PROTOCOL.agent (204917) | PROTOCOL.agent (221420) |
---|---|
1This describes the protocol used by OpenSSH's ssh-agent. 2 3OpenSSH's agent supports managing keys for the standard SSH protocol 42 as well as the legacy SSH protocol 1. Support for these key types 5is almost completely disjoint - in all but a few cases, operations on 6protocol 2 keys cannot see or affect protocol 1 keys and vice-versa. 7 8Protocol 1 and protocol 2 keys are separated because of the differing --- 145 unchanged lines hidden (view full) --- 154"key_constraints" may only be present if the request type is 155SSH_AGENTC_ADD_RSA_IDENTITY. 156 157The agent will reply with a SSH_AGENT_SUCCESS if the key has been 158successfully added or a SSH_AGENT_FAILURE if an error occurred. 159 1602.2.3 Add protocol 2 key 161 | 1This describes the protocol used by OpenSSH's ssh-agent. 2 3OpenSSH's agent supports managing keys for the standard SSH protocol 42 as well as the legacy SSH protocol 1. Support for these key types 5is almost completely disjoint - in all but a few cases, operations on 6protocol 2 keys cannot see or affect protocol 1 keys and vice-versa. 7 8Protocol 1 and protocol 2 keys are separated because of the differing --- 145 unchanged lines hidden (view full) --- 154"key_constraints" may only be present if the request type is 155SSH_AGENTC_ADD_RSA_IDENTITY. 156 157The agent will reply with a SSH_AGENT_SUCCESS if the key has been 158successfully added or a SSH_AGENT_FAILURE if an error occurred. 159 1602.2.3 Add protocol 2 key 161 |
162The OpenSSH agent supports DSA and RSA keys for protocol 2. DSA keys may 163be added using the following request | 162The OpenSSH agent supports DSA, ECDSA and RSA keys for protocol 2. DSA 163keys may be added using the following request |
164 165 byte SSH2_AGENTC_ADD_IDENTITY or 166 SSH2_AGENTC_ADD_ID_CONSTRAINED 167 string "ssh-dss" 168 mpint dsa_p 169 mpint dsa_q 170 mpint dsa_g 171 mpint dsa_public_key --- 5 unchanged lines hidden (view full) --- 177 byte SSH2_AGENTC_ADD_IDENTITY or 178 SSH2_AGENTC_ADD_ID_CONSTRAINED 179 string "ssh-dss-cert-v00@openssh.com" 180 string certificate 181 mpint dsa_private_key 182 string key_comment 183 constraint[] key_constraints 184 | 164 165 byte SSH2_AGENTC_ADD_IDENTITY or 166 SSH2_AGENTC_ADD_ID_CONSTRAINED 167 string "ssh-dss" 168 mpint dsa_p 169 mpint dsa_q 170 mpint dsa_g 171 mpint dsa_public_key --- 5 unchanged lines hidden (view full) --- 177 byte SSH2_AGENTC_ADD_IDENTITY or 178 SSH2_AGENTC_ADD_ID_CONSTRAINED 179 string "ssh-dss-cert-v00@openssh.com" 180 string certificate 181 mpint dsa_private_key 182 string key_comment 183 constraint[] key_constraints 184 |
185ECDSA keys may be added using the following request 186 187 byte SSH2_AGENTC_ADD_IDENTITY or 188 SSH2_AGENTC_ADD_ID_CONSTRAINED 189 string "ecdsa-sha2-nistp256" | 190 "ecdsa-sha2-nistp384" | 191 "ecdsa-sha2-nistp521" 192 string ecdsa_curve_name 193 string ecdsa_public_key 194 mpint ecdsa_private 195 string key_comment 196 constraint[] key_constraints 197 198ECDSA certificates may be added with: 199 byte SSH2_AGENTC_ADD_IDENTITY or 200 SSH2_AGENTC_ADD_ID_CONSTRAINED 201 string "ecdsa-sha2-nistp256-cert-v01@openssh.com" | 202 "ecdsa-sha2-nistp384-cert-v01@openssh.com" | 203 "ecdsa-sha2-nistp521-cert-v01@openssh.com" 204 string certificate 205 mpint ecdsa_private_key 206 string key_comment 207 constraint[] key_constraints 208 |
|
185RSA keys may be added with this request: 186 187 byte SSH2_AGENTC_ADD_IDENTITY or 188 SSH2_AGENTC_ADD_ID_CONSTRAINED 189 string "ssh-rsa" 190 mpint rsa_n 191 mpint rsa_e 192 mpint rsa_d --- 16 unchanged lines hidden (view full) --- 209 string key_comment 210 constraint[] key_constraints 211 212Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse 213order to the protocol 1 add keys message. As with the corresponding 214protocol 1 "add key" request, the private key is overspecified to avoid 215redundant processing. 216 | 209RSA keys may be added with this request: 210 211 byte SSH2_AGENTC_ADD_IDENTITY or 212 SSH2_AGENTC_ADD_ID_CONSTRAINED 213 string "ssh-rsa" 214 mpint rsa_n 215 mpint rsa_e 216 mpint rsa_d --- 16 unchanged lines hidden (view full) --- 233 string key_comment 234 constraint[] key_constraints 235 236Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse 237order to the protocol 1 add keys message. As with the corresponding 238protocol 1 "add key" request, the private key is overspecified to avoid 239redundant processing. 240 |
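Review bot: in the ECDSA key add request (right column, lines 185-208) the key type string and `ecdsa_curve_name` both identify the curve, yet the text does not say what happens when they disagree; add a sentence stating whether the agent rejects a request whose curve name does not match the type identifier with SSH_AGENT_FAILURE, since a reader implementing a client needs to know the two must agree. Two smaller points in the same hunk: the private scalar is named `ecdsa_private` in the plain-key request but `ecdsa_private_key` in the certificate request, so one name should be used in both places, and the field list after "ECDSA certificates may be added with:" is missing the blank line that separates every other lead-in from its fields. Finally, the certificate types here are `*-cert-v01@openssh.com` while the DSA certificate type above is `ssh-dss-cert-v00@openssh.com`; a sentence on whether both certificate format versions are accepted by the agent would save readers from guessing.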
217For both DSA and RSA key add requests, "key_constraints" may only be | 241For DSA, ECDSA and RSA key add requests, "key_constraints" may only be |
218present if the request type is SSH2_AGENTC_ADD_ID_CONSTRAINED. 219 220The agent will reply with a SSH_AGENT_SUCCESS if the key has been 221successfully added or a SSH_AGENT_FAILURE if an error occurred. 222 2232.2.4 Loading keys from a smartcard 224 225The OpenSSH agent may have optional smartcard support built in to it. If --- 63 unchanged lines hidden (view full) --- 2892.4.2 Removing a protocol 2 key 290 291Protocol 2 keys may be removed with the following request: 292 293 byte SSH2_AGENTC_REMOVE_IDENTITY 294 string key_blob 295 296Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key | 242present if the request type is SSH2_AGENTC_ADD_ID_CONSTRAINED. 243 244The agent will reply with a SSH_AGENT_SUCCESS if the key has been 245successfully added or a SSH_AGENT_FAILURE if an error occurred. 246 2472.2.4 Loading keys from a smartcard 248 249The OpenSSH agent may have optional smartcard support built in to it. If --- 63 unchanged lines hidden (view full) --- 3132.4.2 Removing a protocol 2 key 314 315Protocol 2 keys may be removed with the following request: 316 317 byte SSH2_AGENTC_REMOVE_IDENTITY 318 string key_blob 319 320Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key |
297Algorithms" for either of the supported key types: "ssh-dss" or 298"ssh-rsa". | 321Algorithms" for any of the supported protocol 2 key types. |
299 300The agent will delete any private key matching the specified public key 301and return SSH_AGENT_SUCCESS. If no such key was found, the agent will 302return SSH_AGENT_FAILURE. 303 3042.4.3 Removing keys loaded from a smartcard 305 306A client may request that a server remove one or more smartcard-hosted --- 52 unchanged lines hidden (view full) --- 359 uint32 num_keys 360 361Followed by zero or more consecutive keys, encoded as: 362 363 string key_blob 364 string key_comment 365 366Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key | 322 323The agent will delete any private key matching the specified public key 324and return SSH_AGENT_SUCCESS. If no such key was found, the agent will 325return SSH_AGENT_FAILURE. 326 3272.4.3 Removing keys loaded from a smartcard 328 329A client may request that a server remove one or more smartcard-hosted --- 52 unchanged lines hidden (view full) --- 382 uint32 num_keys 383 384Followed by zero or more consecutive keys, encoded as: 385 386 string key_blob 387 string key_comment 388 389Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key |
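Review bot: the rewording at line 321 drops the explicit list of key types, but the remaining reference to RFC 4253 section 6.6 only defines the `ssh-dss` and `ssh-rsa` encodings; the `ecdsa-sha2-*` public key encoding (type string, curve identifier, point Q) is defined in RFC 5656 section 3.1, and the `*-cert-v00/v01@openssh.com` blobs come from OpenSSH's own certificate format (PROTOCOL.certkeys in the same tree), neither of which RFC 4253 covers. Suggest citing RFC 5656 alongside RFC 4253 here, and stating whether a certificate `key_blob` is accepted in SSH2_AGENTC_REMOVE_IDENTITY; the identical wording introduced at lines 390 and 454 needs the same references.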
367Algorithms" for either of the supported key types: "ssh-dss" or 368"ssh-rsa". | 390Algorithms" for any of the supported protocol 2 key types. |
369 3702.6 Private key operations 371 372The purpose of the agent is to perform private key operations, such as 373signing and encryption without requiring a passphrase to unlock the 374key and without allowing the private key itself to be exposed. There 375are separate requests for the protocol 1 and protocol 2 private key 376operations. --- 47 unchanged lines hidden (view full) --- 424a protocol 2 key: 425 426 byte SSH2_AGENTC_SIGN_REQUEST 427 string key_blob 428 string data 429 uint32 flags 430 431Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key | 391 3922.6 Private key operations 393 394The purpose of the agent is to perform private key operations, such as 395signing and encryption without requiring a passphrase to unlock the 396key and without allowing the private key itself to be exposed. There 397are separate requests for the protocol 1 and protocol 2 private key 398operations. --- 47 unchanged lines hidden (view full) --- 446a protocol 2 key: 447 448 byte SSH2_AGENTC_SIGN_REQUEST 449 string key_blob 450 string data 451 uint32 flags 452 453Where "key_blob" is encoded as per RFC 4253 section 6.6 "Public Key |
432Algorithms" for either of the supported key types: "ssh-dss" or 433"ssh-rsa". "flags" is a bit-mask, but at present only one possible value 434is defined (see below for its meaning): | 454Algorithms" for any of the supported protocol 2 key types. "flags" is 455a bit-mask, but at present only one possible value is defined (see below 456for its meaning): |
435 436 SSH_AGENT_OLD_SIGNATURE 1 437 438Upon receiving this request, the agent will look up the private key that 439corresponds to the public key contained in key_blob. It will use this 440private key to sign the "data" and produce a signature blob using the 441key type-specific method described in RFC 4253 section 6.6 "Public Key 442Algorithms". --- 87 unchanged lines hidden (view full) --- 530 SSH2_AGENT_IDENTITIES_ANSWER 12 531 SSH2_AGENT_SIGN_RESPONSE 14 532 5333.7 Key constraint identifiers 534 535 SSH_AGENT_CONSTRAIN_LIFETIME 1 536 SSH_AGENT_CONSTRAIN_CONFIRM 2 537 | 457 458 SSH_AGENT_OLD_SIGNATURE 1 459 460Upon receiving this request, the agent will look up the private key that 461corresponds to the public key contained in key_blob. It will use this 462private key to sign the "data" and produce a signature blob using the 463key type-specific method described in RFC 4253 section 6.6 "Public Key 464Algorithms". --- 87 unchanged lines hidden (view full) --- 552 SSH2_AGENT_IDENTITIES_ANSWER 12 553 SSH2_AGENT_SIGN_RESPONSE 14 554 5553.7 Key constraint identifiers 556 557 SSH_AGENT_CONSTRAIN_LIFETIME 1 558 SSH_AGENT_CONSTRAIN_CONFIRM 2 559 |
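Review bot: the paragraph following the flags table (right column, lines 460-464) still says the signature blob is produced "using the key type-specific method described in RFC 4253 section 6.6", which specifies only the `ssh-dss` and `ssh-rsa` signature formats; for the `ecdsa-sha2-*` key types added in this revision the signature encoding (type string plus an `r`/`s` pair) is defined in RFC 5656 section 3.1.2, so that reference belongs here as well. Since the sign request is the operation a client actually verifies, the document should also say that the returned signature type string matches the key type of the `key_blob` that was supplied, so implementers do not have to infer it.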
538$OpenBSD: PROTOCOL.agent,v 1.5 2010/02/26 20:29:54 djm Exp $ | 560$OpenBSD: PROTOCOL.agent,v 1.6 2010/08/31 11:54:45 djm Exp $ |