IETF-SSH archive
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
SSH URI Draft
Hello,
Attached is a revised draft of the SSH URI proposal.
This draft removes the SCP and SFTP URI sections, adds an example, and
updates the status of some of the references as well as changes for new
IETF requirements, among other changes.
Please let me know any feedback on the draft. After a short period I'll
be submitting it to the IETF.
Note that this draft is currently named as an individual submission. If
we find that it should go within another WG then it may be renamed as
appropriate.
Here are previous drafts:
http://tools.ietf.org/wg/secsh/draft-ietf-secsh-scp-sftp-ssh-uri/
Steve
Network Working Group J. Salowey
Internet-Draft Cisco Systems
Intended Status: Proposed Standard S. Suehring
Expires: April 9, 2010 October 6, 2009
Uniform Resource Identifier (URI) Scheme for Secure Shell (SSH)
draft-suehring-sshuri-00.txt
Status of this Memo
This Internet-Draft is submitted to IETF in full conformance with the
provisions of BCP 78 and BCP 79. This document may contain material
from IETF Documents or IETF Contributions published or made publicly
available before November 10, 2008. The person(s) controlling the
copyright in some of this material may not have granted the IETF
Trust the right to allow modifications of such material outside the
IETF Standards Process. Without obtaining an adequate license from
the person(s) controlling the copyright in such materials, this
document may not be modified outside the IETF Standards Process, and
derivative works of it may not be created outside the IETF Standards
Process, except to format it for publication as an RFC or to
translate it into languages other than English.
Internet-Drafts are working documents of the Internet Engineering
Task Force (IETF), its areas, and its working groups. Note that
other groups may also distribute working documents as Internet-
Drafts.
Internet-Drafts are draft documents valid for a maximum of six months
and may be updated, replaced, or obsoleted by other documents at any
time. It is inappropriate to use Internet-Drafts as reference
material or to cite them other than as "work in progress."
The list of current Internet-Drafts can be accessed at
http://www.ietf.org/ietf/1id-abstracts.txt.
The list of Internet-Draft Shadow Directories can be accessed at
http://www.ietf.org/shadow.html.
Abstract
This document describes the Uniform Resource Identifiers used to
locate resources for the Secure Shell (SSH) protocol. The document
describes the generic syntax involved in URI definitions as well as
specific definitions for the protocol. The specific definition
may include user credentials such as username and also may include
other parameters such as host key fingerprint. In addition,
security considerations and examples are also provided within this
document.
Salowey & Suehring Expires April 9, 2010 [Page 1]
�
Internet-Draft URI Scheme for SSH October 2009
Table of Contents
1. Introduction . . . . . . . . . . . . . . . . . . . . . . . . 3
2. Conventions Used in This Document. . . . . . . . . . . . . . 3
3. General Syntax . . . . . . . . . . . . . . . . . . . . . . . 3
4. Secure Shell (SSH) URI . . . . . . . . . . . . . . . . . . . 3
4.1 Scheme Name . . . . . . . . . . . . . . . . . . . . . . . 3
4.2 Status . . . . . . . . . . . . . . . . . . . . . . . . . . 3
4.3 URI Scheme Syntax . . . . . . . . . . . . . . . . . . . . 3
4.4 URI Semantics . . . . . . . . . . . . . . . . . . . . . . 4
4.5 Encoding Considerations . . . . . . . . . . . . . . . . . 4
4.6 Protocols using this URI scheme . . . . . . . . . . . . . 4
4.7 Security Considerations . . . . . . . . . . . . . . . . . 4
4.8 Contact . . . . . . . . . . . . . . . . . . . . . . . . . 5
5. Parameters . . . . . . . . . . . . . . . . . . . . . . . . . 5
5.1 SSH connection parameters . . . . . . . . . . . . . . . . 5
6. Examples . . . . . . . . . . . . . . . . . . . . . . . . . . 5
7. IANA Considerations . . . . . . . . . . . . . . . . . . . . 6
8. Security Considerations . . . . . . . . . . . . . . . . . . 6
9. Acknowledgements . . . . . . . . . . . . . . . . . . . . . . 6
10. References . .. . . . . . . . . . . . . . . . . . . . . . . 7
10.1 Normative References . .. . . . . . . . . . . . . . . . 7
10.2 Informative References . . . . . . . . . . . . . . . . 7
Authors' Addresses . . . . . . . . . . . . . . . . . . . . . 7
Intellectual Property and Copyright Statements . . . . . . . 8
Salowey & Suehring Expires April 9, 2010 [Page 2]
�
Internet-Draft URI Scheme for SSH October 2009
1. Introduction
This document describes the Uniform Resource Identifiers (URIs) to be
used with the Secure Shell (SSH) [RFC4251] protocol.
2. Conventions Used in This Document
The key words "MUST", "MUST NOT", "REQUIRED", "SHALL", "SHALL NOT",
"SHOULD", "SHOULD NOT", "RECOMMENDED", "MAY", and "OPTIONAL" in
this document are to be interpreted as described in RFC 2119.
3. General Syntax
A hierarchical URI shall consist of the scheme and the scheme
specific portion separated by a colon ":" followed by the
hierarchical part, as discussed in [RFC3986]. This specification
uses the definitions "port", "host", "scheme", "userinfo", "path-
empty", "path-abempty" and "authority" from [RFC3986]. This document
follows the ABNF notation defined in [RFC5234].
4. Secure Shell (SSH) URI
This section describes the SSH URI and contains the information
necessary to register the URI according to the template in [RFC4395].
4.1 Scheme Name
The Secure Shell scheme name is "ssh".
4.2 Status
The requested status of the SSH URI is "permanent".
4.3 URI Scheme Syntax
The Secure Shell (SSH) scheme shall consist of the scheme name "ssh"
followed by a colon ":" followed by hier-part defined in [RFC3986].
The SSH URI ABNF definition follows.
sshURI = "ssh:" hier-part
hier-part = "//" authority path-abempty
authority = [ [ ssh-info ] "@" ] host [ ":" port ]
host = <as specified in [RFC3986]>
port = <as specified in [RFC3986]>
path-abempty = <as specified in [RFC3986]>
ssh-info = [ userinfo ] [";" c-param *("," c-param)]
userinfo = <as specified in [RFC3986]>
c-param = paramname "=" paramvalue
paramname = *( ALPHA / DIGIT / "-" )
paramvalue = *( ALPHA / DIGIT / "-" )
Salowey & Suehring Expires April 9, 2010 [Page 3]
�
Internet-Draft URI Scheme for SSH October 2009
The following reserved characters from [RFC3986] are used as
delimiters within the SSH URI: ";", ",", ":", "=", and "/". They
must not be escaped when used as delimiters and must be escaped when
the appear in other uses.
4.4 URI Semantics
The intended usage of the SSH URI is to establish an interactive SSH
terminal session with the host defined in the authority portion of
the URI. The only operation defined for the URI is to establish an
SSH terminal session with a remote host.
If the userinfo or connection parameters are present the at-sign "@"
shall precede the authority section of the URI. Optionally, the
authority section MAY also include the port preceded by a colon ":".
The host SHOULD be a non-empty string. If the port is not included,
the default port is assumed.
The ssh-info portion of the URI MAY include credentials consisting of
a username followed by optional parameters. The convention of
including the password separated from the username by a ":" in the
URI is NOT RECOMMENDED and is deprecated in accordance with
[RFC3986].
One or more optional connection parameters (c-param) may be specified
within the userinfo section of the URI. These conn-parameters are
separated from the userinfo by a semi-colon ";". The only connection
parameter defined in this document is for the host-key fingerprint
described in Section 4.1. It is possible that additional parameters
be defined in the future. If a connection parameter is not
understood it SHOULD be ignored.
The SSH URI does not define a usage for a non-empty path element. If
a non-empty path element is included in an SSH URI then it SHOULD be
ignored.
4.5 Encoding Considerations
The encoding of the "host" portion of the URI is as defined in
[RFC3986]. The encoding of the connection parameters is described in
Section 4.1
4.6 Protocols using this URI scheme
This URI scheme is used by the SSH protocol version 2 defined in
[RFC4251].
4.7 Security Considerations
See Section 7.
Salowey & Suehring Expires April 9, 2010 [Page 4]
�
Internet-Draft URI Scheme for SSH October 2009
4.8 Contact
This document is a product of the SSH working group.
5. Parameters
5.1 SSH connection parameters
The following parameters are associated with an SSH connection. All
parameters are optional and MUST NOT overwrite configured defaults.
Individual parameters are separated by a comma (",").
fingerprint
The fingerprint parameter contains the fingerprint of the host key
for the host specified in the URI. The fingerprint is encoded as
host-key-alg-fingerprint. Host-key-alg is host public key
algorithm defined in [RFC4253] and the fingerprint format is
[RFC4716]. For use in a URI, the fingerprint shall use a single
dash "-" as a separator instead of the colon ":" as described in
[RFC4716]. This parameter MUST NOT overwrite a key that is
already configured for the host. The fingerprint MAY be used to
validate the authenticity of the host key if the URI was obtained
from an authenticated source with its integrity protected. If
this parameter is not included then the host key is validated
using another method. See Security Considerations section for
additional considerations. There MUST be only one fingerprint
parameter present in a given URI.
