Context Navigation

source: web/old/remctl-2.14/docs/protocol.txt @ f6f3e91

web

Last change on this file since f6f3e91 was f6f3e91, checked in by Jessica B. Hamrick <jhamrick@…>, 15 years ago
Preserve directory hierarchy (not sure what happened to it)
Property mode set to `100644`
File size: 19.8 KB

Line
1
2
3
4	remctl Protocol R. Allbery
5	Stanford University
6	September 2007
7
8
9	remctl: Remote Authenticated Command Service
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55	Allbery [Page 1]
56
57	remctl September 2007
58
59
60	Abstract
61
62	This document specifies the remctl wire protocol, used to send
63	commands and arguments to a remote system and receive the results of
64	executing that command. The protocol uses GSS-API and Kerberos v5
65	for authentication, confidentiality, and integrity protection. Both
66	the current (version 2) protocol and the older version 1 protocol are
67	described. The version 1 protocol should only be implemented for
68	backward compatibility.
69
70
71	Table of Contents
72
73	1. Basic Packet Format . . . . . . . . . . . . . . . . . . . . . 3
74	2. Network Protocol (version 2) . . . . . . . . . . . . . . . . . 4
75	2.1. Session Sequence . . . . . . . . . . . . . . . . . . . . . 4
76	2.2. Message Format . . . . . . . . . . . . . . . . . . . . . . 5
77	2.3. Protocol Version Negotiation . . . . . . . . . . . . . . . 5
78	2.4. MESSAGE_COMMAND . . . . . . . . . . . . . . . . . . . . . 5
79	2.5. MESSAGE_OUTPUT and MESSAGE_STATUS . . . . . . . . . . . . 7
80	2.6. MESSAGE_ERROR . . . . . . . . . . . . . . . . . . . . . . 7
81	2.7. MESSAGE_QUIT . . . . . . . . . . . . . . . . . . . . . . . 8
82	3. Network Protocol (version 1) . . . . . . . . . . . . . . . . . 9
83	4. Security Considerations . . . . . . . . . . . . . . . . . . . 11
84	Appendix A. Acknowledgements . . . . . . . . . . . . . . . . . . 12
85	Author's Address . . . . . . . . . . . . . . . . . . . . . . . . . 13
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111	Allbery [Page 2]
112
113	remctl September 2007
114
115
116	1. Basic Packet Format
117
118	The remctl network protocol consists of data packets sent from a
119	client to a server or a server to a client over a TCP connection.
120	The remctl protocol may be used over any port, but the IANA-
121	registered port and the RECOMMENDED default for the protocol is 4373.
122	Each data packet has the following format:
123
124	1 octet flags
125	4 octets length
126	<length> data payload
127
128	The total size of each token, including the five octet prefix, MUST
129	NOT be larger than 1,048,576 octets (1MB).
130
131	The flag octet contains one or more of the following values, combined
132	with binary xor:
133
134	0x01 TOKEN_NOOP
135	0x02 TOKEN_CONTEXT
136	0x04 TOKEN_DATA
137	0x08 TOKEN_MIC
138	0x10 TOKEN_CONTEXT_NEXT
139	0x20 TOKEN_SEND_MIC
140	0x40 TOKEN_PROTOCOL
141
142	Only TOKEN_CONTEXT, TOKEN_CONTEXT_NEXT, TOKEN_DATA, and
143	TOKEN_PROTOCOL are used for version 2 packets. The other flags are
144	used only with the legacy version 1 protocol.
145
146	The length field is a four-octet length in network byte order,
147	specifying the number of octets in the following data payload.
148
149	The data payload is empty, the results of gss_accept_sec_context, the
150	results of gss_init_sec_context, or a data payload protected with
151	gss_wrap. The length of the data passed to gss_wrap MUST NOT be
152	larger than 65,536 octets (64KB), even if the underlying Kerberos
153	implementation supports longer input buffers.
154
155
156
157
158
159
160
161
162
163
164
165
166
167	Allbery [Page 3]
168
169	remctl September 2007
170
171
172	2. Network Protocol (version 2)
173
174	2.1. Session Sequence
175
176	A remctl connection is always initiated by a client opening a TCP
177	connection to a server. The protocol then proceeds as follows:
178
179	1. Client sends message with an empty payload and flags TOKEN_NOOP,
180	TOKEN_CONTEXT_NEXT, and TOKEN_PROTOCOL (0x51). If the client
181	doesn't include TOKEN_PROTOCOL, it is speaking the version 1
182	protocol, and the server MUST either drop the connection or fall
183	back to the version 1 protocol. This initial message is useless
184	in a pure version 2 protocol world and is done only for backward
185	compatibility with the version 1 protocol.
