IETF-SSH archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: last-call issues..



Markus Friedl writes:
> no. it's an issue of how your sftp-server implementation
> and your sshd talk to each other. the can exchange as many
> cookies as they like before speaking the sftp protocol.
> the sftp _protocol_ does not need to be touched.

I don't really understand what you are saying above. The
transport/connection layer client will talk to transport/connection
layer server. The sftp-client will talk to sftp-server. The
sftp-client/server will NOT talk to the transport/connection layer
server nor client.

The transport/connection layer just assumes that when the subsystem is
started then everything is up to the subsystem to take care of the
input/output, it does not do anything else than pass those bytes from
server to client and vice versa.

The subsystem can assume that it has some connection between the
server and client, and the connection might be transport/connection
layer, but it might be rsh, tls, tcp/ip socket or anything. This
connection is completely transparent, i.e all characters goes thru.

The problem is that in quite common case there is some extra junk
involved before the actual protocol starts (linefeeds, some
warning/debug messages etc), and if the subsystem protocol has clear
and good design it can be ignore that junk, and start processing its
own messages only when it sees for example the version number exchange 
packet from the other end.

> the server implementing sftp can print what ever cookies
> it likes and the sshd has to filter the cookies out.
> but this is not a _protocol_ issue.

If we make it that way, then each subsystem implementation is tied to
each connection layer implementation, i.e you cannot take SSH
Communications Security's sftp-server and run it using lsh server,
because the lsh does not know which kind of cookies the sftp-server is 
going to use.

If we define that it is good protocol desing in the subsystems to
exchange version number etc any fixed packet in the beginning, which
can be used as a "magic cookie", then when the sftp-server of the SSH
Communications Security sends this packet the other ends client can
ignore everything until it sees this byte stream coming from the
connection. The transport/connection layer between does not have to
know anything about the subsystems, the subsystems must know about
each other. 
-- 
kivinen%ssh.fi@localhost                               Work : +358 303 9870
SSH Communications Security                  http://www.ssh.fi/
SSH IPSEC Toolkit                            http://www.ssh.fi/ipsec/



Home | Main Index | Thread Index | Old Index