PROTOCOL
As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does | As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does | ||||
remain open after a "eow@openssh.com" has been sent and more data may | remain open after a "eow@openssh.com" has been sent and more data may | ||||
still be sent in the other direction. This message does not consume | still be sent in the other direction. This message does not consume | ||||
window space and may be sent even if no window space is available. | window space and may be sent even if no window space is available. | ||||
NB. due to certain broken SSH implementations aborting upon receipt | NB. due to certain broken SSH implementations aborting upon receipt | ||||
of this message (in contravention of RFC4254 section 5.4), this | of this message (in contravention of RFC4254 section 5.4), this | ||||
message is only sent to OpenSSH peers (identified by banner). | message is only sent to OpenSSH peers (identified by banner). | ||||
Other SSH implementations may be whitelisted to receive this message | Other SSH implementations may be listed to receive this message | ||||
upon request. | upon request. | ||||
2.2. connection: disallow additional sessions extension | 2.2. connection: disallow additional sessions extension | ||||
"no-more-sessions@openssh.com" | "no-more-sessions@openssh.com" | ||||
Most SSH connections will only ever request a single session, but a | Most SSH connections will only ever request a single session, but a | ||||
attacker may abuse a running ssh client to surreptitiously open | attacker may abuse a running ssh client to surreptitiously open | ||||
additional sessions under their control. OpenSSH provides a global | additional sessions under their control. OpenSSH provides a global | ||||
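Review bot: the phrase "but a attacker may abuse a running ssh client" in the unchanged context just below the "no-more-sessions@openssh.com" heading should read "an attacker"; since this change already edits wording in this section ("whitelisted" to "listed"), fixing the article here would be a natural part of the same change.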
connection. | connection. | ||||
Note that this is not a general defence against compromised clients | Note that this is not a general defence against compromised clients | ||||
(that is impossible), but it thwarts a simple attack. | (that is impossible), but it thwarts a simple attack. | ||||
NB. due to certain broken SSH implementations aborting upon receipt | NB. due to certain broken SSH implementations aborting upon receipt | ||||
of this message, the no-more-sessions request is only sent to OpenSSH | of this message, the no-more-sessions request is only sent to OpenSSH | ||||
servers (identified by banner). Other SSH implementations may be | servers (identified by banner). Other SSH implementations may be | ||||
whitelisted to receive this message upon request. | listed to receive this message upon request. | ||||
2.3. connection: Tunnel forward extension "tun@openssh.com" | 2.3. connection: Tunnel forward extension "tun@openssh.com" | ||||
OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" | OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" | ||||
channel type. This channel type supports forwarding of network packets | channel type. This channel type supports forwarding of network packets | ||||
with datagram boundaries intact between endpoints equipped with | with datagram boundaries intact between endpoints equipped with | ||||
interfaces like the BSD tun(4) device. Tunnel forwarding channels are | interfaces like the BSD tun(4) device. Tunnel forwarding channels are | ||||
requested by the client with the following packet: | requested by the client with the following packet: | ||||
byte SSH_MSG_CHANNEL_OPEN | byte SSH_MSG_CHANNEL_OPEN | ||||
string "tun@openssh.com" | string "tun@openssh.com" | ||||
uint32 sender channel | uint32 sender channel | ||||
uint32 initial window size | uint32 initial window size | ||||
uint32 maximum packet size | uint32 maximum packet size | ||||
uint32 tunnel mode | uint32 tunnel mode | ||||
uint32 remote unit number | uint32 remote unit number | ||||
The "tunnel mode" parameter specifies whether the tunnel should forward | The "tunnel mode" parameter specifies whether the tunnel should forward | ||||
layer 2 frames or layer 3 packets. It may take one of the following values: | layer 2 frames or layer 3 packets. It may take one of the following values: | ||||
SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ | SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ | ||||
SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ | SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ | ||||
The "tunnel unit number" specifies the remote interface number, or may | The "tunnel unit number" specifies the remote interface number, or may | ||||
be 0x7fffffff to allow the server to automatically chose an interface. A | be 0x7fffffff to allow the server to automatically choose an interface. A | ||||
server that is not willing to open a client-specified unit should refuse | server that is not willing to open a client-specified unit should refuse | ||||
the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful | the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful | ||||
open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. | open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. | ||||
Once established the client and server may exchange packet or frames | Once established the client and server may exchange packet or frames | ||||
over the tunnel channel by encapsulating them in SSH protocol strings | over the tunnel channel by encapsulating them in SSH protocol strings | ||||
and sending them as channel data. This ensures that packet boundaries | and sending them as channel data. This ensures that packet boundaries | ||||
are kept intact. Specifically, packets are transmitted using normal | are kept intact. Specifically, packets are transmitted using normal | ||||
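Review bot: the prose and the packet layout disagree on the field name: the layout lists "uint32 remote unit number" but the explanation below it says "The "tunnel unit number" specifies the remote interface number"; the text should use one name consistently. Two smaller typos in the same unchanged context could be folded in alongside the "chose" to "choose" fix: "a SSH_MSG_CHANNEL_OPEN_FAILURE error" should be "an SSH_MSG_CHANNEL_OPEN_FAILURE error", and "may exchange packet or frames" should be "packets or frames".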
| has completed. |
byte SSH_MSG_GLOBAL_REQUEST | byte SSH_MSG_GLOBAL_REQUEST | ||||
string "hostkeys-00@openssh.com" | string "hostkeys-00@openssh.com" | ||||
string[] hostkeys | string[] hostkeys | ||||
Upon receiving this message, a client should check which of the | Upon receiving this message, a client should check which of the | ||||
supplied host keys are present in known_hosts. | supplied host keys are present in known_hosts. | ||||
Note that the server may send key types that the client does not | Note that the server may send key types that the client does not | ||||
support. The client should disgregard such keys if they are received. | support. The client should disregard such keys if they are received. | ||||
If the client identifies any keys that are not present for the host, | If the client identifies any keys that are not present for the host, | ||||
it should send a "hostkeys-prove@openssh.com" message to request the | it should send a "hostkeys-prove@openssh.com" message to request the | ||||
server prove ownership of the private half of the key. | server prove ownership of the private half of the key. | ||||
byte SSH_MSG_GLOBAL_REQUEST | byte SSH_MSG_GLOBAL_REQUEST | ||||
string "hostkeys-prove-00@openssh.com" | string "hostkeys-prove-00@openssh.com" | ||||
char 1 /* want-reply */ | char 1 /* want-reply */ | ||||
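Review bot: the prose says the client "should send a "hostkeys-prove@openssh.com" message", but the message layout that follows names the request "hostkeys-prove-00@openssh.com" (consistent with the "-00" suffix on "hostkeys-00@openssh.com" above); the text should name the request exactly as the packet does. This sits in the unchanged context next to the "disgregard" to "disregard" fix, so it could be corrected in the same change.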
format is described in the PROTOCOL.krl file. | format is described in the PROTOCOL.krl file. | ||||
4.4 Connection multiplexing | 4.4 Connection multiplexing | ||||
OpenSSH's connection multiplexing uses messages as described in | OpenSSH's connection multiplexing uses messages as described in | ||||
PROTOCOL.mux over a Unix domain socket for communications between a | PROTOCOL.mux over a Unix domain socket for communications between a | ||||
master instance and later clients. | master instance and later clients. | ||||
$OpenBSD: PROTOCOL,v 1.36 2018/10/02 12:51:58 djm Exp $ | $OpenBSD: PROTOCOL,v 1.38 2020/07/05 23:59:45 djm Exp $ |
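Review bot: the $OpenBSD$ tag moves from PROTOCOL,v 1.36 to 1.38, i.e. two upstream revisions, while the only edits visible in this view are wording fixes ("whitelisted" to "listed" in two places, "chose" to "choose", "disgregard" to "disregard"); please confirm that the collapsed regions of the file carry whatever else the 1.37 and 1.38 revisions changed, so that the revision tag matches the content actually imported.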