3.1.3 SSH services
The transport layer protocol provides a generic mechanism that let the client request execution of an ssh2 service. Services are identified by textual names so that new ones can be developed. No service is running initially and a single service can run at a given time. The same service needs to run on both sides.
The two other major components of ssh2 are specified as services:
The User Authentication Protocol provides several methods for authentication of the client user. It is specified in rfc4252. Again, user authentication methods are identified by textual names inside the service. This adds an additional level of extensibility and make some packet exchanges specific to the selected authentication method. The most common user authentication methods are password based authentication and public key authentication, but more methods are specified.
The Connection Protocol is designed to transfer data over multiplexed channels as detailed below. This is what the client and server applications commonly use to communicate over ssh2. It is specified in rfc4254 and is described in the next subsection.
Although the transport layer is designed to support any other kind of service, no other services are specified. As a result, most implementations have the two standard services hardwired in the same software component as the transport layer.
Supporting registration of new services allows to take advantage of the ssh2 protocol architecture for new usages. This also enables running alternate implementations of the standard services described above. This is used in the libassh test suite in order to implement odd behavior while testing the real user authentication service running on the other side.
The specification states that a service, typically the Connection Protocol, is run on top of the User Authentication protocol (rfc4252 section 5.1). What actually happens is that the Connection Protocol service is run after the User Authentication Protocol service, provided that the client has requested execution of these two services and did so in that order. The server is free to deny execution of a service.