draft-ietf-secsh-userauth-18.2.ps

来自「OTP是开放电信平台的简称」· PS 代码 · 共 1,882 行 · 第 1/4 页

5 283 M
(   This method MUST NOT be listed as supported by the server.) s
5 261 M
(3.1.4 Completion of User Authentication) s
5 239 M
(   Authentication is complete when the server has responded with) s
5 228 M
(   SSH_MSG_USERAUTH_SUCCESS; all authentication related messages) s
5 217 M
(   received after sending this message SHOULD be silently ignored.) s
5 195 M
(   After sending SSH_MSG_USERAUTH_SUCCESS, the server starts the) s
5 184 M
(   requested service.) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 6]) s
_R
S
PStoPSsaved restore
%%Page: (6,7) 4
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 7 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(3.1.5 Banner Message) s
5 668 M
(   In some jurisdictions, sending a warning message before) s
5 657 M
(   authentication may be relevant for getting legal protection.  Many) s
5 646 M
(   UNIX machines, for example, normally display text from `/etc/issue',) s
5 635 M
(   or use "tcp wrappers" or similar software to display a banner before) s
5 624 M
(   issuing a login prompt.) s
5 602 M
(   The SSH server may send a SSH_MSG_USERAUTH_BANNER message at any time) s
5 591 M
(   before authentication is successful.  This message contains text to) s
5 580 M
(   be displayed to the client user before authentication is attempted.) s
5 569 M
(   The format is as follows:) s
5 547 M
(     byte      SSH_MSG_USERAUTH_BANNER) s
5 536 M
(     string    message \(ISO-10646 UTF-8\)) s
5 525 M
(     string    language tag \(as defined in [RFC3066]\)) s
5 503 M
(   The client SHOULD by default display the message on the screen.) s
5 492 M
(   However, since the message is likely to be sent for every login) s
5 481 M
(   attempt, and since some client software will need to open a separate) s
5 470 M
(   window for this warning, the client software may allow the user to) s
5 459 M
(   explicitly disable the display of banners from the server.  The) s
5 448 M
(   message may consist of multiple lines.) s
5 426 M
(   If the message string is displayed, control character filtering) s
5 415 M
(   discussed in [SSH-ARCH] SHOULD be used to avoid attacks by sending) s
5 404 M
(   terminal control characters.) s
5 382 M
(3.2 Authentication Protocol Message Numbers) s
5 360 M
(   All message numbers used by this authentication protocol are in the) s
5 349 M
(   range from 50 to 79, which is part of the range reserved for) s
5 338 M
(   protocols running on top of the SSH transport layer protocol.) s
5 316 M
(   Message numbers of 80 and higher are reserved for protocols running) s
5 305 M
(   after this authentication protocol, so receiving one of them before) s
5 294 M
(   authentication is complete is an error, to which the server MUST) s
5 283 M
(   respond by disconnecting \(preferably with a proper disconnect message) s
5 272 M
(   sent first to ease troubleshooting\).) s
5 250 M
(   After successful authentication, such messages are passed to the) s
5 239 M
(   higher-level service.) s
5 217 M
(   These are the general authentication message codes:) s
5 195 M
(     #define SSH_MSG_USERAUTH_REQUEST            50) s
5 184 M
(     #define SSH_MSG_USERAUTH_FAILURE            51) s
5 173 M
(     #define SSH_MSG_USERAUTH_SUCCESS            52) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 7]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 8 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(     #define SSH_MSG_USERAUTH_BANNER             53) s
5 668 M
(   In addition to the above, there is a range of message numbers) s
5 657 M
(   \(60..79\) reserved for method-specific messages.  These messages are) s
5 646 M
(   only sent by the server \(client sends only SSH_MSG_USERAUTH_REQUEST) s
5 635 M
(   messages\). Different authentication methods reuse the same message) s
5 624 M
(   numbers.) s
5 602 M
(3.3 Public Key Authentication Method: publickey) s
5 580 M
(   The only REQUIRED authentication method is public key authentication.) s
5 569 M
(   All implementations MUST support this method; however, not all users) s
5 558 M
(   need to have public keys, and most local policies are not likely to) s
