path: root/PROTOCOL.agent
author    Damien Miller <djm@mindrot.org>  2010-08-31 22:41:14 +1000
committer Damien Miller <djm@mindrot.org>  2010-08-31 22:41:14 +1000
commit    eb8b60e320cdade9f4c07e2abacfb92c52e01348 (patch)
tree      4e5bc25790566402e5b7ae00cefd2c57e867ef09 /PROTOCOL.agent
parent    da108ece6843f1268aa36d7c8ed0030dc53acd15 (diff)
- djm@cvs.openbsd.org 2010/08/31 11:54:45
[PROTOCOL PROTOCOL.agent PROTOCOL.certkeys auth2-jpake.c authfd.c]
[authfile.c buffer.h dns.c kex.c kex.h key.c key.h monitor.c]
[monitor_wrap.c myproposal.h packet.c packet.h pathnames.h readconf.c]
[ssh-add.1 ssh-add.c ssh-agent.1 ssh-agent.c ssh-keygen.1 ssh-keygen.c]
[ssh-keyscan.1 ssh-keyscan.c ssh-keysign.8 ssh.1 ssh.c ssh2.h]
[ssh_config.5 sshconnect.c sshconnect2.c sshd.8 sshd.c sshd_config.5]
[uuencode.c uuencode.h bufec.c kexecdh.c kexecdhc.c kexecdhs.c ssh-ecdsa.c]
Implement Elliptic Curve Cryptography modes for key exchange (ECDH) and
host/user keys (ECDSA) as specified by RFC5656. ECDH and ECDSA offer
better performance than plain DH and DSA at the same equivalent symmetric
key length, as well as much shorter keys.
Only the mandatory sections of RFC5656 are implemented, specifically the
three REQUIRED curves nistp256, nistp384 and nistp521 and only ECDH and
ECDSA. Point compression (optional in RFC5656) is NOT implemented.
Certificate host and user keys using the new ECDSA key types are supported.
Note that this code has not been tested for interoperability and may be
subject to change.
feedback and ok markus@
Diffstat (limited to 'PROTOCOL.agent')
-rw-r--r--  PROTOCOL.agent  44
1 files changed, 33 insertions, 11 deletions
diff --git a/PROTOCOL.agent b/PROTOCOL.agent
index b34fcd318..de94d037d 100644
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -159,8 +159,8 @@ successfully added or a SSH_AGENT_FAILURE if an error occurred.
159 159
1602.2.3 Add protocol 2 key 1602.2.3 Add protocol 2 key
161 161
162The OpenSSH agent supports DSA and RSA keys for protocol 2. DSA keys may 162The OpenSSH agent supports DSA, ECDSA and RSA keys for protocol 2. DSA
163be added using the following request 163keys may be added using the following request
164 164
165 byte SSH2_AGENTC_ADD_IDENTITY or 165 byte SSH2_AGENTC_ADD_IDENTITY or
166 SSH2_AGENTC_ADD_ID_CONSTRAINED 166 SSH2_AGENTC_ADD_ID_CONSTRAINED
@@ -182,6 +182,30 @@ DSA certificates may be added with:
182 string key_comment 182 string key_comment
183 constraint[] key_constraints 183 constraint[] key_constraints
184 184
185ECDSA keys may be added using the following request
186
187 byte SSH2_AGENTC_ADD_IDENTITY or
188 SSH2_AGENTC_ADD_ID_CONSTRAINED
189 string "ecdsa-sha2-nistp256" |
190 "ecdsa-sha2-nistp384" |
191 "ecdsa-sha2-nistp521"
192 string ecdsa_curve_name
193 string ecdsa_public_key
194 mpint ecdsa_private
195 string key_comment
196 constraint[] key_constraints
197
198ECDSA certificates may be added with:
199 byte SSH2_AGENTC_ADD_IDENTITY or
200 SSH2_AGENTC_ADD_ID_CONSTRAINED
201 string "ecdsa-sha2-nistp256-cert-v01@openssh.com" |
202 "ecdsa-sha2-nistp384-cert-v01@openssh.com" |
203 "ecdsa-sha2-nistp521-cert-v01@openssh.com"
204 string certificate
205 mpint ecdsa_private_key
206 string key_comment
207 constraint[] key_constraints
208
185RSA keys may be added with this request: 209RSA keys may be added with this request:
186 210
187 byte SSH2_AGENTC_ADD_IDENTITY or 211 byte SSH2_AGENTC_ADD_IDENTITY or
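Review bot: the two new ECDSA request layouts name the private-key field inconsistently: the key-add request uses "mpint ecdsa_private" while the certificate-add request uses "mpint ecdsa_private_key"; pick one name for both. The certificate block is also missing the blank line between "ECDSA certificates may be added with:" and the first "byte" field that the key-add block has after its introductory sentence. Since the key-add request carries both the key type string and "string ecdsa_curve_name", the text should state that the agent rejects a request whose curve name does not match the curve named in the type string, and say how "ecdsa_public_key" is encoded (the point Q, as in RFC 5656 section 3.1), as neither is specified here.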
@@ -214,7 +238,7 @@ order to the protocol 1 add keys message. As with the corresponding
214protocol 1 "add key" request, the private key is overspecified to avoid 238protocol 1 "add key" request, the private key is overspecified to avoid
215redundant processing. 239redundant processing.
216 240
217For both DSA and RSA key add requests, "key_constraints" may only be 241For DSA, ECDSA and RSA key add requests, "key_constraints" may only be
218present if the request type is SSH2_AGENTC_ADD_ID_CONSTRAINED. 242present if the request type is SSH2_AGENTC_ADD_ID_CONSTRAINED.
219 243
220The agent will reply with a SSH_AGENT_SUCCESS if the key has been 244The agent will reply with a SSH_AGENT_SUCCESS if the key has been
@@ -294,8 +318,7 @@ Protocol 2 keys may be removed with the following request:
294 string key_blob 318 string key_blob
295 319
296Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key 320Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
297Algorithms" for either of the supported key types: "ssh-dss" or 321Algorithms" for any of the supported protocol 2 key types.
298"ssh-rsa".
299 322
300The agent will delete any private key matching the specified public key 323The agent will delete any private key matching the specified public key
301and return SSH_AGENT_SUCCESS. If no such key was found, the agent will 324and return SSH_AGENT_SUCCESS. If no such key was found, the agent will
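Review bot: "any of the supported protocol 2 key types" replaces the explicit list of type identifiers that readers previously found here; consider cross-referencing section 2.2.3, where the add-key requests enumerate the "ssh-dss", "ecdsa-sha2-nistp*" and RSA type strings, so the set of accepted "key_blob" types remains discoverable from this section.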
@@ -364,8 +387,7 @@ Followed by zero or more consecutive keys, encoded as:
364 string key_comment 387 string key_comment
365 388
366Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key 389Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
367Algorithms" for either of the supported key types: "ssh-dss" or 390Algorithms" for any of the supported protocol 2 key types.
368"ssh-rsa".
369 391
3702.6 Private key operations 3922.6 Private key operations
371 393
@@ -429,9 +451,9 @@ a protocol 2 key:
429 uint32 flags 451 uint32 flags
430 452
431Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key 453Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key
432Algorithms" for either of the supported key types: "ssh-dss" or 454Algorithms" for any of the supported protocol 2 key types. "flags" is
433"ssh-rsa". "flags" is a bit-mask, but at present only one possible value 455a bit-mask, but at present only one possible value is defined (see below
434is defined (see below for its meaning): 456for its meaning):
435 457
436 SSH_AGENT_OLD_SIGNATURE 1 458 SSH_AGENT_OLD_SIGNATURE 1
437 459
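Review bot: now that the sign request accepts "any of the supported protocol 2 key types", the corresponding response description should state how an ECDSA signature is encoded, since the existing DSA and RSA signature formats do not cover it; RFC 5656 section 3.1.2 defines the blob as the type string followed by a string containing mpint r and mpint s, and a sentence pointing there would avoid ambiguity for implementers parsing the agent's reply.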
@@ -535,4 +557,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
535 SSH_AGENT_CONSTRAIN_LIFETIME 1 557 SSH_AGENT_CONSTRAIN_LIFETIME 1
536 SSH_AGENT_CONSTRAIN_CONFIRM 2 558 SSH_AGENT_CONSTRAIN_CONFIRM 2
537 559
538$OpenBSD: PROTOCOL.agent,v 1.5 2010/02/26 20:29:54 djm Exp $ 560$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $