* New upstream release (LP: #535029).

  - After a transition period of about 10 years, this release disables SSH
    protocol 1 by default.  Clients and servers that need to use the
    legacy protocol must explicitly enable it in ssh_config / sshd_config
    or on the command-line.
  - Remove the libsectok/OpenSC-based smartcard code and add support for
    PKCS#11 tokens.  This support is enabled by default in the Debian
    packaging, since it now doesn't involve additional library
    dependencies (closes: #231472, LP: #16918).
  - Add support for certificate authentication of users and hosts using a
    new, minimal OpenSSH certificate format (closes: #482806).
  - Added a 'netcat mode' to ssh(1): "ssh -W host:port ...".
  - Add the ability to revoke keys in sshd(8) and ssh(1).  (For the Debian
    package, this overlaps with the key blacklisting facility added in
    openssh 1:4.7p1-9, but with different file formats and slightly
    different scopes; for the moment, I've roughly merged the two.)
  - Various multiplexing improvements, including support for requesting
    port-forwardings via the multiplex protocol (closes: #360151).
  - Allow setting an explicit umask on the sftp-server(8) commandline to
    override whatever default the user has (closes: #496843).
  - Many sftp client improvements, including tab-completion, more options,
    and recursive transfer support for get/put (LP: #33378).  The old
    mget/mput commands never worked properly and have been removed
    (closes: #270399, #428082).
  - Do not prompt for a passphrase if we fail to open a keyfile, and log
    the reason why the open failed to debug (closes: #431538).
  - Prevent sftp from crashing when given a "-" without a command.  Also,
    allow whitespace to follow a "-" (closes: #531561).

1 files changed, 23 insertions, 1 deletions

diff --git a/PROTOCOL.agent b/PROTOCOL.agent
index 49adbdd5c..b34fcd318 100644
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -173,6 +173,15 @@ be added using the following request
         string                  key_comment
         constraint[]            key_constraints
 
+DSA certificates may be added with:
+        byte                    SSH2_AGENTC_ADD_IDENTITY or
+                                SSH2_AGENTC_ADD_ID_CONSTRAINED
+        string                  "ssh-dss-cert-v00@openssh.com"
+        string                  certificate
+        mpint                   dsa_private_key
+        string                  key_comment
+        constraint[]            key_constraints
+
 RSA keys may be added with this request:
 
         byte                    SSH2_AGENTC_ADD_IDENTITY or
@@ -187,6 +196,19 @@ RSA keys may be added with this request:
         string                  key_comment
         constraint[]            key_constraints
 
+RSA certificates may be added with this request:
+
+        byte                    SSH2_AGENTC_ADD_IDENTITY or
+                                SSH2_AGENTC_ADD_ID_CONSTRAINED
+        string                  "ssh-rsa-cert-v00@openssh.com"
+        string                  certificate
+        mpint                   rsa_d
+        mpint                   rsa_iqmp
+        mpint                   rsa_p
+        mpint                   rsa_q
+        string                  key_comment
+        constraint[]            key_constraints
+
 Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse
 order to the protocol 1 add keys message. As with the corresponding
 protocol 1 "add key" request, the private key is overspecified to avoid
@@ -513,4 +535,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
         SSH_AGENT_CONSTRAIN_LIFETIME                    1
         SSH_AGENT_CONSTRAIN_CONFIRM                     2
 
-$OpenBSD: PROTOCOL.agent,v 1.4 2008/07/01 23:12:47 stevesk Exp $
+$OpenBSD: PROTOCOL.agent,v 1.5 2010/02/26 20:29:54 djm Exp $