jcs.org / openbsd-src
jcs's openbsd hax
openbsd
fork atom
openbsd-src / usr.bin / ssh / PROTOCOL
at jcs 721 lines 25 kB view raw
dtucker Use https for URLs.
332de534
1This documents OpenSSH's deviations and extensions to the published SSH 2protocol. 3 4Note that OpenSSH's sftp and sftp-server implement revision 3 of the SSH 5filexfer protocol described in: 6 7https://www.openssh.com/txt/draft-ietf-secsh-filexfer-02.txt 8 9Newer versions of the draft will not be supported, though some features 10are individually implemented as extensions described below. 11 12The protocol used by OpenSSH's ssh-agent is described in the file 13PROTOCOL.agent 14 151. Transport protocol changes 16 171.1. transport: Protocol 2 MAC algorithm "umac-64@openssh.com" 18 19This is a new transport-layer MAC method using the UMAC algorithm 20(rfc4418). This method is identical to the "umac-64" method documented 21in: 22 23https://www.openssh.com/txt/draft-miller-secsh-umac-01.txt 24 251.2. transport: Protocol 2 compression algorithm "zlib@openssh.com" 26 27This transport-layer compression method uses the zlib compression 28algorithm (identical to the "zlib" method in rfc4253), but delays the 29start of compression until after authentication has completed. This 30avoids exposing compression code to attacks from unauthenticated users. 31 32The method is documented in: 33 34https://www.openssh.com/txt/draft-miller-secsh-compression-delayed-00.txt 35 361.3. transport: Certificate key algorithms 37 38OpenSSH introduces new public key algorithms to support certificate 39authentication for users and host keys. These methods are documented 40in at https://datatracker.ietf.org/doc/draft-miller-ssh-cert/ 41 421.4. transport: Elliptic Curve cryptography 43 44OpenSSH supports ECC key exchange and public key authentication as 45specified in RFC5656. Only the ecdsa-sha2-nistp256, ecdsa-sha2-nistp384 46and ecdsa-sha2-nistp521 curves over GF(p) are supported. Elliptic 47curve points encoded using point compression are NOT accepted or 48generated. 49 501.5 transport: Protocol 2 Encrypt-then-MAC MAC algorithms 51 52OpenSSH supports MAC algorithms, whose names contain "-etm", that 53perform the calculations in a different order to that defined in RFC 544253. These variants use the so-called "encrypt then MAC" ordering, 55calculating the MAC over the packet ciphertext rather than the 56plaintext. This ordering closes a security flaw in the SSH transport 57protocol, where decryption of unauthenticated ciphertext provided a 58"decryption oracle" that could, in conjunction with cipher flaws, reveal 59session plaintext. 60 61Specifically, the "-etm" MAC algorithms modify the transport protocol 62to calculate the MAC over the packet ciphertext and to send the packet 63length unencrypted. This is necessary for the transport to obtain the 64length of the packet and location of the MAC tag so that it may be 65verified without decrypting unauthenticated data. 66 67As such, the MAC covers: 68 69 mac = MAC(key, sequence_number || packet_length || encrypted_packet) 70 71where "packet_length" is encoded as a uint32 and "encrypted_packet" 72contains: 73 74 byte padding_length 75 byte[n1] payload; n1 = packet_length - padding_length - 1 76 byte[n2] random padding; n2 = padding_length 77 781.6 transport: AES-GCM 79 80OpenSSH supports the AES-GCM algorithm as specified in RFC 5647. 81Because of problems with the design of the algorithm negotiation in this 82RFC, OpenSSH (and other SSH implementations) use different rules as 83described in: 84 85https://datatracker.ietf.org/doc/draft-miller-sshm-aes-gcm/ 86 871.7 transport: chacha20-poly1305@openssh.com authenticated encryption 88 89OpenSSH supports authenticated encryption using ChaCha20 and Poly1305 90as described in: 91 92https://datatracker.ietf.org/doc/draft-ietf-sshm-chacha20-poly1305/ 93 941.8 transport: ping facility 95 96OpenSSH implements a transport level ping message SSH2_MSG_PING 97and a corresponding SSH2_MSG_PONG reply. 98 99#define SSH2_MSG_PING 192 100#define SSH2_MSG_PONG 193 101 102The ping message is simply: 103 104 byte SSH_MSG_PING 105 string data 106 107The reply copies the data (which may be the empty string) from the 108ping: 109 110 byte SSH_MSG_PONG 111 string data 112 113Replies are sent in order. They are sent immediately except when rekeying 114is in progress, in which case they are queued until rekeying completes. 