Network Working Group J. Galbraith
Request for Comments: 4819 J. Van Dyke
Category: Standards Track VanDyke Software
J. Bright
Silicon Circus
March 2007
Network Working Group J. Galbraith
Request for Comments: 4819 J. Van Dyke
Category: Standards Track VanDyke Software
J. Bright
Silicon Circus
March 2007
Secure Shell Public Key Subsystem
安全外壳公钥子系统
Status of This Memo
关于下段备忘
This document specifies an Internet standards track protocol for the Internet community, and requests discussion and suggestions for improvements. Please refer to the current edition of the "Internet Official Protocol Standards" (STD 1) for the standardization state and status of this protocol. Distribution of this memo is unlimited.
本文件规定了互联网社区的互联网标准跟踪协议,并要求进行讨论和提出改进建议。有关本协议的标准化状态和状态,请参考当前版本的“互联网官方协议标准”(STD 1)。本备忘录的分发不受限制。
Copyright Notice
版权公告
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
Abstract
摘要
Secure Shell defines a user authentication mechanism that is based on public keys, but does not define any mechanism for key distribution. No common key management solution exists in current implementations. This document describes a protocol that can be used to configure public keys in an implementation-independent fashion, allowing client software to take on the burden of this configuration.
Secure Shell定义了基于公钥的用户身份验证机制,但未定义任何密钥分发机制。当前实施中不存在通用密钥管理解决方案。本文档描述了一种协议,该协议可用于以独立于实现的方式配置公钥,从而允许客户端软件承担此配置的负担。
The Public Key Subsystem provides a server-independent mechanism for clients to add public keys, remove public keys, and list the current public keys known by the server. Rights to manage public keys are specific and limited to the authenticated user.
公钥子系统为客户端提供独立于服务器的机制,以添加公钥、删除公钥和列出服务器已知的当前公钥。管理公钥的权限是特定的,并且仅限于经过身份验证的用户。
A public key may also be associated with various restrictions, including a mandatory command or subsystem.
公钥还可以与各种限制相关联,包括强制命令或子系统。
Table of Contents
目录
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Public Key Subsystem Overview . . . . . . . . . . . . . . . . 3
3.1. Opening the Public Key Subsystem . . . . . . . . . . . . . 4
3.2. Requests and Responses . . . . . . . . . . . . . . . . . . 5
3.3. The Status Message . . . . . . . . . . . . . . . . . . . . 5
3.3.1. Status Codes . . . . . . . . . . . . . . . . . . . . . 5
3.4. The Version Packet . . . . . . . . . . . . . . . . . . . . 6
4. Public Key Subsystem Operations . . . . . . . . . . . . . . . 7
4.1. Adding a Public Key . . . . . . . . . . . . . . . . . . . 7
4.2. Removing a Public Key . . . . . . . . . . . . . . . . . . 10
4.3. Listing Public Keys . . . . . . . . . . . . . . . . . . . 10
4.4. Listing Server Capabilities . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
6.1. Registrations . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2.1. Conventions for Names . . . . . . . . . . . . . . . . 12
6.2.2. Future Assignments of Names . . . . . . . . . . . . . 13
6.3. Public Key Subsystem Request Names . . . . . . . . . . . . 13
6.4. Public Key Subsystem Response Names . . . . . . . . . . . 13
6.5. Public Key Subsystem Attribute Names . . . . . . . . . . . 13
6.6. Public Key Subsystem Status Codes . . . . . . . . . . . . 14
6.6.1. Conventions . . . . . . . . . . . . . . . . . . . . . 14
6.6.2. Initial Assignments . . . . . . . . . . . . . . . . . 14
6.6.3. Future Assignments . . . . . . . . . . . . . . . . . . 15
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Normative References . . . . . . . . . . . . . . . . . . . 15
7.2. Informative References . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Terminology . . . . . . . . . . . . . . . . . . . . . . . . . 3
3. Public Key Subsystem Overview . . . . . . . . . . . . . . . . 3
3.1. Opening the Public Key Subsystem . . . . . . . . . . . . . 4
3.2. Requests and Responses . . . . . . . . . . . . . . . . . . 5
3.3. The Status Message . . . . . . . . . . . . . . . . . . . . 5
3.3.1. Status Codes . . . . . . . . . . . . . . . . . . . . . 5
3.4. The Version Packet . . . . . . . . . . . . . . . . . . . . 6
4. Public Key Subsystem Operations . . . . . . . . . . . . . . . 7
4.1. Adding a Public Key . . . . . . . . . . . . . . . . . . . 7
4.2. Removing a Public Key . . . . . . . . . . . . . . . . . . 10
4.3. Listing Public Keys . . . . . . . . . . . . . . . . . . . 10
4.4. Listing Server Capabilities . . . . . . . . . . . . . . . 10
5. Security Considerations . . . . . . . . . . . . . . . . . . . 11
6. IANA Considerations . . . . . . . . . . . . . . . . . . . . . 12
6.1. Registrations . . . . . . . . . . . . . . . . . . . . . . 12
6.2. Names . . . . . . . . . . . . . . . . . . . . . . . . . . 12
6.2.1. Conventions for Names . . . . . . . . . . . . . . . . 12
6.2.2. Future Assignments of Names . . . . . . . . . . . . . 13
6.3. Public Key Subsystem Request Names . . . . . . . . . . . . 13
6.4. Public Key Subsystem Response Names . . . . . . . . . . . 13
6.5. Public Key Subsystem Attribute Names . . . . . . . . . . . 13
6.6. Public Key Subsystem Status Codes . . . . . . . . . . . . 14
6.6.1. Conventions . . . . . . . . . . . . . . . . . . . . . 14
6.6.2. Initial Assignments . . . . . . . . . . . . . . . . . 14
6.6.3. Future Assignments . . . . . . . . . . . . . . . . . . 15
7. References . . . . . . . . . . . . . . . . . . . . . . . . . . 15
7.1. Normative References . . . . . . . . . . . . . . . . . . . 15
7.2. Informative References . . . . . . . . . . . . . . . . . . 15
8. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . . 16
Secure Shell (SSH) is a protocol for secure remote login and other secure network services over an insecure network. Secure Shell defines a user authentication mechanism that is based on public keys, but does not define any mechanism for key distribution. Common practice is to authenticate once with password authentication and transfer the public key to the server. However, to date no two implementations use the same mechanism to configure a public key for use.
