Network Working Group                                       T. Ylonen
Internet-Draft                                             T. Kivinen
Expires: March 21, 2003             SSH Communications Security Corp
                                                         M. Saarinen
                                            University of Jyvaskyla
                                                            T. Rinne
                                                         S. Lehtinen
                                    SSH Communications Security Corp
                                                  September 20, 2002

draft-ietf-secsh-connect-16.txt
SSH_MSG_REQUEST_SUCCESS or SSH_MSG_REQUEST_FAILURE if `want reply' is TRUE. SSH_MSG_REQUEST_FAILURE.

`sender channel' is a local identifier for the channel used by the sender of this message. `initial window size' specifies how many bytes of channel data can be sent to the sender of this message without adjusting the window. `Maximum packet size' specifies the maximum size of an individual data packet that can be sent to the sender (for example, one might want to use smaller packets for interactive connections to get better interactive response on slow links).

`recipient channel' is the channel number given in the original open request, and `sender channel' is the channel number allocated by the other side, or

SSH_MSG_CHANNEL_OPEN message does not support the specified channel type, it simply responds with SSH_MSG_CHANNEL_OPEN_FAILURE. The client MAY show the additional information to the user. If this is done, the client software should take the precautions discussed in [SSH-ARCH].

SSH_MSG_CHANNEL_EXTENDED_DATA messages, where a separate integer specifies the type of the data. The available types and their interpretation depend on the type of the channel.

SSH_MSG_CHANNEL_EOF.

SSH_MSG_CHANNEL_CLOSE. Upon receiving this message, a party MUST send back a SSH_MSG_CHANNEL_CLOSE unless it has already sent this message for the channel. The channel is considered closed for a party when it has both sent and received SSH_MSG_CHANNEL_CLOSE, and the party may then reuse the channel number. A party MAY send SSH_MSG_CHANNEL_CLOSE without having sent or received SSH_MSG_CHANNEL_EOF.
want reply is FALSE, no response will be sent to the request. Otherwise, the recipient responds with either SSH_MSG_CHANNEL_SUCCESS or SSH_MSG_CHANNEL_FAILURE, or request-specific continuation messages. If the request is not recognized or is not supported for the channel, SSH_MSG_CHANNEL_FAILURE is returned.

`single connection' is TRUE, only a single connection should be forwarded. No more connections will be forwarded after the first, or after the session channel has been closed. `x11 authentication protocol' is the name of the X11 authentication method used, e.g. 'MIT-MAGIC-COOKIE-1'. x11 authentication cookie MUST be hexadecimal encoded.

SSH_MSG_CHANNEL_OPEN_CONFIRMATION or SSH_MSG_CHANNEL_OPEN_FAILURE.

/etc/passwd in UNIX systems) to be started at the other end.

SSH_MSG_CHANNEL_DATA and SSH_MSG_CHANNEL_EXTENDED_DATA packets and the window mechanism. The extended data type SSH_EXTENDED_DATA_STDERR has been defined for stderr data.

`client can do' is TRUE, the client is allowed to do flow control using control-S and control-Q. The client MAY ignore this message.

exit-signal' SSH_MSG_CHANNEL_REQUEST. SSH_MSG_CHANNEL_CLOSE after this message.

sig-name@xyz', where `sig-name' and `xyz' may be anything a particular implementor wants (except the `@' sign). However, it is suggested that if a `configure' script is used, the non-standard signal names it finds be encoded as 'SIG@xyz.config.guess', where `SIG' is the signal name without the 'SIG' prefix, and `xyz' be the host type, as determined by `config.guess'.

`error message' contains an additional explanation of the error message. The message may consist of multiple lines. The client software MAY display this message to the user. If this is done, the client software should take the precautions discussed in [SSH-ARCH].

`Address to bind' and `port number to bind' specify the IP address and port to which the socket to be listened is bound. The address should be '0.0.0.0' if connections are allowed from anywhere. (Note that the client can still filter connections based on information passed in the open request.) TRUE then the server allocates the next available unprivileged port number and replies with the following message, otherwise there is no response specific data.

`Host to connect' and `port to connect' specify the TCP/IP host and port where the recipient should connect the channel. `Host to connect' may be either a domain name or a numeric IP address. `Originator IP address' is the numeric IP address of the machine where the connection request comes from, and `originator port' is the port on the originator host from which the connection came.

TTY_OP_END(0). Opcodes 1 to 159 have a single uint32 argument. Opcodes 160 to 255 are not yet defined, and cause parsing to stop (they should only be used after any other data).

0 TTY_OP_END
1 VINTR
2 VQUIT
3 VERASE
4 VKILL
5 VEOF
6 VEOL
7 VEOL2
8 VSTART
9 VSTOP
10 VSUSP
11 VDSUSP
12 VREPRINT
13 VWERASE
14 VLNEXT
15 VFLUSH
16 VSWTCH
17 VSTATUS
18 VDISCARD
30 IGNPAR (argument is 0 if FALSE set, and 1 if it is TRUE)
31 PARMRK
32 INPCK
33 ISTRIP
34 INLCR
35 IGNCR
36 ICRNL
37 IUCLC
38 IXON
39 IXANY
40 IXOFF
41 IMAXBEL
50 ISIG
51 ICANON
52 XCASE
53 ECHO
54 ECHOE
55 ECHOK
56 ECHONL
57 NOFLSH
58 TOSTOP
59 IEXTEN
60 ECHOCTL
61 ECHOKE
62 PENDIN
70 OPOST
71 OLCUC
72 ONLCR
73 OCRNL
74 ONOCR
75 ONLRET
90 CS7
91 CS8
92 PARENB
93 PARODD
128 TTY_OP_ISPEED
129 TTY_OP_OSPEED
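As an added example (not code from the draft or from any implementation it describes), a bounds-checked parser and encoder for the encoded terminal modes string that travels with a pty-req channel request, following the opcode rules stated above; treating a missing TTY_OP_END terminator as an error is a strict choice made here, not something the text spells out.

```python
import struct

TTY_OP_END = 0

class TerminalModesError(ValueError):
    """Malformed encoded-terminal-modes string (truncated or unterminated)."""

def parse_terminal_modes(data: bytes) -> dict:
    """Return {opcode: uint32} for the pairs found before TTY_OP_END.

    The peer controls this string, so every read is bounds-checked. An
    undefined opcode (160..255) stops parsing, as the text above says; a
    defined opcode whose 4-byte argument is cut off is an error rather
    than being silently dropped. Requiring the TTY_OP_END terminator is a
    strict choice made here (assumption), not something the draft spells out.
    """
    modes = {}
    pos = 0
    while pos < len(data):
        opcode = data[pos]
        pos += 1
        if opcode == TTY_OP_END:
            return modes
        if opcode >= 160:           # not yet defined: stop parsing here
            return modes
        if pos + 4 > len(data):
            raise TerminalModesError(f"opcode {opcode}: uint32 argument truncated")
        (arg,) = struct.unpack(">I", data[pos:pos + 4])   # big-endian uint32
        pos += 4
        modes[opcode] = arg
    raise TerminalModesError("missing TTY_OP_END terminator")

def encode_terminal_modes(modes: dict) -> bytes:
    """Inverse of parse_terminal_modes: opcode byte + uint32 per entry, then TTY_OP_END."""
    out = bytearray()
    for opcode, arg in modes.items():
        if not 1 <= opcode <= 159:
            raise ValueError(f"opcode {opcode} cannot carry an argument")
        out.append(opcode)
        out += struct.pack(">I", arg)
    out.append(TTY_OP_END)
    return bytes(out)

if __name__ == "__main__":
    # Constructed sample: VINTR (1) = 3, ECHO (53) = 1, ISPEED/OSPEED (128/129) = 38400.
    sample = encode_terminal_modes({1: 3, 53: 1, 128: 38400, 129: 38400})
    print(sample.hex())
    print(parse_terminal_modes(sample))
```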
/etc/ssh/sshd_config:

ssh monitor process forks an unprivileged child process that handles all of the requests from the client. If the client's request requires super user privileges the request is sent to the privileged monitor process. When you view the SSH processes started, you will see the sshd daemon for the monitor process and an unprivileged process owned by the client. For further detailed information about privilege separation, see the August 2002 article by Niels Provos, Preventing Privilege Escalation.

C for AIX (cc) version 5.0 compiler. The VRMF of the installation images will closely match the open source code level, except for the 'F' (Fix level). The fix level will be increased each time a release is made that contains fixes between major open source releases. For example, if we change the 3.4p1 level of code to contain a patch from the 3.5 level of the open source code, the 'F' will be incremented (for example, 3.4.0.5201).

/etc/pam.conf will be created on the server at openssh.base.server package installation time. (In the future, /etc/pam.conf will be created at openssh.base.server installation time.) pam_aix, where pam_aix is provided by the base AIX operating system (automatically installed on AIX 5.2 in /usr/lib/security). The pam_aix module allows access to the AIX security services by providing access to AIX builtin functions such as the AIX pam_aix authentication() call. The /etc/pam.conf for OpenSSH will look like this:

/etc/pam.conf will be 644.

ssh-rand-helper), as opposed to AIX 4.3.3 (AIX Linux Toolbox) which uses the PRNGD open source daemon (prngd-0.9.23-3.aix4.3.ppc.rpm package). /dev/random and /dev/urandom, pseudo-device driver and configuration routines that select various hardware device interrupts to provide entropy. OpenSSH in AIX 5.2 is compiled to take advantage of the new device /dev/urandom. You will also need the latest OpenSSL version, openssl-0.9.6e-2.aix4.3.ppc.rpm (AIX Linux Toolbox), for OpenSSH to use the /dev/urandom device.

openssh.man.en_US.

installp format of the code:

Installation package | Description |
---|---|
openssh.base | Contains the binary executable files for the client and server pieces of secure shell. There are two separate filesets, openssh.base.client and openssh.base.server. You may install the client portion only, but if you install the server portion, the client pieces automatically get installed. |
openssh.license | The IPLA non-warranted with Limited Program Services license text. This is the fileset that ensures that you read and accept the software license before installation. |
openssh.man.en_US | Man pages as shipped with the openssh.org source code. The man pages install into the /usr/share/man directory and can be viewed using the man command. There are man pages for each command and the ssh_config and sshd_config configuration files. |
openssh.msg.<LANGUAGE_ABBREVIATION> | Translated message catalog file. The only .msg fileset that gets installed relates to the locale you have installed on the operating system. |
openssh.base.client fileset and are installed in /usr/bin:

openssh.base.server fileset and are installed in /usr/sbin:

/etc/ssh:

sshd user, group, and /var/empty directory needed for server execution on the 3.4p1 level of code. The packaging also enables the SRC control of the daemon, generates host keys and checks for the prerequisite of OpenSSL before installing.