6. Examples
The following section shows basic examples of URIs. This section
should not be considered to include all possible combinations of
URIs for each protocol.
An SSH connection to the host host.example.com on the standard port.
ssh://host.example.com
An SSH connection to the host host.example.com on the standard port
using username user.
ssh://user%host.example.com@localhost
An SSH connection to the host host.example.com on port 2222 using
username user.
ssh://user%host.example.com@localhost:2222
An SSH connection to the host having the specified host-key
Salowey & Suehring Expires April 9, 2010 [Page 5]
�
Internet-Draft URI Scheme for SSH October 2009
fingerprint at host.example.com on the standard port using username
user.
ssh://user;fingerprint=ssh-dss-c1-b1-30-29-d7-b8-de-6c-97-
77-10-d7-46-41-63-87%host.example.com@localhost
7. IANA Considerations
Section 3 provides the information required in the URI registration
template in accordance with [RFC4395].
8. Security Considerations
Passwords SHOULD NOT be included within the URI as doing so poses a
security risk. URIs are usually sent in the clear with no encryption
or other security, any password or other credentials included in the
userinfo could be seen by a potential attacker.
Although the host-key fingerprint is not confidential information,
care must be taken in handling fingerprints associated with URIs
because URIs transmitted or stored without protection may be modified
by an attacker. In general an implementation cannot determine the
source of a URI so a fingerprint received in a URI should have no
more trust associated with it than a raw public key received in the
SSH protocol itself. If a locally configured key exists for the
server already it MUST NOT be automatically overwritten with
information from the URI. If the host is unknown then the
implementation should treat the fingerprint received with the same
caution that it does with any unknown public key. The client MAY
offer the fingerprint and URI for external validation before allowing
a connection based on this information. If the client chooses to
make a connection based on the URI information and it finds that the
fingerprint in the URI and the public key offered by the server do
not match then it SHOULD provide a warning and provide a means to
abort the connection. Sections 4.1 and 9.2.4 of [RFC4251] provide a
good discussion of handling public keys received in the SSH protocol.
9. Acknowledgements
Ben Harris, Tom Petch and the members of the SSH working group have
provided much useful feedback in the preparation of this document.
Salowey & Suehring Expires April 9, 2010 [Page 6]
�
Internet-Draft URI Scheme for SSH October 2009
10. References
10.1 Normative References
[RFC4716]
Galbraith, J. and R. Thayer, "The Secure Shell (SSH)
Public Key File Format", RFC 4716, November 2006.
[RFC3986] Berners-Lee, T., Fielding, R., and L. Masinter, "Uniform
Resource Identifier (URI): Generic Syntax", STD 66,
RFC 3986, January 2005.
[RFC5234] Crocker, D. and P. Overell, "Augmented BNF for Syntax
Specifications: ABNF", RFC 5234, October 2005.
[RFC4251] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Protocol Architecture", RFC 4251, January 2006.
[RFC4253] Ylonen, T. and C. Lonvick, "The Secure Shell (SSH)
Transport Layer Protocol", RFC 4253, January 2006.
10.2 Informative References
[RFC4395]
Hansen, T., "Guidelines and Registration Procedures for
new URI Schemes", RFC 4395, February 2006.
Authors' Addresses
Joseph Salowey
Cisco Systems
2901 3rd Ave
Seattle, WA 98121
US
Email: jsalowey%cisco.com@localhost
Steve Suehring
PO BOX 1033
Stevens Point, WI 54481
US
Email: suehring%braingia.com@localhost
Salowey & Suehring Expires April 9, 2010 [Page 7]
�
Internet-Draft URI Scheme for SSH October 2009
Copyright and License Notice
Copyright (c) 2009 IETF Trust and the persons identified as the
document authors. All rights reserved.
This document is subject to BCP 78 and the IETF Trust's Legal
Provisions Relating to IETF Documents in effect on the date of
publication of this document (http://trustee.ietf.org/license-info).
Please review these documents carefully, as they describe your rights
and restrictions with respect to this document.
This document and the information contained herein are provided
on an "AS IS" basis and THE CONTRIBUTOR, THE ORGANIZATION HE/SHE
REPRESENTS OR IS SPONSORED BY (IF ANY), THE INTERNET SOCIETY, IETF
TRUST AND THE INTERNET ENGINEERING TASK FORCE DISCLAIM ALL
WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE
ANY RIGHTS OR ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS
FOR A PARTICULAR PURPOSE.
Salowey & Suehring Expires April 9, 2010 [Page 8]
�
Home |
Main Index |
Thread Index |
Old Index