Secure Shell(SSH)是一种用于在不安全网络上安全远程登录和其他安全网络服务的协议。Secure Shell定义了基于公钥的用户身份验证机制,但未定义任何密钥分发机制。通常的做法是使用密码身份验证进行一次身份验证,然后将公钥传输到服务器。但是,到目前为止,没有两个实现使用相同的机制来配置公钥以供使用。
This document describes a subsystem that can be used to configure public keys in an implementation-independent fashion. This approach allows client software to take on the burden of this configuration. The Public Key Subsystem protocol is designed for extreme simplicity in implementation. It is not intended as a Public Key Infrastructure for X.509 Certificates (PKIX) replacement.
本文档描述了一个子系统,该子系统可用于以独立于实现的方式配置公钥。这种方法允许客户端软件承担这种配置的负担。公钥子系统协议的设计非常简单。它不是用于替换X.509证书(PKIX)的公钥基础设施。
The Secure Shell Public Key Subsystem has been designed to run on top of the Secure Shell transport layer [2] and user authentication protocols [3]. It provides a simple mechanism for the client to manage public keys on the server.
安全外壳公钥子系统设计为在安全外壳传输层[2]和用户身份验证协议[3]上运行。它为客户端管理服务器上的公钥提供了一种简单的机制。
This document should be read only after reading the Secure Shell architecture [1] and Secure Shell connection [4] documents.
只有在阅读了Secure Shell architecture[1]和Secure Shell connection[4]文档后,才能阅读本文档。
This protocol is intended to be used from the Secure Shell Connection Protocol [4] as a subsystem, as described in the section "Starting a Shell or a Command". The subsystem name used with this protocol is "publickey".
如“启动外壳或命令”一节所述,本协议旨在从安全外壳连接协议[4]中用作子系统。本协议使用的子系统名称为“公钥”。
This protocol requires that the user be able to authenticate in some fashion before it can be used. If password authentication is used, servers SHOULD provide a configuration option to disable the use of password authentication after the first public key is added.
该协议要求用户在使用前能够以某种方式进行身份验证。如果使用密码验证,服务器应提供配置选项,以在添加第一个公钥后禁用密码验证的使用。
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT", "SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in this document are to be interpreted as described in RFC 2119 [5].
本文件中的关键词“必须”、“不得”、“要求”、“应”、“不应”、“应”、“不应”、“建议”、“可”和“可选”应按照RFC 2119[5]中所述进行解释。
The Public Key Subsystem provides a server-independent mechanism for clients to add public keys, remove public keys, and list the current public keys known by the server. The subsystem name is "publickey".
公钥子系统为客户端提供独立于服务器的机制,以添加公钥、删除公钥和列出服务器已知的当前公钥。子系统名称为“公钥”。
The public keys added, removed, and listed using this protocol are specific and limited to those of the authenticated user.
使用此协议添加、删除和列出的公钥是特定的,并且仅限于经过身份验证的用户的公钥。
The operations to add, remove, and list the authenticated user's public keys are performed as request packets sent to the server. The server sends response packets that indicate success or failure as well as provide specific response data.
添加、删除和列出经过身份验证的用户公钥的操作将作为发送到服务器的请求数据包执行。服务器发送指示成功或失败的响应数据包,并提供特定的响应数据。
The format of public key blobs are detailed in Section 6.6, "Public Key Algorithms" of the SSH Transport Protocol document [2].
SSH传输协议文档[2]的第6.6节“公钥算法”详细介绍了公钥blob的格式。
The Public Key Subsystem is started by a client sending an SSH_MSG_CHANNEL_REQUEST over an existing session's channel.
公钥子系统由客户端通过现有会话的通道发送SSH_MSG_CHANNEL_请求启动。
The details of how a session is opened are described in the SSH Connection Protocol document [4] in the section "Opening a Session".
如何打开会话的详细信息在SSH连接协议文档[4]的“打开会话”一节中进行了描述。
To open the Public Key Subsystem, the client sends:
要打开公钥子系统,客户端将发送:
byte SSH_MSG_CHANNEL_REQUEST uint32 recipient channel string "subsystem" boolean want reply string "publickey"
字节SSH\u MSG\u CHANNEL\u请求uint32收件人通道字符串“subsystem”布尔值想要回复字符串“publickey”
Client implementations SHOULD reject this request; it is normally sent only by the client.