115 116The server advertises support for these messages using the 117SSH2_MSG_EXT_INFO mechanism (RFC8308), with the following message: 118 119 string "ping@openssh.com" 120 string "0" (version) 121 122The ping/reply message is implemented at the transport layer rather 123than as a named global or channel request to allow pings with very 124short packet lengths, which would not be possible with other 125approaches. 126 1271.9 transport: strict key exchange extension 128 129OpenSSH supports a number of transport-layer hardening measures 130designed to thwart the so-called "Terrapin" attack against the 131early SSH protocol. These are collectively referred to as 132"strict KEX" and documented in an Internet-Draft: 133 134https://datatracker.ietf.org/doc/draft-miller-sshm-strict-kex/ 135 1361.10 transport: SSH2_MSG_EXT_INFO during user authentication 137 138This protocol extension allows the SSH2_MSG_EXT_INFO to be sent 139during user authentication. RFC8308 does allow a second 140SSH2_MSG_EXT_INFO notification, but it may only be sent at the end 141of user authentication and this is too late to signal per-user 142server signature algorithms. 143 144Support for receiving the SSH2_MSG_EXT_INFO message during user 145authentication is signalled by the client including a 146"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO 147set after the SSH2_MSG_NEWKEYS message. 148 149A server that supports this extension MAY send a second 150SSH2_MSG_EXT_INFO message any time after the client's first 151SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails. 152The client SHOULD be prepared to update the server-sig-algs that 153it received during an earlier SSH2_MSG_EXT_INFO with the later one. 154 1552. Connection protocol changes 156 1572.1. connection: Channel write close extension "eow@openssh.com" 158 159The SSH connection protocol (rfc4254) provides the SSH_MSG_CHANNEL_EOF 160message to allow an endpoint to signal its peer that it will send no 161more data over a channel. Unfortunately, there is no symmetric way for 162an endpoint to request that its peer should cease sending data to it 163while still keeping the channel open for the endpoint to send data to 164the peer. 165 166This is desirable, since it saves the transmission of data that would 167otherwise need to be discarded and it allows an endpoint to signal local 168processes of the condition, e.g. by closing the corresponding file 169descriptor. 170 171OpenSSH implements a channel extension message to perform this 172signalling: "eow@openssh.com" (End Of Write). This message is sent by 173an endpoint when the local output of a session channel is closed or 174experiences a write error. The message is formatted as follows: 175 176 byte SSH_MSG_CHANNEL_REQUEST 177 uint32 recipient channel 178 string "eow@openssh.com" 179 boolean FALSE 180 181On receiving this message, the peer SHOULD cease sending data of 182the channel and MAY signal the process from which the channel data 183originates (e.g. by closing its read file descriptor). 184 185As with the symmetric SSH_MSG_CHANNEL_EOF message, the channel does 186remain open after a "eow@openssh.com" has been sent and more data may 187still be sent in the other direction. This message does not consume 188window space and may be sent even if no window space is available. 189 190NB. due to certain broken SSH implementations aborting upon receipt 191of this message (in contravention of RFC4254 section 5.4), this 192message is only sent to OpenSSH peers (identified by banner). 193Other SSH implementations may be listed to receive this message 194upon request. 195 1962.2. connection: disallow additional sessions extension 197 "no-more-sessions@openssh.com" 198 199Most SSH connections will only ever request a single session, but a 200attacker may abuse a running ssh client to surreptitiously open 201additional sessions under their control. OpenSSH provides a global 202request "no-more-sessions@openssh.com" to mitigate this attack. 203 204When an OpenSSH client expects that it will never open another session 205(i.e. it has been started with connection multiplexing disabled), it 206will send the following global request: 207 208 byte SSH_MSG_GLOBAL_REQUEST 209 string "no-more-sessions@openssh.com" 210 char want-reply 211 212On receipt of such a message, an OpenSSH server will refuse to open 213future channels of type "session" and instead immediately abort the 214connection. 215 216Note that this is not a general defence against compromised clients 217(that is impossible), but it thwarts a simple attack. 