Annotation of src/usr.bin/ssh/PROTOCOL.agent, Revision 1.15
The SSH agent protocol is described in
https://tools.ietf.org/html/draft-miller-ssh-agent-04

This file documents OpenSSH's extensions to the agent protocol.

1. session-bind@openssh.com extension

This extension allows a ssh client to bind an agent connection to a
particular SSH session identifier as derived from the initial key
exchange (as per RFC4253 section 7.2) and the host key used for that
exchange. This binding is verifiable at the agent by including the
initial KEX signature made by the host key.

The message format is:

	byte		SSH_AGENTC_EXTENSION (0x1b)
	string		session-bind@openssh.com
	string		hostkey
	string		session identifier
	string		signature
	bool		is_forwarding

Where 'hostkey' is the encoded server host public key, 'session
identifier' is the exchange hash derived from the initial key
exchange, 'signature' is the server's signature of the session
identifier using the private hostkey, as sent in the final
SSH2_MSG_KEXDH_REPLY/SSH2_MSG_KEXECDH_REPLY message of the initial key
exchange. 'is_forwarding' is a flag indicating whether this connection
should be bound for user authentication or forwarding.

When an agent receives this message, it will verify the signature and
check the consistency of its contents, including refusing to accept
a duplicate session identifier, or any attempt to bind a connection
previously bound for authentication. It will then record the
binding for the life of the connection for use later in testing per-key
destination constraints.

! 37:
! 38: 2. restrict-destination-v00@openssh.com key constraint extension
! 39:
! 40: The key constraint extension supports destination- and forwarding path-
! 41: restricted keys. It may be attached as a constraint when keys or
! 42: smartcard keys are added to an agent.
! 43:
! 44: byte SSH_AGENT_CONSTRAIN_EXTENSION (0xff)
! 45: string restrict-destination-v00@openssh.com
! 46: constraint[] constraints
! 47:
! 48: Where a constraint consists of:
! 49:
! 50: string from_username (must be empty)
! 51: string from_hostname
! 52: keyspec[] from_hostkeys
! 53: string to_username
! 54: string to_hostname
! 55: keyspec[] to_hostkeys
! 56:
A keyspec consists of:

	string		keyblob
	bool		is_ca

When receiving this message, the agent will ensure that the
'from_username' field is empty, and that 'to_hostname' and 'to_hostkeys'
have been supplied (empty 'from_hostname' and 'from_hostkeys' are valid
and signify the initial hop from the host running ssh-agent). The agent
will then record the constraint against the key.
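Added example (not OpenSSH's code): a Python encoder and bounds-checked parser for the restrict-destination-v00@openssh.com constraint message that applies the agent-side checks described above (empty 'from_username', 'to_hostname' and 'to_hostkeys' supplied, no trailing data, truncated fields refused). The page does not say how constraint[] and keyspec[] are delimited; wrapping each constraint in a string and each keyspec[] in a string of concatenated keyspecs is this example's assumption, as are the constructed host names and key blobs used as input.

```python
import struct

EXT_NAME, SSH_AGENT_CONSTRAIN_EXTENSION = b"restrict-destination-v00@openssh.com", 0xFF

def put_string(b):  # SSH 'string': uint32 big-endian length, then the bytes
    return struct.pack(">I", len(b)) + b

def encode_constraint(from_host, from_keys, to_user, to_host, to_keys):
    # Framing assumption of this example (the spec does not give it): each constraint is
    # wrapped in a string, each keyspec[] is a string of concatenated (keyblob, is_ca) pairs.
    ks = lambda keys: b"".join(put_string(blob) + bytes([1 if ca else 0]) for blob, ca in keys)
    body = (put_string(b"") + put_string(from_host) + put_string(ks(from_keys))  # from_username empty
            + put_string(to_user) + put_string(to_host) + put_string(ks(to_keys)))
    return put_string(body)

def encode_extension(constraints):
    return bytes([SSH_AGENT_CONSTRAIN_EXTENSION]) + put_string(EXT_NAME) + b"".join(constraints)

def check(cond, msg):  # a failed agent-side check rejects the whole message
    if not cond:
        raise ValueError(msg)

class Reader:  # bounds-checked cursor: truncated or oversized fields are rejected
    def __init__(self, data): self.data, self.pos = data, 0
    def eof(self): return self.pos == len(self.data)
    def string(self): return self.take(struct.unpack(">I", self.take(4))[0])
    def take(self, n):
        check(self.pos + n <= len(self.data), "message truncated")
        self.pos += n
        return self.data[self.pos - n:self.pos]
    def keyspecs(self):  # keyspec[] field; an empty list is valid for from_hostkeys
        k, specs = Reader(self.string()), []
        while not k.eof():
            specs.append((k.string(), k.take(1)[0] != 0))
        return specs

def parse_constraint(r):  # -> (from_host, from_keys, to_user, to_host, to_keys)
    c = Reader(r.string())
    from_user, from_host, from_keys = c.string(), c.string(), c.keyspecs()
    to_user, to_host, to_keys = c.string(), c.string(), c.keyspecs()
    check(c.eof(), "trailing data in constraint")
    check(from_user == b"", "from_username must be empty")
    check(to_host != b"" and to_keys, "to_hostname and to_hostkeys must be supplied")
    return from_host, from_keys, to_user, to_host, to_keys

def parse_extension(msg):  # list of parsed constraints, or ValueError where the agent would refuse
    r = Reader(msg)
    check(r.take(1)[0] == SSH_AGENT_CONSTRAIN_EXTENSION and r.string() == EXT_NAME,
          "not a restrict-destination-v00@openssh.com constraint")
    return [parse_constraint(r) for _ in iter(r.eof, True)]  # repeat until r.eof() is True
```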

Subsequent operations on this key including add/remove/request
identities and, in particular, signature requests will check the key
constraints against the session-bind@openssh.com bindings recorded for
the agent connection over which they were received.

3. SSH_AGENT_CONSTRAIN_MAXSIGN key constraint

This key constraint allows communication to an agent of the maximum
number of signatures that may be made with an XMSS key. The format of
the constraint is:

	byte		SSH_AGENT_CONSTRAIN_MAXSIGN (0x03)
	uint32		max_signatures

This option is only valid for XMSS keys.

$OpenBSD: PROTOCOL.agent,v 1.14 2020/10/06 07:12:04 dtucker Exp $