-rw-r--r-- | ChangeLog | 5 | ||||
-rw-r--r-- | PROTOCOL.agent | 34 |
2 files changed, 21 insertions, 18 deletions
@@ -21,6 +21,9 @@ | |||
21 | [sshconnect.c sshd.c] | 21 | [sshconnect.c sshd.c] |
22 | Send CR LF during protocol banner exchanges, but only for Protocol 2 only, | 22 | Send CR LF during protocol banner exchanges, but only for Protocol 2 only, |
23 | in order to comply with RFC 4253. bz #1443, ok djm@ | 23 | in order to comply with RFC 4253. bz #1443, ok djm@ |
24 | - stevesk@cvs.openbsd.org 2008/07/01 23:12:47 | ||
25 | [PROTOCOL.agent] | ||
26 | fix some typos; ok djm@ | ||
24 | 27 | ||
25 | 20080630 | 28 | 20080630 |
26 | - (djm) OpenBSD CVS Sync | 29 | - (djm) OpenBSD CVS Sync |
@@ -4504,4 +4507,4 @@ | |||
4504 | OpenServer 6 and add osr5bigcrypt support so when someone migrates | 4507 | OpenServer 6 and add osr5bigcrypt support so when someone migrates |
4505 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ | 4508 | passwords between UnixWare and OpenServer they will still work. OK dtucker@ |
4506 | 4509 | ||
4507 | $Id: ChangeLog,v 1.5044 2008/07/02 12:34:30 dtucker Exp $ | 4510 | $Id: ChangeLog,v 1.5045 2008/07/02 12:35:00 dtucker Exp $ |
diff --git a/PROTOCOL.agent b/PROTOCOL.agent index 627e12ab6..49adbdd5c 100644 --- a/PROTOCOL.agent +++ b/PROTOCOL.agent | |||
@@ -16,14 +16,14 @@ encryption. | |||
16 | With a couple of exceptions, the protocol message names used in this | 16 | With a couple of exceptions, the protocol message names used in this |
17 | document indicate which type of key the message relates to. SSH_* | 17 | document indicate which type of key the message relates to. SSH_* |
18 | messages refer to protocol 1 keys only. SSH2_* messages refer to | 18 | messages refer to protocol 1 keys only. SSH2_* messages refer to |
19 | protocol 2 keys. Furthermore, the names also indicate whether message | 19 | protocol 2 keys. Furthermore, the names also indicate whether the |
20 | is a request to the agent (*_AGENTC_*) or a reply from the agent | 20 | message is a request to the agent (*_AGENTC_*) or a reply from the |
21 | (*_AGENT_*). Section 3 below contains the mapping of the protocol | 21 | agent (*_AGENT_*). Section 3 below contains the mapping of the |
22 | message names to their integer values. | 22 | protocol message names to their integer values. |
23 | 23 | ||
24 | 1. Data types | 24 | 1. Data types |
25 | 25 | ||
26 | Because of it support for legacy SSH protocol 1 keys, OpenSSH's agent | 26 | Because of support for legacy SSH protocol 1 keys, OpenSSH's agent |
27 | protocol makes use of some data types not defined in RFC 4251. | 27 | protocol makes use of some data types not defined in RFC 4251. |
28 | 28 | ||
29 | 1.1 uint16 | 29 | 1.1 uint16 |
@@ -42,9 +42,9 @@ Its format is as follows: | |||
42 | "bignum" contains an unsigned arbitrary precision integer encoded as | 42 | "bignum" contains an unsigned arbitrary precision integer encoded as |
43 | eight bits per byte in big-endian (MSB first) format. | 43 | eight bits per byte in big-endian (MSB first) format. |
44 | 44 | ||
45 | Note the difference between the "mpint1" encoding an the the "mpint" | 45 | Note the difference between the "mpint1" encoding and the "mpint" |
46 | encoding defined in RFC 4251. Also note that the length of the encoded | 46 | encoding defined in RFC 4251. Also note that the length of the encoded |
47 | integer is specified in bits, not bytes and that the byte length of of | 47 | integer is specified in bits, not bytes and that the byte length of |
48 | the integer must be calculated by rounding up the number of bits to the | 48 | the integer must be calculated by rounding up the number of bits to the |
49 | nearest eight. | 49 | nearest eight. |
50 | 50 | ||
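Review bot: the corrected sentence at lines 46-49 still leaves the bit-to-byte conversion implicit ("rounding up the number of bits to the nearest eight"); since the wire length of an "mpint1" is given in bits, consider stating the rule explicitly, e.g. "the byte length is (bits + 7) / 8", and noting that the computed byte count must be checked against the data actually remaining in the message before the bignum is read, so that a mismatched bit length is rejected rather than over-read.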
@@ -56,7 +56,7 @@ as a 32 bit unsigned integer. Specifically: | |||
56 | uint32 message_length | 56 | uint32 message_length |
57 | byte[message_length] message | 57 | byte[message_length] message |
58 | 58 | ||
59 | The following message description refer only to the content the | 59 | The following message descriptions refer only to the content the |
60 | "message" field. | 60 | "message" field. |
61 | 61 | ||
62 | 2.1 Generic server responses | 62 | 2.1 Generic server responses |
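Review bot: line 59 fixes "description" to "descriptions" but the sentence is still missing a preposition; it should read "refer only to the content of the "message" field" (line 60), otherwise the typo pass leaves the sentence ungrammatical.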
@@ -86,9 +86,9 @@ and SSH2_AGENTC_ADD_ID_CONSTRAINED - these add keys with optional | |||
86 | "constraints" on their usage. | 86 | "constraints" on their usage. |
87 | 87 | ||
88 | OpenSSH may be built with support for keys hosted on a smartcard | 88 | OpenSSH may be built with support for keys hosted on a smartcard |
89 | or other hardware security module. These keys may added | 89 | or other hardware security module. These keys may be added |
90 | to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and | 90 | to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and |
91 | SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests | 91 | SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests. |
92 | 92 | ||
93 | 2.2.1 Key constraints | 93 | 2.2.1 Key constraints |
94 | 94 | ||
@@ -126,7 +126,7 @@ consecutively to the end of the request: | |||
126 | 126 | ||
127 | Such a sequence of zero or more constraints will be referred to below | 127 | Such a sequence of zero or more constraints will be referred to below |
128 | as "constraint[]". Agents may determine whether there are constraints | 128 | as "constraint[]". Agents may determine whether there are constraints |
129 | by checking whether additional data exists in the an "add key" request | 129 | by checking whether additional data exists in the "add key" request |
130 | after the key data itself. OpenSSH will refuse to add a key if it | 130 | after the key data itself. OpenSSH will refuse to add a key if it |
131 | contains unknown constraints. | 131 | contains unknown constraints. |
132 | 132 | ||
@@ -187,7 +187,7 @@ RSA keys may be added with this request: | |||
187 | string key_comment | 187 | string key_comment |
188 | constraint[] key_constraints | 188 | constraint[] key_constraints |
189 | 189 | ||
190 | Note that the 'rsa_p' and 'rsa_q' parameters are send in the reverse | 190 | Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse |
191 | order to the protocol 1 add keys message. As with the corresponding | 191 | order to the protocol 1 add keys message. As with the corresponding |
192 | protocol 1 "add key" request, the private key is overspecified to avoid | 192 | protocol 1 "add key" request, the private key is overspecified to avoid |
193 | redundant processing. | 193 | redundant processing. |
@@ -212,7 +212,7 @@ delegated to the smartcard. | |||
212 | string pin | 212 | string pin |
213 | constraint[] key_constraints | 213 | constraint[] key_constraints |
214 | 214 | ||
215 | "reader_id" the an identifier to a smartcard reader and "pin" | 215 | "reader_id" is an identifier to a smartcard reader and "pin" |
216 | is a PIN or passphrase used to unlock the private key(s) on the | 216 | is a PIN or passphrase used to unlock the private key(s) on the |
217 | device. "key_constraints" may only be present if the request type is | 217 | device. "key_constraints" may only be present if the request type is |
218 | SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED. | 218 | SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED. |
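Review bot: line 215 replaces "the an identifier" with "is an identifier", but "an identifier to a smartcard reader" is still awkward; "an identifier for a smartcard reader" reads more naturally and matches how the other field descriptions in this document are phrased.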
@@ -326,7 +326,7 @@ Followed by zero or more consecutive keys, encoded as: | |||
326 | 326 | ||
327 | 2.5.2 Requesting a list of protocol 2 keys | 327 | 2.5.2 Requesting a list of protocol 2 keys |
328 | 328 | ||
329 | A client may send the following message to request a list of keys | 329 | A client may send the following message to request a list of |
330 | protocol 2 keys that are stored in the agent: | 330 | protocol 2 keys that are stored in the agent: |
331 | 331 | ||
332 | byte SSH2_AGENTC_REQUEST_IDENTITIES | 332 | byte SSH2_AGENTC_REQUEST_IDENTITIES |
@@ -372,14 +372,14 @@ It may be requested using this message: | |||
372 | been encrypted with the public key and must be in the range | 372 | been encrypted with the public key and must be in the range |
373 | 1 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1 | 373 | 1 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1 |
374 | session ID (computed from the server host key, the server semi-ephemeral | 374 | session ID (computed from the server host key, the server semi-ephemeral |
375 | key and the session cookie.) | 375 | key and the session cookie). |
376 | 376 | ||
377 | "ignored" and "response_type" exist for compatibility with legacy | 377 | "ignored" and "response_type" exist for compatibility with legacy |
378 | implementations. "response_type" must be equal to 1; other response | 378 | implementations. "response_type" must be equal to 1; other response |
379 | types are not supported. | 379 | types are not supported. |
380 | 380 | ||
381 | On receiving this request, the server decrypts the "encrypted_challenge" | 381 | On receiving this request, the server decrypts the "encrypted_challenge" |
382 | using private key matching the supplied (rsa_e, rsa_n) values. For | 382 | using the private key matching the supplied (rsa_e, rsa_n) values. For |
383 | the response derivation, the decrypted challenge is represented as an | 383 | the response derivation, the decrypted challenge is represented as an |
384 | unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values | 384 | unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values |
385 | smaller than 2^248 will have leading 0 bytes). | 385 | smaller than 2^248 will have leading 0 bytes). |
@@ -513,4 +513,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys. | |||
513 | SSH_AGENT_CONSTRAIN_LIFETIME 1 | 513 | SSH_AGENT_CONSTRAIN_LIFETIME 1 |
514 | SSH_AGENT_CONSTRAIN_CONFIRM 2 | 514 | SSH_AGENT_CONSTRAIN_CONFIRM 2 |
515 | 515 | ||
516 | $OpenBSD: PROTOCOL.agent,v 1.3 2008/06/30 08:05:59 djm Exp $ | 516 | $OpenBSD: PROTOCOL.agent,v 1.4 2008/07/01 23:12:47 stevesk Exp $ |