218 219NB. due to certain broken SSH implementations aborting upon receipt 220of this message, the no-more-sessions request is only sent to OpenSSH 221servers (identified by banner). Other SSH implementations may be 222listed to receive this message upon request. 223 2242.3. connection: Tunnel forward extension "tun@openssh.com" 225 226OpenSSH supports layer 2 and layer 3 tunnelling via the "tun@openssh.com" 227channel type. This channel type supports forwarding of network packets 228with datagram boundaries intact between endpoints equipped with 229interfaces like the BSD tun(4) device. Tunnel forwarding channels are 230requested by the client with the following packet: 231 232 byte SSH_MSG_CHANNEL_OPEN 233 string "tun@openssh.com" 234 uint32 sender channel 235 uint32 initial window size 236 uint32 maximum packet size 237 uint32 tunnel mode 238 uint32 remote unit number 239 240The "tunnel mode" parameter specifies whether the tunnel should forward 241layer 2 frames or layer 3 packets. It may take one of the following values: 242 243 SSH_TUNMODE_POINTOPOINT 1 /* layer 3 packets */ 244 SSH_TUNMODE_ETHERNET 2 /* layer 2 frames */ 245 246The "tunnel unit number" specifies the remote interface number, or may 247be 0x7fffffff to allow the server to automatically choose an interface. A 248server that is not willing to open a client-specified unit should refuse 249the request with a SSH_MSG_CHANNEL_OPEN_FAILURE error. On successful 250open, the server should reply with SSH_MSG_CHANNEL_OPEN_SUCCESS. 251 252Once established the client and server may exchange packet or frames 253over the tunnel channel by encapsulating them in SSH protocol strings 254and sending them as channel data. This ensures that packet boundaries 255are kept intact. Specifically, packets are transmitted using normal 256SSH_MSG_CHANNEL_DATA packets: 257 258 byte SSH_MSG_CHANNEL_DATA 259 uint32 recipient channel 260 string data 261 262The contents of the "data" field for layer 3 packets is: 263 264 uint32 packet length 265 uint32 address family 266 byte[packet length - 4] packet data 267 268The "address family" field identifies the type of packet in the message. 269It may be one of: 270 271 SSH_TUN_AF_INET 2 /* IPv4 */ 272 SSH_TUN_AF_INET6 24 /* IPv6 */ 273 274The "packet data" field consists of the IPv4/IPv6 datagram itself 275without any link layer header. 276 277The contents of the "data" field for layer 2 packets is: 278 279 uint32 packet length 280 byte[packet length] frame 281 282The "frame" field contains an IEEE 802.3 Ethernet frame, including 283header. 284 2852.4. connection: Unix domain socket forwarding 286 287OpenSSH supports local and remote Unix domain socket forwarding 288using the "streamlocal" extension. Forwarding is initiated as per 289TCP sockets but with a single path instead of a host and port. 290 291Similar to direct-tcpip, direct-streamlocal is sent by the client 292to request that the server make a connection to a Unix domain socket. 293 294 byte SSH_MSG_CHANNEL_OPEN 295 string "direct-streamlocal@openssh.com" 296 uint32 sender channel 297 uint32 initial window size 298 uint32 maximum packet size 299 string socket path 300 string reserved 301 uint32 reserved 302 303Similar to forwarded-tcpip, forwarded-streamlocal is sent by the 304server when the client has previously send the server a streamlocal-forward 305GLOBAL_REQUEST. 306 307 byte SSH_MSG_CHANNEL_OPEN 308 string "forwarded-streamlocal@openssh.com" 309 uint32 sender channel 310 uint32 initial window size 311 uint32 maximum packet size 312 string socket path 313 string reserved for future use 314 315The reserved field is not currently defined and is ignored on the 316remote end. It is intended to be used in the future to pass 317information about the socket file, such as ownership and mode. 318The client currently sends the empty string for this field. 319 320Similar to tcpip-forward, streamlocal-forward is sent by the client 321to request remote forwarding of a Unix domain socket. 322 323 byte SSH2_MSG_GLOBAL_REQUEST 324 string "streamlocal-forward@openssh.com" 325 boolean TRUE 326 string socket path 327 328Similar to cancel-tcpip-forward, cancel-streamlocal-forward is sent 329by the client cancel the forwarding of a Unix domain socket. 