|firstname.lastname@example.org <email@example.com>||2015-01-26 03:04:45 +0000|
|committer||Damien Miller <firstname.lastname@example.org>||2015-01-27 00:00:57 +1100|
Host key rotation support. Add a email@example.com protocol extension (global request) for a server to inform a client of all its available host keys after authentication has completed. The client may record the keys in known_hosts, allowing it to upgrade to better host key algorithms and a server to gracefully rotate its keys. The client side of this is controlled by an UpdateHostkeys config option (default on). ok markus@
Diffstat (limited to 'PROTOCOL')
1 files changed, 23 insertions, 1 deletions
@@ -282,6 +282,28 @@ by the client cancel the forwarding of a Unix domain socket.
string socket path
+2.5. connection: hostkey update and rotation "firstname.lastname@example.org"
+OpenSSH supports a protocol extension allowing a server to inform
+a client of all its protocol v.2 hostkeys after user-authentication
+ byte SSH_MSG_GLOBAL_REQUEST
+ string "email@example.com"
+ string hostkeys
+Upon receiving this message, a client may update its known_hosts
+file, adding keys that it has not seen before and deleting keys
+for the server host that are no longer offered.
+This extension allows a client to learn key types that it had
+not previously encountered, thereby allowing it to potentially
+upgrade from weaker key algorithms to better ones. It also
+supports graceful key rotation: a server may offer multiple keys
+of the same type for a period (to give clients an opportunity to
+learn them using this extension) before removing the deprecated
+key from those offered.
3. SFTP protocol changes
3.1. sftp: Reversal of arguments to SSH_FXP_SYMLINK
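Review bot: the wire format in this section is underspecified; the request body is shown as a single `string hostkeys`, but the prose speaks of "all its protocol v.2 hostkeys", so the text should say how several keys are carried (for example, one `string` public key blob per key, repeated until the end of the packet) and whether `want reply` is set. A second point is the known_hosts deletion rule: "deleting keys for the server host that are no longer offered" lets a server that has been authenticated once remove every other entry the client holds, so the section should state that removal is only expected when the client was authenticated with one of the keys in the list, and it would be worth stating that a client should not trust a newly advertised key without the server demonstrating possession of the corresponding private key, since nothing in the message as described proves that. Minor: the section title ends without a period and the other sections in this file are separated by a blank line; match that layout.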
@@ -406,4 +428,4 @@ respond with a SSH_FXP_STATUS message.
This extension is advertised in the SSH_FXP_VERSION hello with version
-$OpenBSD: PROTOCOL,v 1.24 2014/07/15 15:54:14 millert Exp $
+$OpenBSD: PROTOCOL,v 1.25 2015/01/26 03:04:45 djm Exp $