客户端实现应拒绝此请求;它通常仅由客户端发送。
If want reply is TRUE, the server MUST respond with SSH_MSG_CHANNEL_SUCCESS if the Public Key Subsystem was successfully started, or SSH_MSG_CHANNEL_FAILURE if the server failed to start or does not support the Public Key Subsystem.
如果want reply为TRUE,则如果公钥子系统已成功启动,服务器必须以SSH_MSG_CHANNEL_SUCCESS响应;如果服务器未能启动或不支持公钥子系统,则服务器必须以SSH_MSG_CHANNEL_FAILURE响应。
The server SHOULD respond with SSH_MSG_CHANNEL_FAILURE if the user is not allowed access to the Public Key Subsystem (for example, because the user authenticated with a restricted public key).
如果不允许用户访问公钥子系统(例如,因为用户使用受限制的公钥进行了身份验证),服务器应以SSH_MSG_CHANNEL_故障进行响应。
It is RECOMMENDED that clients request and check the reply for this request.
建议客户端请求并检查此请求的答复。
All Public Key Subsystem requests and responses are sent in the following form:
所有公钥子系统请求和响应均以以下形式发送:
uint32 length string name ... request/response specific data follows
uint32长度字符串名称。。。请求/响应特定数据如下
The length field describes the length of the name field and of the request/response-specific data, but does not include the length of the length field itself. The client MUST receive acknowledgement of each request prior to sending a new request.
长度字段描述名称字段和请求/响应特定数据的长度,但不包括长度字段本身的长度。在发送新请求之前,客户端必须收到每个请求的确认。
The version packet, as well as all requests and responses described in Section 4, are a description of the 'name' field and the data part of the packet.
版本数据包以及第4节中描述的所有请求和响应都是对“名称”字段和数据包数据部分的描述。
A request is acknowledged by sending a status packet. If there is data in response to the request, the status packet is sent after all data has been sent.
通过发送状态包确认请求。如果有数据响应请求,则在发送所有数据后发送状态包。
string "status" uint32 status code string description [7] string language tag [6]
字符串“状态”uint32状态代码字符串说明[7]字符串语言标记[6]
A status message MUST be sent for any unrecognized packets, and the request SHOULD NOT close the subsystem.
必须为任何无法识别的数据包发送状态消息,并且请求不应关闭子系统。
The status code gives the status in a more machine-readable format (suitable for localization), and can have the following values:
状态代码以更具机器可读性的格式(适用于本地化)提供状态,并且可以具有以下值:
SSH_PUBLICKEY_SUCCESS 0 SSH_PUBLICKEY_ACCESS_DENIED 1 SSH_PUBLICKEY_STORAGE_EXCEEDED 2 SSH_PUBLICKEY_VERSION_NOT_SUPPORTED 3 SSH_PUBLICKEY_KEY_NOT_FOUND 4 SSH_PUBLICKEY_KEY_NOT_SUPPORTED 5 SSH_PUBLICKEY_KEY_ALREADY_PRESENT 6 SSH_PUBLICKEY_GENERAL_FAILURE 7 SSH_PUBLICKEY_REQUEST_NOT_SUPPORTED 8 SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED 9
SSH\u公钥\u成功0 SSH\u公钥\u访问被拒绝1 SSH\u公钥\u存储超过2 SSH\u公钥\u版本\u不受支持3 SSH\u公钥\u密钥未找到4 SSH\u公钥\u密钥不受支持5 SSH\u公钥\u密钥已存在6 SSH\u公钥\u一般故障7 SSH\u公钥\u请求\u不受支持8 SSH\u公钥\u属性\u不受支持9
If a request completed successfully, the server MUST send the status code SSH_PUBLICKEY_SUCCESS. The meaning of the failure codes is as implied by their names.
如果请求成功完成,服务器必须发送状态代码SSH\u PUBLICKEY\u SUCCESS。故障代码的含义与其名称相同。
Both sides MUST start a connection by sending a version packet that indicates the version of the protocol they are using.
双方必须通过发送一个版本数据包来启动连接,该数据包指示他们正在使用的协议的版本。
string "version" uint32 protocol-version-number
字符串“版本”uint32协议版本号
This document describes version 2 of the protocol. Version 1 was used by an early draft of this document. The version number was incremented after changes in the handling of status packets.
本文件描述了协议的第2版。本文件的早期草稿使用了第1版。在状态数据包的处理发生更改后,版本号增加。
Both sides send the highest version that they implement. The lower of the version numbers is the version of the protocol to use. If either side can't support the lower version, it should close the subsystem and notify the other side by sending an SSH_MSG_CHANNEL_CLOSE message. Before closing the subsystem, a status message with the status SSH_PUBLICKEY_VERSION_NOT_SUPPORTED SHOULD be sent. Note that, normally, status messages are only sent by the server (in response to requests from the client). This is the only occasion on which the client sends a status message.
双方都发送他们实现的最高版本。版本号中较低的是要使用的协议版本。如果任何一方不能支持较低版本,它应该关闭子系统,并通过发送SSH_MSG_CHANNEL_close消息通知另一方。关闭子系统之前,应发送状态为SSH_PUBLICKEY_VERSION_NOT_SUPPORTED的状态消息。请注意,通常情况下,状态消息仅由服务器发送(响应客户端的请求)。这是客户端发送状态消息的唯一场合。
Both sides MUST wait to receive this version before continuing. The "version" packet MUST NOT be sent again after this initial exchange. The SSH_PUBLICKEY_VERSION_NOT_SUPPORTED status code must not be sent in response to any other request.