330 331 byte SSH2_MSG_GLOBAL_REQUEST 332 string "cancel-streamlocal-forward@openssh.com" 333 boolean FALSE 334 string socket path 335 3362.5. connection: hostkey update and rotation "hostkeys-00@openssh.com" 337and "hostkeys-prove-00@openssh.com" 338 339OpenSSH supports a protocol extension allowing a server to inform 340a client of all its protocol v.2 host keys after user-authentication 341has completed. This is documented in an Internet-Draft 342 343https://datatracker.ietf.org/doc/draft-miller-sshm-hostkey-update/ 344 3452.6. connection: SIGINFO support for "signal" channel request 346 347The SSH channels protocol (RFC4254 section 6.9) supports sending a 348signal to a session attached to a channel. OpenSSH supports one 349extension signal "INFO@openssh.com" that allows sending SIGINFO on 350BSD-derived systems. 351 3523. Authentication protocol changes 353 3543.1. Host-bound public key authentication 355 356This is trivial change to the traditional "publickey" authentication 357method. The authentication request is identical to the original method 358but for the name and one additional field: 359 360 byte SSH2_MSG_USERAUTH_REQUEST 361 string username 362 string "ssh-connection" 363 string "publickey-hostbound-v00@openssh.com" 364 bool has_signature 365 string pkalg 366 string public key 367 string server host key 368 369Because the entire SSH2_MSG_USERAUTH_REQUEST message is included in 370the signed data, this ensures that a binding between the destination 371user, the server identity and the session identifier is visible to the 372signer. OpenSSH uses this binding via signed data to implement per-key 373restrictions in ssh-agent. 374 375A server may advertise this method using the SSH2_MSG_EXT_INFO 376mechanism (RFC8308), with the following message: 377 378 string "publickey-hostbound@openssh.com" 379 string "0" (version) 380 381Clients should prefer host-bound authentication when advertised by 382server. 383 3844. SFTP protocol changes 385 3864.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK 387 388When OpenSSH's sftp-server was implemented, the order of the arguments 389to the SSH_FXP_SYMLINK method was inadvertently reversed. Unfortunately, 390the reversal was not noticed until the server was widely deployed. Since 391fixing this to follow the specification would cause incompatibility, the 392current order was retained. For correct operation, clients should send 393SSH_FXP_SYMLINK as follows: 394 395 uint32 id 396 string targetpath 397 string linkpath 398 3994.2. sftp: Server extension announcement in SSH_FXP_VERSION 400 401OpenSSH's sftp-server lists the extensions it supports using the 402standard extension announcement mechanism in the SSH_FXP_VERSION server 403hello packet: 404 405 uint32 3 /* protocol version */ 406 string ext1-name 407 string ext1-version 408 string ext2-name 409 string ext2-version 410 ... 411 string extN-name 412 string extN-version 413 414Each extension reports its integer version number as an ASCII encoded 415string, e.g. "1". The version will be incremented if the extension is 416ever changed in an incompatible way. The server MAY advertise the same 417extension with multiple versions (though this is unlikely). Clients MUST 418check the version number before attempting to use the extension. 419 4204.3. sftp: Extension request "posix-rename@openssh.com" 421 422This operation provides a rename operation with POSIX semantics, which 423are different to those provided by the standard SSH_FXP_RENAME in 424draft-ietf-secsh-filexfer-02.txt. This request is implemented as a 425SSH_FXP_EXTENDED request with the following format: 426 427 uint32 id 428 string "posix-rename@openssh.com" 429 string oldpath 430 string newpath 431 432On receiving this request the server will perform the POSIX operation 433rename(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 434This extension is advertised in the SSH_FXP_VERSION hello with version 435"1". 436 4374.4. sftp: Extension requests "statvfs@openssh.com" and 438 "fstatvfs@openssh.com" 439 440These requests correspond to the statvfs and fstatvfs POSIX system 441interfaces. The "statvfs@openssh.com" request operates on an explicit 442pathname, and is formatted as follows: 443 444 uint32 id 445 string "statvfs@openssh.com" 446 string path 447 448The "fstatvfs@openssh.com" operates on an open file handle: 449 450 uint32 id 451 string "fstatvfs@openssh.com" 452 string handle 453 454These requests return a SSH_FXP_STATUS reply on failure. On success they 455return the following SSH_FXP_EXTENDED_REPLY reply: 456 457 uint32 id 458 uint64 f_bsize /* file system block size */ 459 uint64 f_frsize /* fundamental fs block size */ 460 uint64 f_blocks /* number of blocks (unit f_frsize) */ 461 uint64 f_bfree /* free blocks in file system */ 462 uint64 f_bavail /* free blocks for non-root */ 463 uint64 f_files /* total file inodes */ 464 uint64 f_ffree /* free file inodes */ 465 uint64 f_favail /* free file inodes for to non-root */ 466 uint64 f_fsid /* file system id */ 467 uint64 f_flag /* bit mask of f_flag values */ 468 uint64 f_namemax /* maximum filename length */ 469 470The values of the f_flag bitmask are as follows: 471 472 #define SSH_FXE_STATVFS_ST_RDONLY 0x1 /* read-only */ 473 #define SSH_FXE_STATVFS_ST_NOSUID 0x2 /* no setuid */ 474 475Both the "statvfs@openssh.com" and "fstatvfs@openssh.com" extensions are 476advertised in the SSH_FXP_VERSION hello with version "2". 