With a couple of exceptions, the protocol message names used in this
document indicate which type of key the message relates to. SSH_*
messages refer to protocol 1 keys only. SSH2_* messages refer to
-protocol 2 keys. Furthermore, the names also indicate whether message
-is a request to the agent (*_AGENTC_*) or a reply from the agent
-(*_AGENT_*). Section 3 below contains the mapping of the protocol
-message names to their integer values.
+protocol 2 keys. Furthermore, the names also indicate whether the
+message is a request to the agent (*_AGENTC_*) or a reply from the
+agent (*_AGENT_*). Section 3 below contains the mapping of the
+protocol message names to their integer values.
1. Data types
-Because of it support for legacy SSH protocol 1 keys, OpenSSH's agent
+Because of support for legacy SSH protocol 1 keys, OpenSSH's agent
protocol makes use of some data types not defined in RFC 4251.
1.1 uint16
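Review bot: "With a couple of exceptions" on the first line leaves the naming convention incomplete; since the paragraph is what a reader uses to tell SSH_* (protocol 1) from SSH2_* (protocol 2) and *_AGENTC_* from *_AGENT_* messages, the exceptions should be listed here or a pointer given to where they are explained (section 3 is cited only for the integer mapping). The reflowed "+" lines themselves are wording-only and read correctly.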
"bignum" contains an unsigned arbitrary precision integer encoded as
eight bits per byte in big-endian (MSB first) format.
-Note the difference between the "mpint1" encoding an the the "mpint"
+Note the difference between the "mpint1" encoding and the "mpint"
encoding defined in RFC 4251. Also note that the length of the encoded
-integer is specified in bits, not bytes and that the byte length of of
+integer is specified in bits, not bytes and that the byte length of
the integer must be calculated by rounding up the number of bits to the
nearest eight.
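Review bot: "rounding up the number of bits to the nearest eight" on the last context line is ambiguous for a reader implementing the "mpint1" decoder; "rounding up to the next multiple of eight and dividing by eight" states the byte-length calculation exactly and avoids an off-by-one when a caller stops at the bit count. A comma after "not bytes" in the corrected line would also separate the two clauses being joined by "and that".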
uint32 message_length
byte[message_length] message
-The following message description refer only to the content the
+The following message descriptions refer only to the content the
"message" field.
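Review bot: the corrected line still drops a word: "refer only to the content the "message" field" should read "refer only to the content of the "message" field". Since this hunk is fixing exactly that sentence, the missing "of" should go in with it.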
2.1 Generic server responses
"constraints" on their usage.
OpenSSH may be built with support for keys hosted on a smartcard
-or other hardware security module. These keys may added
+or other hardware security module. These keys may be added
to the agent using the SSH_AGENTC_ADD_SMARTCARD_KEY and
-SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests
+SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED requests.
2.2.1 Key constraints
consecutively to the end of the request:
byte constraint1_type
- .... constraint1_date
+ .... constraint1_data
byte constraint2_type
- .... constraint2_date
+ .... constraint2_data
....
byte constraintN_type
- .... constraintN_date
+ .... constraintN_data
Such a sequence of zero or more constraints will be referred to below
as "constraint[]". Agents may determine whether there are constraints
-by checking whether additional data exists in the an "add key" request
+by checking whether additional data exists in the "add key" request
after the key data itself. OpenSSH will refuse to add a key if it
contains unknown constraints.
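Review bot: the rename from constraintN_date to constraintN_data is right, but the "...." placeholder for the data fields leaves the encoding unstated: nothing here says that the length and format of constraintN_data are determined by constraintN_type, which is what an agent needs in order to walk the sequence. That fits the behaviour the hunk already documents, that OpenSSH refuses a key carrying an unknown constraint (it cannot know how long the unknown data is), so a sentence to that effect would make the refusal rule follow from the encoding rather than appear arbitrary.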
string key_comment
constraint[] key_constraints
-Note that the 'rsa_p' and 'rsa_q' parameters are send in the reverse
+Note that the 'rsa_p' and 'rsa_q' parameters are sent in the reverse
order to the protocol 1 add keys message. As with the corresponding
protocol 1 "add key" request, the private key is overspecified to avoid
redundant processing.
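Review bot: the corrected line says "the protocol 1 add keys message" while the next sentence and the earlier hunk say the protocol 1 "add key" request; the document should use one name for that message. Also worth stating, next to "overspecified to avoid redundant processing", whether the agent checks the supplied 'rsa_p', 'rsa_q' and related values for consistency or trusts them as given, since a reader of this paragraph cannot tell.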
string pin
constraint[] key_constraints
-"reader_id" the an identifier to a smartcard reader and "pin"
+"reader_id" is an identifier to a smartcard reader and "pin"
is a PIN or passphrase used to unlock the private key(s) on the
device. "key_constraints" may only be present if the request type is
SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED.
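Review bot: "an identifier to a smartcard reader" in the corrected line should be "an identifier for a smartcard reader". The description of "pin" as the PIN or passphrase that unlocks the device's private keys would also benefit from a sentence saying that it is carried as a plain string in the request, so that readers understand the agent socket is handling secret material and not only key handles.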
2.5.2 Requesting a list of protocol 2 keys
-A client may send the following message to request a list of keys
+A client may send the following message to request a list of
protocol 2 keys that are stored in the agent:
byte SSH2_AGENTC_REQUEST_IDENTITIES
been encrypted with the public key and must be in the range
1 <= encrypted_challenge < 2^256. "session_id" is the SSH protocol 1
session ID (computed from the server host key, the server semi-ephemeral
-key and the session cookie.)
+key and the session cookie).
"ignored" and "response_type" exist for compatibility with legacy
implementations. "response_type" must be equal to 1; other response
types are not supported.
On receiving this request, the server decrypts the "encrypted_challenge"
-using private key matching the supplied (rsa_e, rsa_n) values. For
+using the private key matching the supplied (rsa_e, rsa_n) values. For
the response derivation, the decrypted challenge is represented as an
unsigned, big-endian integer encoded in a 32 byte buffer (i.e. values
smaller than 2^248 will have leading 0 bytes).
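Review bot: in the trailing context, "32 byte buffer" should be hyphenated as "32-byte buffer", and "i.e." is conventionally followed by a comma. The arithmetic in the parenthetical is consistent with the buffer size (a 32-byte big-endian value below 2^248 has a zero leading byte), so no change is needed there.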
SSH_AGENT_CONSTRAIN_LIFETIME 1
SSH_AGENT_CONSTRAIN_CONFIRM 2
-$OpenBSD: PROTOCOL.agent,v 1.2 2008/06/29 08:30:29 djm Exp $
+$OpenBSD: PROTOCOL.agent,v 1.4 2008/07/01 23:12:47 stevesk Exp $
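Review bot: the $OpenBSD$ tag jumps from revision 1.2 to 1.4, so this patch folds at least two upstream revisions (1.3 and 1.4) into one change; either split it per upstream revision or say in the commit message that both are being merged, so the history stays traceable to the upstream file.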