双方必须等待收到此版本后才能继续。“版本”数据包在初次交换后不得再次发送。SSH_PUBLICKEY_VERSION_NOT_SUPPORTED状态代码不得发送以响应任何其他请求。
Implementations MAY use the first 15 bytes of the version packet as a "magic cookie" to avoid processing spurious output from the user's shell (as described in Section 6.5 of [4]). These bytes will always be:
实现可以使用版本数据包的前15个字节作为“魔法cookie”,以避免处理来自用户外壳的虚假输出(如[4]第6.5节所述)。这些字节将始终为:
0x00 0x00 0x00 0x0F 0x00 0x00 0x00 0x07 0x76 0x65 0x72 0x73 0x69 0x6F 0x6E
0x00 0x00 0x00 0x0F 0x00 0x00 0x00 0x07 0x76 0x65 0x72 0x73 0x69 0x6F 0x6E
The Public Key Subsystem currently defines four operations: add, remove, list, and listattributes.
公钥子系统目前定义了四个操作:添加、删除、列表和listattributes。
If the client wishes to add a public key, the client sends:
如果客户端希望添加公钥,则客户端将发送:
string "add" string public key algorithm name string public key blob boolean overwrite uint32 attribute-count string attrib-name string attrib-value bool critical repeated attribute-count times
字符串“添加”字符串公钥算法名称字符串公钥blob布尔覆盖uint32属性计数字符串attrib名称字符串attrib值bool临界重复属性计数次数
The server MUST attempt to store the public key for the user in the appropriate location so the public key can be used for subsequent public key authentications. If the overwrite field is false and the specified key already exists, the server MUST return SSH_PUBLICKEY_KEY_ALREADY_PRESENT. If the server returns this, the client SHOULD provide an option to the user to overwrite the key. If the overwrite field is true and the specified key already exists, but cannot be overwritten, the server MUST return SSH_PUBLICKEY_ACCESS_DENIED.
服务器必须尝试将用户的公钥存储在适当的位置,以便该公钥可用于后续公钥身份验证。如果覆盖字段为false且指定的密钥已存在,则服务器必须返回SSH\u PUBLICKEY\u key\u ready\u PRESENT。如果服务器返回此密钥,客户端应向用户提供覆盖密钥的选项。如果overwrite字段为true且指定的密钥已存在,但无法覆盖,则服务器必须返回SSH\u PUBLICKEY\u ACCESS\u DENIED。
Attribute names are defined following the same scheme laid out for algorithm names in [1]. If the server does not implement a critical attribute, it MUST fail the add, with the status code SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED. For the purposes of a critical attribute, mere storage of the attribute is not sufficient -- rather, the server must understand and implement the intent of the attribute.
属性名称的定义与[1]中算法名称的定义相同。如果服务器未实现关键属性,则添加必须失败,状态代码为SSH\u PUBLICKEY\u attribute\u not\u SUPPORTED。对于关键属性而言,仅仅存储该属性是不够的——相反,服务器必须理解并实现该属性的意图。
The following attributes are currently defined:
当前定义了以下属性:
"comment"
“评论”
The value of the comment attribute contains user-specified text about the public key. The server SHOULD make every effort to preserve this value and return it with the key during any subsequent list operation. The server MUST NOT attempt to interpret or act upon the content of the comment field in any way. The comment attribute must be specified in UTF-8 format [7].
comment属性的值包含用户指定的关于公钥的文本。服务器应尽一切努力保留该值,并在任何后续的列表操作中随键返回该值。服务器不得试图以任何方式解释或处理注释字段的内容。注释属性必须以UTF-8格式指定[7]。
The comment field is useful so the user can identify the key without resorting to comparing its fingerprint. This attribute SHOULD NOT be critical.
注释字段非常有用,因此用户可以识别密钥,而无需比较其指纹。此属性不应是关键的。
"comment-language"
“评论语言”
If this attribute is specified, it MUST immediately follow a "comment" attribute and specify the language for that attribute [6]. The client MAY specify more than one comment if it additionally specifies a different language for each of those comments. The server SHOULD attempt to store each comment with its language attribute. This attribute SHOULD NOT be critical.
如果指定了此属性,则它必须紧跟在“comment”属性之后,并指定该属性的语言[6]。如果客户机为每个注释另外指定了不同的语言,则可以指定多个注释。服务器应尝试使用其语言属性存储每个注释。此属性不应是关键的。
"command-override"
“命令覆盖”
"command-override" specifies a command to be executed when this key is in use. The command should be executed by the server when it receives an "exec" or "shell" request from the client, in place of the command or shell which would otherwise have been executed as a result of that request. If the command string is empty, both "exec" and "shell" requests should be denied. If no "command-override" attribute is specified, all "exec" and "shell" requests should be permitted (as long as they satisfy other security or authorization checks the server may perform). This attribute SHOULD be critical.