5 547 M
(   require public key authentication for all users in the near future.) s
5 525 M
(   With this method, the possession of a private key serves as) s
5 514 M
(   authentication.  This method works by sending a signature created) s
5 503 M
(   with a private key of the user.  The server MUST check that the key) s
5 492 M
(   is a valid authenticator for the user, and MUST check that the) s
5 481 M
(   signature is valid.  If both hold, the authentication request MUST be) s
5 470 M
(   accepted; otherwise it MUST be rejected.  \(Note that the server MAY) s
5 459 M
(   require additional authentications after successful authentication.\)) s
5 437 M
(   Private keys are often stored in an encrypted form at the client) s
5 426 M
(   host, and the user must supply a passphrase before the signature can) s
5 415 M
(   be generated. Even if they are not, the signing operation involves) s
5 404 M
(   some expensive computation.  To avoid unnecessary processing and user) s
5 393 M
(   interaction, the following message is provided for querying whether) s
5 382 M
(   authentication using the key would be acceptable.) s
5 360 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 349 M
(     string    user name) s
5 338 M
(     string    service) s
5 327 M
(     string    "publickey") s
5 316 M
(     boolean   FALSE) s
5 305 M
(     string    public key algorithm name) s
5 294 M
(     string    public key blob) s
5 272 M
(   Public key algorithms are defined in the transport layer) s
5 261 M
(   specification [SSH-TRANS]. The public key blob may contain) s
5 250 M
(   certificates.) s
5 228 M
(   Any public key algorithm may be offered for use in authentication.) s
5 217 M
(   In particular, the list is not constrained by what was negotiated) s
5 206 M
(   during key exchange.  If the server does not support some algorithm,) s
5 195 M
(   it MUST simply reject the request.) s
5 173 M
(   The server MUST respond to this message with either) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 8]) s
_R
S
PStoPSsaved restore
%%Page: (8,9) 5
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 9 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(   SSH_MSG_USERAUTH_FAILURE or with the following:) s
5 668 M
(     byte      SSH_MSG_USERAUTH_PK_OK) s
5 657 M
(     string    public key algorithm name from the request) s
5 646 M
(     string    public key blob from the request) s
5 624 M
(   To perform actual authentication, the client MAY then send a) s
5 613 M
(   signature generated using the private key.  The client MAY send the) s
5 602 M
(   signature directly without first verifying whether the key is) s
5 591 M
(   acceptable. The signature is sent using the following packet:) s
5 569 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 558 M
(     string    user name) s
5 547 M
(     string    service) s
5 536 M
(     string    "publickey") s
5 525 M
(     boolean   TRUE) s
5 514 M
(     string    public key algorithm name) s
5 503 M
(     string    public key to be used for authentication) s
5 492 M
(     string    signature) s
5 470 M
(   Signature is a signature by the corresponding private key over the) s
5 459 M
(   following data, in the following order:) s
5 437 M
(     string    session identifier) s
5 426 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 415 M
(     string    user name) s
5 404 M
(     string    service) s
5 393 M
(     string    "publickey") s
5 382 M
(     boolean   TRUE) s
5 371 M
(     string    public key algorithm name) s
5 360 M
(     string    public key to be used for authentication) s
5 338 M
(   When the server receives this message, it MUST check whether the) s
5 327 M
(   supplied key is acceptable for authentication, and if so, it MUST) s
5 316 M
(   check whether the signature is correct.) s
5 294 M
(   If both checks succeed, this method is successful.  Note that the) s
5 283 M
(   server may require additional authentications.  The server MUST) s
5 272 M
(   respond with SSH_MSG_USERAUTH_SUCCESS \(if no more authentications are) s
5 261 M
(   needed\), or SSH_MSG_USERAUTH_FAILURE \(if the request failed, or more) s
5 250 M
(   authentications are needed\).) s
5 228 M