186
187	2. Client calls gss_init_sec_context and replies with the results
188	and TOKEN_CONTEXT and TOKEN_PROTOCOL (0x42). The client MUST
189	pass GSS_C_MUTUAL_FLAG, GSS_C_CONF_FLAG, and GSS_C_INTEG_FLAG as
190	requested flags and SHOULD pass GSS_C_REPLAY_FLAG and
191	GSS_C_SEQUENCE_FLAG.
192
193	3. Server replies with the results of gss_accept_sec_context and
194	flags TOKEN_CONTEXT and TOKEN_PROTOCOL (0x42). If the server
195	doesn't include TOKEN_PROTOCOL in the flags, it is speaking the
196	version 1 protocol, and the client MUST either drop the
197	connection or fall back to the version 1 protocol.
198
199	4. Client passes data to gss_init_sec_context and replies with the
200	results and TOKEN_CONTEXT and TOKEN_PROTOCOL (0x42). The client
201	must pass GSS_C_MUTUAL_FLAG, GSS_C_CONF_FLAG, and
202	GSS_C_INTEG_FLAG as requested flags and SHOULD pass
203	GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG.
204
205	5. Server and client repeat, passing in the payload from the last
206	packet from the other side, for as long as GSS-API indicates that
207	continuation is required. If either side drops TOKEN_PROTOCOL
208	from the flags, it is an considered an error and the connect MUST
209	be dropped. (This could be a down-negotiation attack.) After
210	the establishment of the security context, both client and server
211	MUST confirm that GSS_C_MUTUAL_FLAG, GSS_C_CONF_FLAG, and
212	GSS_C_INTEG_FLAG are set in the resulting security context and
213	MUST immediately close the connection if this is not the case.
214
215	6. After the security context has been established, the client and
216	server exchange commands and responses as described below. All
217	commands are sent with flags TOKEN_DATA and TOKEN_PROTOCOL (0x44)
218	and the data payload of all packets is protected with gss_wrap.
219	The conf_req_flag parameter of gss_wrap MUST be set to non-zero,
220
221
222
223	Allbery [Page 4]
224
225	remctl September 2007
226
227
228	requesting both confidentiality and integrity services.
229
230	2.2. Message Format
231
232	All client and server messages will use the following format inside
233	the data payload. This is the format of the message before passing
234	it to gss_wrap for confidentiality and integrity protection.
235
236	1 octet protocol version
237	1 octet message type
238	<command-specific data>
239
240	The protocol version for the version 2 protocol is 2. (Note that the
241	version 1 protocol does not use this message format, and therefore a
242	protocol version of 1 is invalid.) See below for protocol version
243	negotiation.
244
245	The message type is one of the following constants:
246
247	1 MESSAGE_COMMAND
248	2 MESSAGE_QUIT
249	3 MESSAGE_OUTPUT
250	4 MESSAGE_STATUS
251	5 MESSAGE_ERROR
252	6 MESSAGE_VERSION
253
254	The first two message types are client messages and MUST NOT be sent
255	by the server. The remaining message types are server messages and
256	MUST NOT by sent by the client.
257
258	2.3. Protocol Version Negotiation
259
260	If the server ever receives a message from a client that claims a
261	protocol version higher than the server supports, the server MUST
262	otherwise ignore the contents of the message and SHOULD respond with
263	a message type of MESSAGE_VERSION and the following message payload:
264
265	1 octet highest supported version
266
267	The client MUST then either send only messages supported at that
268	protocol version or lower or send MESSAGE_QUIT and close the
269	connection.
270
271	2.4. MESSAGE_COMMAND
272
273	Most client messages will be of type MESSAGE_COMMAND, which has the
274	following format:
275
276
277
278
279	Allbery [Page 5]
280
281	remctl September 2007
282
283
284	1 octet keep-alive flag
285	1 octet continue status
286	4 octets number of arguments
287	4 octets argument length
288	<length> argument
289	...
290
291	If the keep-alive flag is 0, the server SHOULD close the connection
292	after processing the command. If it is 1, the server SHOULD leave
293	the connection open (up to a timeout period) and wait for more
294	commands. This is similar to HTTP keep-alive.
295
296	If the continue status is 1, it indicates that there is more data
297	coming. The server should accept the data sent, buffer or process
298	it, and wait for more data before responding. If the the continue
299	status is 2, it indicates that this message is logically a part of
300	the previous message (which MUST have had a continue status of 1 or
301	2) and still has more data coming. If the continue status is 3, it
302	says that this message is logically part of the previous message,
303	like 2, but it also says that this is the end of the command.