“命令覆盖”指定使用此键时要执行的命令。当服务器接收到来自客户端的“exec”或“shell”请求时,该命令应由服务器执行,而不是由该请求执行的命令或shell。如果命令字符串为空,“exec”和“shell”请求都应被拒绝。如果未指定“command override”属性,则应允许所有“exec”和“shell”请求(只要它们满足服务器可能执行的其他安全或授权检查)。这个属性应该是关键的。
"subsystem"
“子系统”
"subsystem" specifies a comma-separated list of subsystems that may be started (using a "subsystem" request) when this key is in use. This attribute SHOULD be critical. If the value is empty, no subsystems may be started. If the "subsystem" attribute is not specified, no restrictions are placed on which subsystems may be started when authenticated using this key.
“subsystem”指定使用此键时可启动(使用“subsystem”请求)的子系统的逗号分隔列表。这个属性应该是关键的。如果该值为空,则不能启动任何子系统。如果未指定“subsystem”属性,则不会对使用此密钥进行身份验证时可启动的子系统设置任何限制。
"x11"
“x11”
"x11" specifies that X11 forwarding may not be performed when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be critical.
“x11”指定在使用此密钥时不能执行x11转发。此属性的属性值字段应为空。这个属性应该是关键的。
"shell"
“壳”
"shell" specifies that session channel "shell" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be critical.
“shell”指定在使用此密钥时应拒绝会话通道“shell”请求。此属性的属性值字段应为空。这个属性应该是关键的。
"exec"
“执行官”
"exec" specifies that session channel "exec" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be critical.
“exec”指定在使用此密钥时应拒绝会话通道“exec”请求。此属性的属性值字段应为空。这个属性应该是关键的。
"agent"
“代理人”
"agent" specifies that session channel "auth-agent-req" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be critical.
“代理”指定在使用此密钥时应拒绝会话通道“auth agent req”请求。此属性的属性值字段应为空。这个属性应该是关键的。
"env"
“环境”
"env" specifies that session channel "env" requests should be denied when this key is in use. The attribute-value field SHOULD be empty for this attribute. This attribute SHOULD be critical.
“env”指定在使用此密钥时应拒绝会话通道“env”请求。此属性的属性值字段应为空。这个属性应该是关键的。
"from"
“来自”
"from" specifies a comma-separated list of hosts from which the key may be used. If a host not in this list attempts to use this key for authorization purposes, the authorization attempt MUST be denied. The server SHOULD make a log entry regarding this. The server MAY provide a method for administrators to disallow the appearance of a host in this list. The server should use whatever method is appropriate for its platform to identify the host -- e.g., for IP-based networks, checking the IP address or performing a reverse DNS lookup. For IP-based networks, it is anticipated that each element of the "from" parameter will take the form of a specific IP address or hostname.
“from”指定可以使用密钥的主机的逗号分隔列表。如果不在此列表中的主机尝试使用此密钥进行授权,则必须拒绝授权尝试。服务器应为此创建一个日志条目。服务器可以为管理员提供一种方法,禁止主机出现在此列表中。服务器应使用适合其平台的任何方法来识别主机,例如,对于基于IP的网络,检查IP地址或执行反向DNS查找。对于基于IP的网络,“from”参数的每个元素都将采用特定IP地址或主机名的形式。
"port-forward"
“前进港”
"port-forward" specifies that no "direct-tcpip" requests should be accepted, except those to hosts specified in the comma-separated list supplied as a value to this attribute. If the value of this attribute is empty, all "direct-tcpip" requests should be refused when using this key. This attribute SHOULD be critical.
“port forward”指定不应接受任何“direct tcpip”请求,除了作为此属性值提供的逗号分隔列表中指定的主机请求。如果此属性的值为空,则使用此键时应拒绝所有“direct tcpip”请求。这个属性应该是关键的。
"reverse-forward"
“反向前进”
"reverse-forward" specifies that no "tcpip-forward" requests should be accepted, except for the port numbers in the comma-separated list supplied as a value to this attribute. If the value of this attribute is empty, all "tcpip-forward" requests should be refused when using this key. This attribute SHOULD be critical.
“反向转发”指定不应接受任何“tcpip转发”请求,除了作为此属性值提供的逗号分隔列表中的端口号。如果此属性的值为空,则在使用此键时应拒绝所有“tcpip forward”请求。这个属性应该是关键的。
In addition to the attributes specified by the client, the server MAY provide a method for administrators to enforce certain attributes compulsorily.
除了客户端指定的属性外,服务器还可以为管理员提供强制执行某些属性的方法。
If the client wishes to remove a public key, the client sends:
如果客户端希望删除公钥,则客户端将发送:
string "remove" string public key algorithm name string public key blob
字符串“删除”字符串公钥算法名称字符串公钥blob
The server MUST attempt to remove the public key for the user from the appropriate location, so that the public key cannot be used for subsequent authentications.
服务器必须尝试从适当的位置删除用户的公钥,以便该公钥不能用于后续身份验证。
If the client wishes to list the known public keys, the client sends:
如果客户端希望列出已知公钥,则客户端发送:
string "list"
字符串“列表”
The server will respond with zero or more of the following responses:
服务器将响应以下零个或多个响应:
string "publickey" string public key algorithm name string public key blob uint32 attribute-count string attrib-name string attrib-value repeated attribute-count times
字符串“publickey”字符串公钥算法名称字符串公钥blob uint32属性计数字符串attrib名称字符串attrib值重复属性计数次数
There is no requirement that the responses be in any particular order. Whilst some server implementations may send the responses in some order, client implementations should not rely on responses being in any order.
没有要求响应按任何特定顺序进行。虽然某些服务器实现可能会以某种顺序发送响应,但客户端实现不应依赖于任何顺序的响应。
Following the last "publickey" response, a status packet MUST be sent.