477 4784.5. sftp: Extension request "hardlink@openssh.com" 479 480This request is for creating a hard link to a regular file. This 481request is implemented as a SSH_FXP_EXTENDED request with the 482following format: 483 484 uint32 id 485 string "hardlink@openssh.com" 486 string oldpath 487 string newpath 488 489On receiving this request the server will perform the operation 490link(oldpath, newpath) and will respond with a SSH_FXP_STATUS message. 491This extension is advertised in the SSH_FXP_VERSION hello with version 492"1". 493 4944.6. sftp: Extension request "fsync@openssh.com" 495 496This request asks the server to call fsync(2) on an open file handle. 497 498 uint32 id 499 string "fsync@openssh.com" 500 string handle 501 502On receiving this request, a server will call fsync(handle_fd) and will 503respond with a SSH_FXP_STATUS message. 504 505This extension is advertised in the SSH_FXP_VERSION hello with version 506"1". 507 5084.7. sftp: Extension request "lsetstat@openssh.com" 509 510This request is like the "setstat" command, but sets file attributes on 511symlinks. It is implemented as a SSH_FXP_EXTENDED request with the 512following format: 513 514 uint32 id 515 string "lsetstat@openssh.com" 516 string path 517 ATTRS attrs 518 519See the "setstat" command for more details. 520 521This extension is advertised in the SSH_FXP_VERSION hello with version 522"1". 523 5244.8. sftp: Extension request "limits@openssh.com" 525 526This request is used to determine various limits the server might impose. 527Clients should not attempt to exceed these limits as the server might sever 528the connection immediately. 529 530 uint32 id 531 string "limits@openssh.com" 532 533The server will respond with a SSH_FXP_EXTENDED_REPLY reply: 534 535 uint32 id 536 uint64 max-packet-length 537 uint64 max-read-length 538 uint64 max-write-length 539 uint64 max-open-handles 540 541The 'max-packet-length' applies to the total number of bytes in a 542single SFTP packet. Servers SHOULD set this at least to 34000. 543 544The 'max-read-length' is the largest length in a SSH_FXP_READ packet. 545Even if the client requests a larger size, servers will usually respond 546with a shorter SSH_FXP_DATA packet. Servers SHOULD set this at least to 54732768. 548 549The 'max-write-length' is the largest length in a SSH_FXP_WRITE packet 550the server will accept. Servers SHOULD set this at least to 32768. 551 552The 'max-open-handles' is the maximum number of active handles that the 553server allows (e.g. handles created by SSH_FXP_OPEN and SSH_FXP_OPENDIR 554packets). Servers MAY count internal file handles against this limit 555(e.g. system logging or stdout/stderr), so clients SHOULD NOT expect to 556open this many handles in practice. 557 558If the server doesn't enforce a specific limit, then the field may be 559set to 0. This implies the server relies on the OS to enforce limits 560(e.g. available memory or file handles), and such limits might be 561dynamic. The client SHOULD take care to not try to exceed reasonable 562limits. 563 564This extension is advertised in the SSH_FXP_VERSION hello with version 565"1". 566 5674.9. sftp: Extension request "expand-path@openssh.com" 568 569This request supports canonicalisation of relative paths and 570those that need tilde-expansion, i.e. "~", "~/..." and "~user/..." 571These paths are expanded using shell-like rules and the resultant 572path is canonicalised similarly to SSH2_FXP_REALPATH. 573 574It is implemented as a SSH_FXP_EXTENDED request with the following 575format: 576 577 uint32 id 578 string "expand-path@openssh.com" 579 string path 580 581Its reply is the same format as that of SSH2_FXP_REALPATH. 582 583This extension is advertised in the SSH_FXP_VERSION hello with version 584"1". 585 5864.10. sftp: Extension request "copy-data" 587 588This request asks the server to copy data from one open file handle and 589write it to a different open file handle. This avoids needing to transfer 590the data across the network twice (a download followed by an upload). 