(   The following method-specific message numbers are used by the) s
5 217 M
(   publickey authentication method.) s
5 195 M
(     /* Key-based */) s
5 184 M
(     #define SSH_MSG_USERAUTH_PK_OK              60) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                  [Page 9]) s
_R
S
PStoPSsaved restore
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 421.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 10 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(3.4 Password Authentication Method: password) s
5 668 M
(   Password authentication uses the following packets.  Note that a) s
5 657 M
(   server MAY request the user to change the password.  All) s
5 646 M
(   implementations SHOULD support password authentication.) s
5 624 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 613 M
(     string    user name) s
5 602 M
(     string    service) s
5 591 M
(     string    "password") s
5 580 M
(     boolean   FALSE) s
5 569 M
(     string    plaintext password \(ISO-10646 UTF-8\)) s
5 547 M
(   Note that the password is encoded in ISO-10646 UTF-8.  It is up to) s
5 536 M
(   the server how it interprets the password and validates it against) s
5 525 M
(   the password database.  However, if the client reads the password in) s
5 514 M
(   some other encoding \(e.g., ISO 8859-1 \(ISO Latin1\)\), it MUST convert) s
5 503 M
(   the password to ISO-10646 UTF-8 before transmitting, and the server) s
5 492 M
(   MUST convert the password to the encoding used on that system for) s
5 481 M
(   passwords.) s
5 459 M
(   Note that even though the cleartext password is transmitted in the) s
5 448 M
(   packet, the entire packet is encrypted by the transport layer.  Both) s
5 437 M
(   the server and the client should check whether the underlying) s
5 426 M
(   transport layer provides confidentiality \(i.e., if encryption is) s
5 415 M
(   being used\).  If no confidentiality is provided \(none cipher\),) s
5 404 M
(   password authentication SHOULD be disabled.  If there is no) s
5 393 M
(   confidentiality or no MAC, password change SHOULD be disabled.) s
5 371 M
(   Normally, the server responds to this message with success or) s
5 360 M
(   failure. However, if the password has expired the server SHOULD) s
5 349 M
(   indicate this by responding with SSH_MSG_USERAUTH_PASSWD_CHANGEREQ.) s
5 338 M
(   In anycase the server MUST NOT allow an expired password to be used) s
5 327 M
(   for authentication.) s
5 305 M
(     byte      SSH_MSG_USERAUTH_PASSWD_CHANGEREQ) s
5 294 M
(     string    prompt \(ISO-10646 UTF-8\)) s
5 283 M
(     string    language tag \(as defined in [RFC3066]\)) s
5 261 M
(   In this case, the client MAY continue with a different authentication) s
5 250 M
(   method, or request a new password from the user and retry password) s
5 239 M
(   authentication using the following message. The client MAY also send) s
5 228 M
(   this message instead of the normal password authentication request) s
5 217 M
(   without the server asking for it.) s
5 195 M
(     byte      SSH_MSG_USERAUTH_REQUEST) s
5 184 M
(     string    user name) s
5 173 M
(     string    service) s
5 129 M
(Ylonen & Moffat          Expires March 2, 2003                 [Page 10]) s
_R
S
PStoPSsaved restore
%%Page: (10,11) 6
userdict/PStoPSsaved save put
PStoPSmatrix setmatrix
595.000000 0.271378 translate
90 rotate
0.706651 dup scale
userdict/PStoPSmatrix matrix currentmatrix put
userdict/PStoPSclip{0 0 moveto
 595.000000 0 rlineto 0 842.000000 rlineto -595.000000 0 rlineto
 closepath}put initclip
/showpage{}def/copypage{}def/erasepage{}def
PStoPSxform concat
%%BeginPageSetup
_S
75 0 translate
/pagenum 11 def
/fname () def
/fdir () def
/ftail () def
/user_header_p false def
%%EndPageSetup
5 723 M
(Internet-Draft        SSH Authentication Protocol         September 2002) s
5 690 M
(     string    "password") s
5 679 M
(     boolean   TRUE) s
5 668 M
(     string    plaintext old password \(ISO-10646 UTF-8\)) s
5 657 M
(     string    plaintext new password \(ISO-10646 UTF-8\)) s
5 635 M
(   The server must reply to request message with) s
5 624 M
(   SSH_MSG_USERAUTH_SUCCESS, SSH_MSG_USERAUTH_FAILURE, or another) s
5 613 M