在最后一个“公钥”响应之后,必须发送一个状态数据包。
Implementations SHOULD support this request.
实现应该支持这个请求。
If the client wishes to know which key attributes the server supports, it sends:
如果客户端希望知道服务器支持哪些密钥属性,则会发送:
string "listattributes"
字符串“listattributes”
The server will respond with zero or more of the following responses:
服务器将响应以下零个或多个响应:
string "attribute" string attribute name boolean compulsory
字符串“属性”字符串属性名称布尔值强制
The "compulsory" field indicates whether this attribute will be compulsorily applied to any added keys (irrespective of whether the attribute has been specified by the client) due to administrative settings on the server. If the server does not support administrative settings of this nature, it MUST return false in the compulsory field. An example of use of the "compulsory" attribute would be a server with a configuration file specifying that the user is not permitted shell access. Given this, the server would return the "shell" attribute, with "compulsory" marked true. Whatever attributes the user subsequently asked the server to apply to their key, the server would also apply the "shell" attribute, rendering it impossible for the user to use a shell.
“强制”字段表示由于服务器上的管理设置,是否将此属性强制应用于任何添加的密钥(无论客户端是否指定了该属性)。如果服务器不支持这种性质的管理设置,则必须在必填字段中返回false。使用“强制”属性的一个示例是一个服务器,其配置文件指定不允许用户访问shell。鉴于此,服务器将返回“shell”属性,并将“强制”标记为true。无论用户随后要求服务器对其密钥应用什么属性,服务器也会应用“shell”属性,从而使用户无法使用shell。
Following the last "attribute" response, a status packet MUST be sent.
在最后一个“属性”响应之后,必须发送一个状态数据包。
An implementation MAY choose not to support this request.
实现可能选择不支持此请求。
This protocol assumes that it is run over a secure channel and that the endpoints of the channel have been authenticated. Thus, this protocol assumes that it is externally protected from network-level attacks.
此协议假定它在安全通道上运行,并且通道的端点已通过身份验证。因此,该协议假定它受到外部保护,免受网络级攻击。
This protocol provides a mechanism that allows client authentication data to be uploaded and manipulated. It is the responsibility of the server implementation to enforce any access controls that may be required to limit the access allowed for any particular user (the user being authenticated externally to this protocol, typically using the SSH User Authentication Protocol [3]). In particular, it is possible for users to overwrite an existing key on the server with this protocol, whilst at the same time specifying fewer restrictions for the new key than were previously present. Servers should take care that when doing this, clients are not able to override presets from the server's administrator.
该协议提供了一种机制,允许上载和操作客户端身份验证数据。服务器实现的责任是实施可能需要的任何访问控制,以限制任何特定用户(通过此协议进行外部身份验证的用户,通常使用SSH用户身份验证协议[3])所允许的访问。特别是,用户可以使用此协议覆盖服务器上的现有密钥,同时为新密钥指定比以前更少的限制。服务器应注意,执行此操作时,客户端无法覆盖服务器管理员提供的预设。
This protocol requires the client to assume that the server will correctly implement and observe attributes applied to keys. Implementation errors in the server could cause clients to authorize keys for access they were not intended to have, or to apply fewer restrictions than were intended.
此协议要求客户端假定服务器将正确实现并观察应用于密钥的属性。服务器中的实现错误可能会导致客户端授权密钥进行他们不打算拥有的访问,或者应用比预期更少的限制。
This section contains conventions used in naming the namespaces, the initial state of the registry, and instructions for future assignments.
本节包含命名名称空间时使用的约定、注册表的初始状态以及将来分配的说明。
Consistent with Section 4.9.5 of [8], this document makes the following registration:
根据[8]第4.9.5节,本文件进行了以下登记:
The subsystem name "publickey".
子系统名称为“公钥”。
In the following sections, the values for the namespaces are textual. The conventions and instructions to the IANA for future assignments are given in this section. The initial assignments are given in their respective sections.
在以下部分中,名称空间的值是文本的。本节给出了IANA未来任务的约定和说明。最初的作业在各自的章节中给出。
All names registered by the IANA in the following sections MUST be printable US-ASCII strings, and MUST NOT contain the characters at-sign ("@"), comma (","), or whitespace or control characters (ASCII codes 32 or less). Names are case-sensitive, and MUST NOT be longer than 64 characters.
IANA在以下章节中注册的所有名称必须是可打印的US-ASCII字符串,并且不得包含符号(“@”)、逗号(“,”)处的字符,或空格或控制字符(ASCII代码32或更少)。名称区分大小写,长度不得超过64个字符。
A provision is made here for locally extensible names. The IANA will not register and will not control names with the at-sign in them. Names with the at-sign in them will have the format of "name@domainname" (without the double quotes) where the part preceding the at-sign is the name. The format of the part preceding the at-sign is not specified; however, these names MUST be printable US-ASCII strings, and MUST NOT contain the comma character (","), or whitespace, or control characters (ASCII codes 32 or less). The part following the at-sign MUST be a valid, fully qualified Internet domain name [10] controlled by the person or organization defining the name. Names are case-sensitive, and MUST NOT be longer than 64 characters. It is up to each domain how it manages its local namespace. It has been noted that these names resemble STD 11 [9] email addresses. This is purely coincidental and actually has nothing to do with STD 11 [9]. An example of a locally defined name is "our-attribute@example.com" (without the double quotes).
