-rw-r--r--ChangeLog5
-rw-r--r--PROTOCOL.agent34
2 files changed, 21 insertions, 18 deletions
diff --git a/ChangeLog b/ChangeLog
index 8cfce1fdd..fadf27a7d 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -21,6 +21,9 @@
21 [sshconnect.c sshd.c] 21 [sshconnect.c sshd.c]
22 Send CR LF during protocol banner exchanges, but only for Protocol 2 only, 22 Send CR LF during protocol banner exchanges, but only for Protocol 2 only,
23 in order to comply with RFC 4253. bz #1443, ok djm@ 23 in order to comply with RFC 4253. bz #1443, ok djm@
24 - stevesk@cvs.openbsd.org 2008/07/01 23:12:47
25 [PROTOCOL.agent]
26 fix some typos; ok djm@
24 27
2520080630 2820080630
26 - (djm) OpenBSD CVS Sync 29 - (djm) OpenBSD CVS Sync
@@ -4504,4 +4507,4 @@
4504 OpenServer 6 and add osr5bigcrypt support so when someone migrates 4507 OpenServer 6 and add osr5bigcrypt support so when someone migrates
4505 passwords between UnixWare and OpenServer they will still work. OK dtucker@ 4508 passwords between UnixWare and OpenServer they will still work. OK dtucker@
4506 4509
4507$Id: ChangeLog,v 1.5044 2008/07/02 12:34:30 dtucker Exp $ 4510$Id: ChangeLog,v 1.5045 2008/07/02 12:35:00 dtucker Exp $
diff --git a/PROTOCOL.agent b/PROTOCOL.agent
index 627e12ab6..49adbdd5c 100644
--- a/PROTOCOL.agent
+++ b/PROTOCOL.agent
@@ -16,14 +16,14 @@ encryption.
16With a couple of exceptions, the protocol message names used in this 16With a couple of exceptions, the protocol message names used in this
17document indicate which type of key the message relates to. SSH_* 17document indicate which type of key the message relates to. SSH_*
18messages refer to protocol 1 keys only. SSH2_* messages refer to 18messages refer to protocol 1 keys only. SSH2_* messages refer to
19protocol 2 keys. Furthermore, the names also indicate whether message 19protocol 2 keys. Furthermore, the names also indicate whether the
20is a request to the agent (*_AGENTC_*) or a reply from the agent 20message is a request to the agent (*_AGENTC_*) or a reply from the
21(*_AGENT_*). Section 3 below contains the mapping of the protocol 21agent (*_AGENT_*). Section 3 below contains the mapping of the
22message names to their integer values. 22protocol message names to their integer values.
23 23
241. Data types 241. Data types
25 25
26Because of it support for legacy SSH protocol 1 keys, OpenSSH's agent 26Because of support for legacy SSH protocol 1 keys, OpenSSH's agent
27protocol makes use of some data types not defined in RFC 4251. 27protocol makes use of some data types not defined in RFC 4251.
28 28
291.1 uint16 291.1 uint16
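Review bot: the "Because of it support" fix drops the possessive along with the typo, so the new text "Because of support for legacy SSH protocol 1 keys, OpenSSH's agent protocol" no longer says whose support is meant. Suggest "Because of its support for legacy SSH protocol 1 keys, OpenSSH's agent protocol makes use of some data types not defined in RFC 4251", which is what the original sentence was evidently reaching for.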
@@ -42,9 +42,9 @@ Its format is as follows:
42"bignum" contains an unsigned arbitrary precision integer encoded as 42"bignum" contains an unsigned arbitrary precision integer encoded as
43eight bits per byte in big-endian (MSB first) format. 43eight bits per byte in big-endian (MSB first) format.
44 44
45Note the difference between the "mpint1" encoding an the the "mpint" 45Note the difference between the "mpint1" encoding and the "mpint"
46encoding defined in RFC 4251. Also note that the length of the encoded 46encoding defined in RFC 4251. Also note that the length of the encoded
47integer is specified in bits, not bytes and that the byte length of of 47integer is specified in bits, not bytes and that the byte length of
48the integer must be calculated by rounding up the number of bits to the 48the integer must be calculated by rounding up the number of bits to the
49nearest eight. 49nearest eight.
50 50
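Review bot: after the "of of" fix the byte-length rule is still only half stated: "rounding up the number of bits to the nearest eight" yields a bit count, not a byte count, and an implementer sizing a buffer from this sentence needs the second step too. Suggest "the byte length of the integer must be calculated by rounding up the number of bits to the nearest multiple of eight and dividing by eight", since this is exactly the place where "mpint1" differs from the RFC 4251 "mpint" that the same paragraph warns about.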
@@ -56,7 +56,7 @@ as a 32 bit unsigned integer. Specifically:
56 uint32 message_length 56 uint32 message_length
57 byte[message_length] message 57 byte[message_length] message
58 58
59The following message description refer only to the content the 59The following message descriptions refer only to the content the
60"message" field. 60"message" field.
61 61
622.1 Generic server responses 622.1 Generic server responses
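Review bot: "refer only to the content the "message" field" is still missing its preposition after the description/descriptions correction; suggest "The following message descriptions refer only to the content of the "message" field."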
@@ -86,9 +86,9 @@ and SSH2_AGENTC_ADD_ID_CONSTRAINED - these add keys with optional
86"constraints" on their usage. 86"constraints" on their usage.
87 87
88OpenSSH may be built with support for keys hosted on a smartcard 88OpenSSH may be built with support for keys hosted on a smartcard
89or other hardware security module. These keys may added 89or other hardware security module. These keys may be added
90to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and 90to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and
91SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests 91SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests.
92 92
932.2.1 Key constraints 932.2.1 Key constraints
94 94
@@ -126,7 +126,7 @@ consecutively to the end of the request:
126 126
127Such a sequence of zero or more constraints will be referred to below 127Such a sequence of zero or more constraints will be referred to below
128as "constraint[]". Agents may determine whether there are constraints 128as "constraint[]". Agents may determine whether there are constraints
129by checking whether additional data exists in the an "add key" request 129by checking whether additional data exists in the "add key" request
130after the key data itself. OpenSSH will refuse to add a key if it 130after the key data itself. OpenSSH will refuse to add a key if it
131contains unknown constraints. 131contains unknown constraints.
132 132
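Review bot: "OpenSSH will refuse to add a key if it contains unknown constraints" leaves "it" ambiguous between the key and the request, and the preceding sentence has just explained that constraints are the trailing data after the key data in the "add key" request, not part of the key. Suggest "OpenSSH will refuse to add a key if the request contains unknown constraints" while this paragraph is being touched.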
@@ -187,7 +187,7 @@ RSA keys may be added with this request:
187 string key_comment 187 string key_comment
188 constraint[] key_constraints 188 constraint[] key_constraints
189 189
190Note that the 'rsa_p' and 'rsa_q' parameters are send in the reverse 190Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse
191order to the protocol 1 add keys message. As with the corresponding 191order to the protocol 1 add keys message. As with the corresponding
192protocol 1 "add key" request, the private key is overspecified to avoid 192protocol 1 "add key" request, the private key is overspecified to avoid
193redundant processing. 193redundant processing.
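Review bot: "sent in the reverse order to the protocol 1 add keys message" is still awkward after the send/sent fix, and "add keys message" is the only place that form is used; the next sentence and the constraints section both say "add key" request. Suggest "sent in the reverse order from the protocol 1 "add key" request" so the same request is named the same way throughout.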
@@ -212,7 +212,7 @@ delegated to the smartcard.
212 string pin 212 string pin
213 constraint[] key_constraints 213 constraint[] key_constraints
214 214
215"reader_id" the an identifier to a smartcard reader and "pin" 215"reader_id" is an identifier to a smartcard reader and "pin"
216is a PIN or passphrase used to unlock the private key(s) on the 216is a PIN or passphrase used to unlock the private key(s) on the
217device. "key_constraints" may only be present if the request type is 217device. "key_constraints" may only be present if the request type is
218SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED. 218SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED.
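Review bot: "an identifier to a smartcard reader" should be "an identifier for a smartcard reader"; the line above only gives its type (string) and the sentence says nothing about what the string contains, so if the reader identifier is implementation-specific it is worth saying so in the same sentence rather than leaving the reader to guess.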
@@ -326,7 +326,7 @@ Followed by zero or more consecutive keys, encoded as:
326 326
3272.5.2 Requesting a list of protocol 2 keys 3272.5.2 Requesting a list of protocol 2 keys
328 328
329A client may send the following message to request a list of keys 329A client may send the following message to request a list of
330protocol 2 keys that are stored in the agent: 330protocol 2 keys that are stored in the agent:
331 331
332 byte SSH2_AGENTC_REQUEST_IDENTITIES 332 byte SSH2_AGENTC_REQUEST_IDENTITIES
@@ -372,14 +372,14 @@ It may be requested using this message:
372been encrypted with the public key and must be in the range 372been encrypted with the public key and must be in the range
3731 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1 3731 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1
374session ID (computed from the server host key, the server semi-ephemeral 374session ID (computed from the server host key, the server semi-ephemeral
375key and the session cookie.) 375key and the session cookie).
376 376
377"ignored" and "response_type" exist for compatibility with legacy 377"ignored" and "response_type" exist for compatibility with legacy
378implementations. "response_type" must be equal to 1; other response 378implementations. "response_type" must be equal to 1; other response
379types are not supported. 379types are not supported.
380 380
381On receiving this request, the server decrypts the "encrypted_challenge" 381On receiving this request, the server decrypts the "encrypted_challenge"
382using private key matching the supplied (rsa_e, rsa_n) values. For 382using the private key matching the supplied (rsa_e, rsa_n) values. For
383the response derivation, the decrypted challenge is represented as an 383the response derivation, the decrypted challenge is represented as an
384unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values 384unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values
385smaller than 2^248 will have leading 0 bytes). 385smaller than 2^248 will have leading 0 bytes).
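Review bot: "using the private key matching the supplied (rsa_e, rsa_n) values" now reads correctly, but the paragraph still does not say what the agent answers when no loaded key matches (rsa_e, rsa_n) or when "encrypted_challenge" is outside the stated 1 <= encrypted_challenge < 2^256 range. Section 2.1 "Generic server responses" is the natural reference; suggest adding a sentence such as "If no matching key is loaded or the challenge is out of range, the agent replies with the generic failure response of section 2.1." This commit is wording only, so a follow-up change is fine.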
@@ -513,4 +513,4 @@ Locking and unlocking affects both protocol 1 and protocol 2 keys.
513 SSH_AGENT_CONSTRAIN_LIFETIME 1 513 SSH_AGENT_CONSTRAIN_LIFETIME 1
514 SSH_AGENT_CONSTRAIN_CONFIRM 2 514 SSH_AGENT_CONSTRAIN_CONFIRM 2
515 515
516$OpenBSD: PROTOCOL.agent,v 1.3 2008/06/30 08:05:59 djm Exp $ 516$OpenBSD: PROTOCOL.agent,v 1.4 2008/07/01 23:12:47 stevesk Exp $