| author | djm@openbsd.org <djm@openbsd.org> | 2023-12-18 14:45:49 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2023-12-19 01:51:46 +1100 |
| commit | a7ed931caeb68947d30af8a795f4108b6efad761 (patch) | |
| tree | 05b9c1e413acee36b37cbe5a0c4b938d19be595d /PROTOCOL | |
| parent | 1edb00c58f8a6875fad6a497aa2bacf37f9e6cd5 (diff) | |
upstream: add "ext-info-in-auth@openssh.com" extension
This adds another transport protocol extension to allow a sshd to send
SSH2_MSG_EXT_INFO during user authentication, after the server has
learned the username that is being logged in to.
This lets sshd update the acceptable signature algorithms for public
key authentication, and allows these to be varied via sshd_config(5)
"Match" directives, which are evaluated after the server learns the
username being authenticated.
Full details in the PROTOCOL file
OpenBSD-Commit-ID: 1de7da7f2b6c32a46043d75fcd49b0cbb7db7779
Diffstat (limited to 'PROTOCOL')
-rw-r--r-- | PROTOCOL | 21 |
1 files changed, 20 insertions, 1 deletions
@@ -163,6 +163,25 @@ b) After sending or receiving a SSH2_MSG_NEWKEYS message, reset the duration of the connection (i.e. not just the first SSH2_MSG_NEWKEYS). +1.10 transport: SSH2_MSG_EXT_INFO during user authentication + +This protocol extension allows the SSH2_MSG_EXT_INFO to be sent +during user authentication. RFC8308 does allow a second +SSH2_MSG_EXT_INFO notification, but it may only be sent at the end +of user authentication and this is too late to signal per-user +server signature algorithms. + +Support for receiving the SSH2_MSG_EXT_INFO message during user +authentication is signalled by the client including a +"ext-info-in-auth@openssh.com" key via its initial SSH2_MSG_EXT_INFO +set after the SSH2_MSG_NEWKEYS message. + +A server that supports this extension MAY send a second +SSH2_MSG_EXT_INFO message any time after the client's first +SSH2_MSG_USERAUTH_REQUEST, regardless of whether it succeed or fails. +The client SHOULD be prepared to update the server-sig-algs that +it received during an earlier SSH2_MSG_EXT_INFO with the later one. + 2. Connection protocol changes 2.1. connection: Channel write close extension "eow@openssh.com" @@ -771,4 +790,4 @@ master instance and later clients. OpenSSH extends the usual agent protocol. These changes are documented in the PROTOCOL.agent file. -$OpenBSD: PROTOCOL,v 1.50 2023/12/18 14:45:17 djm Exp $ +$OpenBSD: PROTOCOL,v 1.51 2023/12/18 14:45:49 djm Exp $ |
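Review bot: the new section 1.10 leaves the client's update rule underspecified in its last paragraph: "The client SHOULD be prepared to update the server-sig-algs that it received during an earlier SSH2_MSG_EXT_INFO with the later one" does not say whether the later list replaces the earlier one wholesale or is merged with it, nor whether the server is limited to one additional SSH2_MSG_EXT_INFO or may send several as successive SSH2_MSG_USERAUTH_REQUEST messages arrive. Since the stated purpose is to narrow the acceptable public-key algorithms once the username (and so the matching sshd_config "Match" block) is known, spelling out "replaces" avoids a client keeping algorithms the server has just withdrawn; consider also stating the sender's obligation (e.g. "A server SHOULD send at most one such message"). Same paragraph, minor grammar: "regardless of whether it succeed or fails" should read "regardless of whether it succeeds or fails".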