IETF-SSH archive
Re: OpenSSH/scp ->> F-Secure SSH server Problems
On Tue, Mar 13, 2001 at 08:25:49PM -0800, Jason R Thorpe wrote:
> > Well, maybe, but sftp, at least in SSH, currently relies on the
> > "built-in subsystem" feature.
>
> Actually, I don't think that's so -- it only needs a bi-directional,
> stream-oriented communication endpoint, right?

yes, you are right.

> "Subsystem" is merely
> the mechanism that the SSH protocol uses to create that endpoint and
> start the SFTP server.

you could use an "exec" request as well, but then you need to have
sftp-server in the path or know the full pathname on the remote host
(OpenSSH's sftp client allows this as a proof of concept). "subsystem"
just allows an additional level of indirection. it also allows easy
restriction, e.g. a user is allowed to send requests only for this
and that subsystem.

> Now, a given implementation may choose to make the SFTP server
> a built-in of the SSH server -- but that is not required.

this is useful if you need tighter control over the 'sftp server process'.

> I think the problem is the terminology -- "subsystem" ... I think the
> term "service" would be better ("Hi, please run this service over this
> secure transport"), maybe, but it's probably a little too late to change
> it.

the term "service" is already used at a different layer.
currently there are 2 "services" defined:
	"ssh-userauth"
and
	"ssh-connection"

However, I think that the term "connection" is a little bit confusing,
since the "SSH Connection Protocol" draft only talks about "channels", so
it's really an "SSH Channel Protocol" (e.g. draft-ietf-secsh-channel).

-markus
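
Added example, not part of the original message and not OpenSSH code: the "subsystem" and "exec" channel requests discussed above, encoded as the connection protocol was later published in RFC 4254, with a server-side check that permits only listed subsystems. The SUBSYSTEMS table, its path, and the function names are assumptions made for illustration.

```python
import struct

SSH_MSG_CHANNEL_REQUEST = 98  # message number assigned in RFC 4254

# Constructed server-side table: subsystem name -> program to start (path is a placeholder).
SUBSYSTEMS = {"sftp": "/usr/libexec/sftp-server"}

def ssh_string(data: bytes) -> bytes:
    """SSH 'string' type: uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data

def build_channel_request(channel, req_type, arg, want_reply=True):
    """Encode a "subsystem" or "exec" request; both share one layout."""
    return (bytes([SSH_MSG_CHANNEL_REQUEST]) + struct.pack(">I", channel)
            + ssh_string(req_type.encode()) + bytes([want_reply])
            + ssh_string(arg.encode()))

def _read_string(buf, off):
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("truncated string")
    return buf[off + 4:off + 4 + n], off + 4 + n

def parse_channel_request(pkt):
    """Return (channel, request type, want_reply, argument) or raise ValueError."""
    if len(pkt) < 5 or pkt[0] != SSH_MSG_CHANNEL_REQUEST:
        raise ValueError("not a channel request")
    (channel,) = struct.unpack_from(">I", pkt, 1)
    req_type, off = _read_string(pkt, 5)
    if off >= len(pkt):
        raise ValueError("missing want_reply byte")
    arg, end = _read_string(pkt, off + 1)
    if end != len(pkt):
        raise ValueError("trailing bytes")
    return channel, req_type.decode("ascii"), pkt[off] != 0, arg.decode("utf-8")

def authorize(pkt, allowed_subsystems, allow_exec=False):
    """Return the program the server would start, or None when refused."""
    try:
        _, req_type, _, arg = parse_channel_request(pkt)
    except ValueError:  # also covers UnicodeDecodeError
        return None
    if req_type == "subsystem" and arg in allowed_subsystems:
        return SUBSYSTEMS.get(arg)  # indirection: the client never names a path
    if req_type == "exec" and allow_exec:
        return arg                  # the client must know the remote pathname
    return None
```

With "exec" disabled and only "sftp" allowed, the client can start the file transfer server but cannot choose which binary runs.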