591 592 byte SSH_FXP_EXTENDED 593 uint32 id 594 string "copy-data" 595 string read-from-handle 596 uint64 read-from-offset 597 uint64 read-data-length 598 string write-to-handle 599 uint64 write-to-offset 600 601The server will copy read-data-length bytes starting from 602read-from-offset from the read-from-handle and write them to 603write-to-handle starting from write-to-offset, and then respond with a 604SSH_FXP_STATUS message. 605 606It's equivalent to issuing a series of SSH_FXP_READ requests on 607read-from-handle and a series of requests of SSH_FXP_WRITE on 608write-to-handle. 609 610If read-from-handle and write-to-handle are the same, the server will 611fail the request and respond with a SSH_FX_INVALID_PARAMETER message. 612 613If read-data-length is 0, then the server will read data from the 614read-from-handle until EOF is reached. 615 616This extension is advertised in the SSH_FXP_VERSION hello with version 617"1". 618 619This request is identical to the "copy-data" request documented in: 620 621https://tools.ietf.org/html/draft-ietf-secsh-filexfer-extensions-00#section-7 622 6234.11. sftp: Extension request "home-directory" 624 625This request asks the server to expand the specified user's home directory. 626An empty username implies the current user. This can be used by the client 627to expand ~/ type paths locally. 628 629 byte SSH_FXP_EXTENDED 630 uint32 id 631 string "home-directory" 632 string username 633 634This extension is advertised in the SSH_FXP_VERSION hello with version 635"1". 636 637This provides similar information as the "expand-path@openssh.com" extension. 638 639This request is identical to the "home-directory" request documented in: 640 641https://datatracker.ietf.org/doc/html/draft-ietf-secsh-filexfer-extensions-00#section-5 642 6434.12. sftp: Extension request "users-groups-by-id@openssh.com" 644 645This request asks the server to return user and/or group names that 646correspond to one or more IDs (e.g. as returned from a SSH_FXP_STAT 647request). This may be used by the client to provide usernames in 648directory listings. 649 650 byte SSH_FXP_EXTENDED 651 uint32 id 652 string "users-groups-by-id@openssh.com" 653 string uids 654 string gids 655 656Where "uids" and "gids" consists of one or more integer user or group 657identifiers: 658 659 uint32 id-0 660 ... 661 662The server will reply with a SSH_FXP_EXTENDED_REPLY: 663 664 byte SSH_FXP_EXTENDED_REPLY 665 uint32 id 666 string usernames 667 string groupnames 668 669Where "username" and "groupnames" consists of names in identical request 670order to "uids" and "gids" respectively: 671 672 string name-0 673 ... 674 675If a name cannot be identified for a given user or group ID, an empty 676string will be returned in its place. 677 678It is acceptable for either "uids" or "gids" to be an empty set, in 679which case the respective "usernames" or "groupnames" list will also 680be empty. 681 682This extension is advertised in the SSH_FXP_VERSION hello with version 683"1". 684 6855. Miscellaneous changes 686 6875.1 Public key format 688 689OpenSSH public keys, as generated by ssh-keygen(1) and appearing in 690authorized_keys files, are formatted as a single line of text consisting 691of the public key algorithm name followed by a base64-encoded key blob. 692The public key blob (before base64 encoding) is the same format used for 693the encoding of public keys sent on the wire: as described in RFC4253 694section 6.6 for RSA keys, RFC5656 section 3.1 for ECDSA keys and 695https://datatracker.ietf.org/doc/draft-miller-ssh-cert/ 696for the OpenSSH certificate formats. 697 6985.2 Private key format 699 700OpenSSH private keys, as generated by ssh-keygen(1) use the format 701described in PROTOCOL.key by default. As a legacy option, PEM format 702(RFC7468) private keys are also supported for RSA and ECDSA keys 703and were the default format before OpenSSH 7.8. 704 7055.3 KRL format 706 707OpenSSH supports a compact format for Key Revocation Lists (KRLs). This 708format is described in the PROTOCOL.krl file. 709 7105.4 Connection multiplexing 711 712OpenSSH's connection multiplexing uses messages as described in 713PROTOCOL.mux over a Unix domain socket for communications between a 714master instance and later clients. 715 7165.5. Agent protocol extensions 717 718OpenSSH extends the usual agent protocol. These changes are documented 719in the PROTOCOL.agent file. 720 721$OpenBSD: PROTOCOL,v 1.60 2026/02/09 22:09:48 dtucker Exp $