这里规定了本地可扩展名称。IANA不会注册,也不会控制at登录的名称。带有at符号的名称的格式为“name@domainname“(不带双引号),其中at符号前的部分为名称。未规定at标志前面部分的格式;但是,这些名称必须是可打印的US-ASCII字符串,并且不得包含逗号字符(“,”)或空格或控制字符(ASCII代码32或更少)。at标志后面的部分必须是由定义名称的个人或组织控制的有效、完全限定的互联网域名[10]。名称区分大小写,长度不得超过64个字符。如何管理其本地名称空间取决于每个域。已经注意到,这些名称类似于STD 11[9]电子邮件地址。这纯粹是巧合,实际上与STD 11[9]无关。本地定义名称的一个示例是“我们的-attribute@example.com“(不带双引号)。
Requests for assignments of new Names MUST be done through the IETF Consensus method as described in [11].
分配新名称的请求必须通过[11]中所述的IETF协商一致方法完成。
The following table lists the initial assignments of Public Key Subsystem Request names.
下表列出了公钥子系统请求名称的初始分配。
Request Name
-------------
version
add
remove
list
listattributes
Request Name
-------------
version
add
remove
list
listattributes
The following table lists the initial assignments of Public Key Subsystem Response names.
下表列出了公钥子系统响应名称的初始分配。
Response Name
--------------
version
status
publickey
attribute
Response Name
--------------
version
status
publickey
attribute
Attributes are used to define properties or restrictions for public keys. The following table lists the initial assignments of Public Key Subsystem Attribute names.
属性用于定义公钥的属性或限制。下表列出了公钥子系统属性名称的初始分配。
Attribute Name
---------------
comment
comment-language
command-override
subsystem
x11
shell
exec
agent
env
from
port-forward
reverse-forward
Attribute Name
---------------
comment
comment-language
command-override
subsystem
x11
shell
exec
agent
env
from
port-forward
reverse-forward
The status code is a byte value, describing the status of a request.
状态代码是一个字节值,描述请求的状态。
Status responses have status codes in the range 0 to 255. These numbers are allocated as follows. Of these, the range 192 to 255 is reserved for use by local, private extensions.
状态响应的状态代码范围为0到255。这些数字分配如下。其中,192到255的范围保留供本地专用扩展使用。
The following table identifies the initial assignments of the Public Key Subsystem status code values.
下表确定了公钥子系统状态代码值的初始分配。
Status code Value Reference
------------ ----- ---------
SSH_PUBLICKEY_SUCCESS 0
SSH_PUBLICKEY_ACCESS_DENIED 1
SSH_PUBLICKEY_STORAGE_EXCEEDED 2
SSH_PUBLICKEY_VERSION_NOT_SUPPORTED 3
SSH_PUBLICKEY_KEY_NOT_FOUND 4
SSH_PUBLICKEY_KEY_NOT_SUPPORTED 5
SSH_PUBLICKEY_KEY_ALREADY_PRESENT 6
SSH_PUBLICKEY_GENERAL_FAILURE 7
SSH_PUBLICKEY_REQUEST_NOT_SUPPORTED 8
SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED 9
Status code Value Reference
------------ ----- ---------
SSH_PUBLICKEY_SUCCESS 0
SSH_PUBLICKEY_ACCESS_DENIED 1
SSH_PUBLICKEY_STORAGE_EXCEEDED 2
SSH_PUBLICKEY_VERSION_NOT_SUPPORTED 3
SSH_PUBLICKEY_KEY_NOT_FOUND 4
SSH_PUBLICKEY_KEY_NOT_SUPPORTED 5
SSH_PUBLICKEY_KEY_ALREADY_PRESENT 6
SSH_PUBLICKEY_GENERAL_FAILURE 7
SSH_PUBLICKEY_REQUEST_NOT_SUPPORTED 8
SSH_PUBLICKEY_ATTRIBUTE_NOT_SUPPORTED 9
Requests for assignments of new status codes in the range of 0 to 191 MUST be done through the Standards Action method as described in [11].
对于0到191范围内的新状态代码的分配请求必须通过[11]中所述的标准行动方法完成。
The IANA will not control the status code range of 192 through 255. This range is for private use.
IANA不会控制状态代码范围192到255。这个范围是供私人使用的。
[1] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Protocol Architecture", RFC 4251, January 2006.
[1] Ilonen,T.和C.Lonvick,“安全外壳(SSH)协议架构”,RFC 42512006年1月。
[2] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Transport Layer Protocol", RFC 4253, January 2006.
[2] Ilonen,T.和C.Lonvick,“安全外壳(SSH)传输层协议”,RFC 4253,2006年1月。
[3] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Authentication Protocol", RFC 4252, January 2006.
[3] Ilonen,T.和C.Lonvick,“安全外壳(SSH)认证协议”,RFC 4252,2006年1月。
[4] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH) Connection Protocol", RFC 4254, January 2006.
[4] Ilonen,T.和C.Lonvick,“安全外壳(SSH)连接协议”,RFC 4254,2006年1月。
[5] Bradner, S., "Key words for use in RFCs to Indicate Requirement Levels", BCP 14, RFC 2119, March 1997.
[5] Bradner,S.,“RFC中用于表示需求水平的关键词”,BCP 14,RFC 2119,1997年3月。
[6] Phillips, A. and M. Davis, "Tags for Identifying Languages", BCP 47, RFC 4646, September 2006.
[6] Phillips,A.和M.Davis,“识别语言的标签”,BCP 47,RFC 46462006年9月。
[7] Yergeau, F., "UTF-8, a transformation format of ISO 10646", STD 63, RFC 3629, November 2003.
[7] Yergeau,F.,“UTF-8,ISO 10646的转换格式”,STD 63,RFC 3629,2003年11月。
[8] Lehtinen, S. and C. Lonvick, "The Secure Shell (SSH) Protocol Assigned Numbers", RFC 4250, January 2006.
[8] Lehtinen,S.和C.Lonvick,“安全外壳(SSH)协议分配编号”,RFC 4250,2006年1月。
[9] Crocker, D., "Standard for the format of ARPA Internet text messages", STD 11, RFC 822, August 1982.
[9] Crocker,D.,“ARPA互联网文本信息格式标准”,STD 11,RFC 822,1982年8月。
[10] Mockapetris, P., "Domain names - concepts and facilities", STD 13, RFC 1034, November 1987.
[10] Mockapetris,P.,“域名-概念和设施”,STD 13,RFC 1034,1987年11月。
[11] Narten, T. and H. Alvestrand, "Guidelines for Writing an IANA Considerations Section in RFCs", BCP 26, RFC 2434, October 1998.
[11] Narten,T.和H.Alvestrand,“在RFCs中编写IANA注意事项部分的指南”,BCP 26,RFC 2434,1998年10月。
Brent McClure contributed to the writing of this document.
Brent McClure为本文件的编写做出了贡献。
Authors' Addresses
作者地址
Joseph Galbraith VanDyke Software 4848 Tramway Ridge Blvd Suite 101 Albuquerque, NM 87111 US
Joseph Galbraith VanDyke Software 4848美国新墨西哥州阿尔伯克基索道桥大道101号套房,邮编87111
Phone: +1 505 332 5700
EMail: galb@vandyke.com
Phone: +1 505 332 5700
EMail: galb@vandyke.com
Jeff P. Van Dyke VanDyke Software 4848 Tramway Ridge Blvd Suite 101 Albuquerque, NM 87111 US
Jeff P.Van Dyke VanDyke Software 4848美国新墨西哥州阿尔伯克基市电车桥大道101号套房87111
Phone: +1 505 332 5700
EMail: jpv@vandyke.com
Phone: +1 505 332 5700
EMail: jpv@vandyke.com
Jon Bright Silicon Circus 24 Jubilee Road Chichester, West Sussex PO19 7XB UK
英国西苏塞克斯郡奇切斯特朱比利路24号Jon Bright Silicon Circus PO19 7XB
Phone: +49 172 524 0521
EMail: jon@siliconcircus.com
Phone: +49 172 524 0521
EMail: jon@siliconcircus.com
Full Copyright Statement
完整版权声明
Copyright (C) The IETF Trust (2007).
版权所有(C)IETF信托基金(2007年)。
This document is subject to the rights, licenses and restrictions contained in BCP 78, and except as set forth therein, the authors retain all their rights.
本文件受BCP 78中包含的权利、许可和限制的约束,除其中规定外,作者保留其所有权利。
This document and the information contained herein are provided on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, THE IETF TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
本文件及其包含的信息以“原样”为基础提供,贡献者、他/她所代表或赞助的组织(如有)、互联网协会、IETF信托基金和互联网工程任务组不承担任何明示或暗示的担保,包括但不限于任何保证,即使用本文中的信息不会侵犯任何权利,或对适销性或特定用途适用性的任何默示保证。
Intellectual Property
知识产权
The IETF takes no position regarding the validity or scope of any Intellectual Property Rights or other rights that might be claimed to pertain to the implementation or use of the technology described in this document or the extent to which any license under such rights might or might not be available; nor does it represent that it has made any independent effort to identify any such rights. Information on the procedures with respect to rights in RFC documents can be found in BCP 78 and BCP 79.
IETF对可能声称与本文件所述技术的实施或使用有关的任何知识产权或其他权利的有效性或范围,或此类权利下的任何许可可能或可能不可用的程度,不采取任何立场;它也不表示它已作出任何独立努力来确定任何此类权利。有关RFC文件中权利的程序信息,请参见BCP 78和BCP 79。
Copies of IPR disclosures made to the IETF Secretariat and any assurances of licenses to be made available, or the result of an attempt made to obtain a general license or permission for the use of such proprietary rights by implementers or users of this specification can be obtained from the IETF on-line IPR repository at http://www.ietf.org/ipr.
向IETF秘书处披露的知识产权副本和任何许可证保证,或本规范实施者或用户试图获得使用此类专有权利的一般许可证或许可的结果,可从IETF在线知识产权存储库获取,网址为http://www.ietf.org/ipr.
The IETF invites any interested party to bring to its attention any copyrights, patents or patent applications, or other proprietary rights that may cover technology that may be required to implement this standard. Please address the information to the IETF at ietf-ipr@ietf.org.
IETF邀请任何相关方提请其注意任何版权、专利或专利申请,或其他可能涵盖实施本标准所需技术的专有权利。请将信息发送至IETF的IETF-ipr@ietf.org.
Acknowledgement
确认
Funding for the RFC Editor function is currently provided by the Internet Society.
RFC编辑功能的资金目前由互联网协会提供。