheme for SSH and SFTP (with the
      exception of fingerprint)
</table>

<h3>SSH protocol version 2 vendor extensions</h3>
<table>
  <tr>
    <th>Specification
    <th>Versions
    <th>Description
  <tr>
    <td><a
      href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL?annotate=HEAD"
       >PROTOCOL</a>
    <td>
    <td>An overview of all vendor extensions detailed below, and the
      specifications of the following protocol extensions:
      <ul>
        <li>SSH2 connection:
          <ul>
            <li><code>eow@openssh.com</code>,
              <code>no-more-sessions@openssh.com</code>
            <li><code>hostkeys-00@openssh.com</code>,
              <code>hostkeys-prove-00@openssh.com</code> (hostkey rotation)
            <li><code>tun@openssh.com</code> (layer 2 and 3 tunnelling)
            <li><code>direct-streamlocal@openssh.com</code>,
              <code>forwarded-streamlocal@openssh.com</code>,
              <code>streamlocal-forward@openssh.com</code>,
              <code>cancel-streamlocal-forward@openssh.com</code>
              (Unix domain socket forwarding)
            <li><code>INFO@openssh.com</code> (BSD SIGINFO)
            <li><code>publickey-hostbound-v00@openssh.com</code> (host-bound
              public key authentication)
          </ul>
        <li>SSH2 transport ciphers: <code>aes128-gcm@openssh.com</code>,
            <code>aes256-gcm@openssh.com</code>
        <li>SSH2 transport MACs: <code>hmac-sha1-etm@openssh.com</code>,
            <code>hmac-sha1-96-etm@openssh.com</code>,
            <code>hmac-sha2-256-etm@openssh.com</code>,
            <code>hmac-sha2-512-etm@openssh.com</code>,
            <code>hmac-md5-etm@openssh.com</code>,
            <code>hmac-md5-96-etm@openssh.com</code>,
            <code>umac-64-etm@openssh.com</code>,
            <code>umac-128-etm@openssh.com</code>
       <li>SFTP: <code>posix-rename@openssh.com</code>,
            <code>statvfs@openssh.com</code>, <code>fstatvfs@openssh.com</code>,
            <code>hardlink@openssh.com</code>, <code>fsync@openssh.com</code>,
            <code>lesetstat@openssh.com</code>, <code>limits@openssh.com</code>,
            <code>expand-path@openssh.com</code>
     </ul>
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-miller-ssh-agent-04"
	>draft-miller-ssh-agent-04</a>
    <td>
    <td>ssh-agent protocol (<code>auth-agent@openssh.com</code>)
  <tr>
    <td><a
       href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.certkeys?annotate=HEAD"
       >PROTOCOL.certkeys</a>
    <td>
    <td><code>ssh-rsa-cert-v01@openssh.com</code>,
        <code>ssh-dsa-cert-v01@openssh.com</code>,
        <code>ecdsa-sha2-nistp256-cert-v01@openssh.com</code>,
        <code>ecdsa-sha2-nistp384-cert-v01@openssh.com</code>,
        <code>ecdsa-sha2-nistp521-cert-v01@openssh.com</code>,
        <code>ssh-ed25519-cert-v01@openssh.com</code>,
        <code>rsa-sha2-256-cert-v01@openssh.com</code>,
        <code>rsa-sha2-512-cert-v01@openssh.com</code>: new public
         key algorithms supporting certificates.
  <tr>
    <td><a
       href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.chacha20poly1305?annotate=HEAD"
       >PROTOCOL.chacha20poly1305</a>
    <td>
    <td><code>chacha20-poly1305@openssh.com</code> authenticated encryption mode.
  <tr>
    <td><a
       href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.key?annotate=HEAD"
       >PROTOCOL.key</a>
    <td>
    <td>OpenSSH private key format (<code>openssh-key-v1</code>).
  <tr>
    <td><a
       href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.krl?annotate=HEAD"
       >PROTOCOL.krl</a>
    <td>
    <td>Key Revocation Lists for OpenSSH keys and certificates.
  <tr>
    <td><a
       href="https://cvsweb.openbsd.org/src/usr.bin/ssh/PROTOCOL.mux?annotate=HEAD"
       >PROTOCOL.mux</a>
    <td>
    <td>Multiplexing protocol used by ssh(1) ControlMaster connection-sharing.
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-miller-secsh-umac-01"
        >draft-miller-secsh-umac-01</a>
    <td>
    <td>Use of UMAC in SSH (<code>umac-64@openssh.com</code>,
        <code>umac-128@openssh.com</code>)
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-miller-secsh-compression-delayed-00"
      >draft-miller-secsh-compression-delayed-00</a>
    <td>
    <td>Delayed compression until after authentication
        (<code>zlib@openssh.com</code>)
  <tr>
    <td><a
       href="https://git.libssh.org/projects/libssh.git/tree/doc/curve25519-sha256@libssh.org.txt"
       >curve25519-sha256@libssh.org</a>
    <td>
    <td><code>curve25519-sha256@libssh.org</code> key exchange method.  This is
       identical to <code>curve25519-sha256</code> as later published in
       <a href=https://tools.ietf.org/html/rfc8731>RFC8731</a>.
  <tr>
    <td><a href="https://tools.ietf.org/html/draft-kampanakis-curdle-pq-ssh-00"
      >draft-kampanakis-curdle-pq-ssh-00</a>
    <td><a href=releasenotes.html#8.0>8.0</a
      >-<a href=releasenotes.html#8.5>8.5</a>
    <td>Post-quantum public key algorithms
      (<code>sntrup4591761x25519-sha512@tinyssh.org</code>)
</table>

<h3>Other specifications</h3>
<table>
  <tr>
    <th>Specification
    <th>Description
  <tr>
    <td><a href="txt/socks4.protocol">socks4.protocol</a>
    <td>SOCKS protocol version 4.  Used for <code>ssh(1) DynamicForward</code>.
  <tr>
    <td><a href="txt/socks4a.protocol">socks4a.protocol</a>
    <td>SOCKS protocol version 4a.  Used for <code>ssh(1) DynamicForward</code>.
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc1928>RFC1928</a>
    <td>SOCKS protocol version 5.  Used for <code>ssh(1) DynamicForward</code>.
  <tr>
    <td><a href=https://tools.ietf.org/html/rfc1349>RFC1349</a>
        <a href=https://tools.ietf.org/html/rfc8325>RFC8325</a>
    <td>IP Type of Service (ToS) and Differentiated Services.
        OpenSSH will automatically set the IP Type of Service according to
        RFC8325 unless otherwise specified via the <code>IPQoS</code>
        keyword in <a href= "https://man.openbsd.org/ssh_config"
        >ssh_config</a> and <a href=
        "https://man.openbsd.org/sshd_config"
        >sshd_config</a>.
        Versions 7.7 and earlier will set it per RFC1349
        unless otherwise specified.
</table>