304
305	A continuation of a message starts with the keep-alive flag and
306	continue status and then the next chunk of data. To reconstruct a
307	continued message, remove the first two octets from each chunk and
308	concatenate the pieces together. The result is the portion of a
309	MESSAGE_COMMAND starting with the number of arguments. Messages may
310	be broken into multiple MESSAGE_COMMANDs even in the middle of the
311	number of arguments or an argument length. In other words, the first
312	three octets of the number of arguments could be in the first
313	MESSAGE_COMMAND (with continue status 1) and the last octet would
314	then be in the next MESSAGE_COMMAND (with continue status 2 or 3).
315
316	Number of arguments is a four-octet number in network byte order that
317	gives the total number of command arguments. For each argument,
318	there is then a length and argument data pair, where the length is a
319	four-octet number in network byte order indicating the number of
320	octets of data in the following argument. Argument length may be 0.
321	Commands with no arguments are permitted by the protocol.
322
323	Servers may impose limits on the number of arguments and the size of
324	argument data to limit resource usage. If the client message exceeds
325	one of those limits, the server MUST respond with MESSAGE_ERROR with
326	an error code of ERROR_TOOMANY_ARGS or ERROR_TOOMUCH_DATA as
327	appropriate.
328
329
330
331
332
333
334
335	Allbery [Page 6]
336
337	remctl September 2007
338
339
340	2.5. MESSAGE_OUTPUT and MESSAGE_STATUS
341
342	The server response to MESSAGE_COMMAND is zero or more MESSAGE_OUTPUT
343	messages followed by either a MESSAGE_STATUS or a MESSAGE_ERROR
344	response. Each MESSAGE_OUTPUT message has the following format:
345
346	1 octet output stream
347	4 octets output length
348	<length> output
349
350	The output stream is either 1 for standard output or 2 for standard
351	error. Output length is a four-octet number in network byte order
352	that specifies the length of the following output data.
353
354	The MESSAGE_STATUS message has the following format:
355
356	1 octet exit status
357
358	MESSAGE_STATUS indicates the command has finished and returns the
359	final exit stauts of the command. Exit status is 0 for success and
360	non-zero for failure, where the meaning of non-zero exit statuses is
361	left to the application to define. (This is identical to a Unix
362	command exit status.)
363
364	Unless the MESSAGE_COMMAND message from the client had the keep-alive
365	flag set to 1, the server MUST close the network connection
366	immediately after sending the MESSAGE_STATUS response message.
367
368	2.6. MESSAGE_ERROR
369
370	At any point before sending MESSAGE_STATUS, the server may respond
371	with MESSAGE_ERROR if some error occurred. This can be the first
372	response after a MESSAGE_COMMAND, or it may be sent after one or more
373	MESSAGE_OUTPUT messages. The format of MESSAGE_ERROR is as follows:
374
375	4 octets error code
376	4 octets message length
377	<length> error message
378
379	The error code is a four-octet number in network byte order
380	indicating the type of error. The error code may be one of the
381	following values:
382
383
384
385
386
387
388
389
390
391	Allbery [Page 7]
392
393	remctl September 2007
394
395
396	1 ERROR_INTERNAL Internal server failure
397	2 ERROR_BAD_TOKEN Invalid format in token
398	3 ERROR_UNKNOWN_MESSAGE Unknown message type
399	4 ERROR_BAD_COMMAND Invalid command format in token
400	5 ERROR_UNKNOWN_COMMAND Unknown command
401	6 ERROR_ACCESS Access denied
402	7 ERROR_TOOMANY_ARGS Argument count exceeds server limit
403	8 ERROR_TOOMUCH_DATA Argument size exceeds server limit
404
405	Additional error codes may be added without changing the version of
406	the remctl protocol, so clients MUST accept error codes other than
407	the ones above.
408
409	The message length is a four-octet number in network byte order that
410	specifies the length in octets of the following error message. The
411	error message is a free-form informational message intended for human
412	consumption and MUST NOT be interpreted by an automated process.
413	Software should instead use the error code.
414
415	Unless the MESSAGE_COMMAND message from the client had the keep-alive
416	flag set to 1, the server MUST close the network connection
417	immediately after sending the MESSAGE_ERROR response message.
418	Otherwise, the server SHOULD still honor that flag, although the
419	server MAY terminate the connection after an unreasonable number of
420	errors.
421
422	2.7. MESSAGE_QUIT
423
424	MESSAGE_QUIT is a way of terminating the connection cleanly if the
425	client asked for keep-alive and then decided not to use it. There is
426	no message body. Upon receiving this message, the server MUST
427	immediately close the connection.
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447	Allbery [Page 8]
448
449	remctl September 2007
450
451
452	3. Network Protocol (version 1)
453
454	The old network protocol supported only 64KB of data payload, only a
455	single command and response, and had some additional unnecessary
456	protocol components. It SHOULD NOT be used by clients, but MAY be
457	supported by servers for backward compatibility. It is recognized by
458	the server and client by the lack of TOKEN_PROTOCOL in the flags of
459	the initial security context negotiation.
460
461	The old protocol always uses the following steps:
462
463	1. Client opens TCP connection to server.
464
465	2. Client sends message with flags TOKEN_NOOP and
466	TOKEN_CONTEXT_NEXT and an empty payload.
467
468	3. Client calls gss_init_sec_context and sends message with the
469	results and flags TOKEN_CONTEXT. The client MUST pass
470	GSS_C_MUTUAL_FLAG, GSS_C_CONF_FLAG, and GSS_C_INTEG_FLAG as
471	requested flags and SHOULD pass GSS_C_REPLAY_FLAG and
472	GSS_C_SEQUENCE_FLAG, although the version one protocol does not
473	check the results of this negotiation.
474
475	4. Server replies with the results of gss_accept_sec_context and
476	flags TOKEN_CONTEXT.
477
478	5. Client calls gss_init_sec_context again with the data from the
479	server and replies with the results and flags TOKEN_CONTEXT,
480	using the same requested flags as described above.
481
482	6. Server and client repeat, passing in the payload from the last
483	packet from the other side, for as long as GSS-API indicates
484	that continuation is required. Each of these packets have only
485	TOKEN_CONTEXT set in the flags.
486
487	7. Client sends command with flags TOKEN_DATA and TOKEN_SEND_MIC
488	and the following payload format: four-octet number of
489	arguments, and then for each argument, a four-octet length and
490	then the argument value. All numbers are in network type order.
491	The payload MUST be protected with gss_wrap and the
492	conf_req_flag parameter of gss_wrap MUST be set to non-zero,
493	requesting both confidentiality and integrity services.
494
495	8. Server accepts and decrypts data, generates a MIC with
496	gss_get_mic, and sends the MIC back to the client with flags
497	TOKEN_MIC. This is the only packet that isn't encrypted with
498	gss_wrap. Client receives and then SHOULD verify this MIC.
499
500
501
502
503	Allbery [Page 9]
504
505	remctl September 2007
506
507
508	9. Server runs the command, collects the output, and sends the
509	output back with flags TOKEN_DATA and the following payload
510	format: four-octet exit status, four-octet data length, data.
511	All numbers are in network byte order. The exit status is 0 if
512	there were no errors and non-zero otherwise, where the meaning
513	of non-zero values are defined by the application. The payload
514	MUST be protected with gss_wrap with a conf_req_flag set to non-
515	zero.
516
517	10. Server and client close connection.
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559	Allbery [Page 10]
560
561	remctl September 2007
562
563
564	4. Security Considerations
565
566	It would be preferrable to insist on replay and sequence protection
567	(GSS_C_REPLAY_FLAG and GSS_C_SEQUENCE_FLAG) for all contexts, but
568	some older Kerberos GSS-API implementations don't support this and
569	hence it is not mandatory in the protocol. Clients SHOULD always
570	request replay and sequence protection, however, and servers MAY
571	require such protection be negotiated.
572
573	The old protocol doesn't provide integrity protection for the flags,
574	but since it always follows the same fixed sequence of operations,
575	this should pose no security concerns in practice. The new protocol
576	only uses the flag field outside of the encrypted section of the
577	packet for initial negotiation and closes the connection if the flags
578	aren't what was expected (avoiding a down-negotiation attack).
579
580	In the old protocol, the server calculated and sent a MIC back to the
581	client, which then verified that the command as received by the
582	server was correct. Not only does GSS-API already provide integrity
583	protection, but this verification also happens after the server has
584	already started running the command. It has been dropped in the new
585	protocol.
586
587	The old protocol doesn't require the client and server check the
588	results of the GSS-API flag negotiation, although all old protocol
589	clients passed GSS_C_MUTUAL_FLAG. However, the old protocol requires
590	gss_wrap be used for all payload with conf_req_flag set to non-zero,
591	so any context that didn't negotiate confidentiality and integrity
592	services would fail later.
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615	Allbery [Page 11]
616
617	remctl September 2007
618
619
620	Appendix A. Acknowledgements
621
622	The original remctl protocol design was done by Anton Ushakov, with
623	input from Russ Allbery and Roland Schemers. Thank you to David
624	Hoffman and Mike Newton for their review of the version 2 remctl
625	protocol.
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671	Allbery [Page 12]
672
673	remctl September 2007
674
675
676	Author's Address
677
678	Russ Allbery
679	Stanford University
680	255 Panama Street, MC 4136
681	Stanford, CA 94305-4136
682	US
683
684	Email: rra@stanford.edu
685	URI: http://www.eyrie.org/~eagle/
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727	Allbery [Page 13]
728

Note: See TracBrowser for help on using the repository browser.

Download in other formats: