IETF-SSH archive


ssh-agent protocol



Hi,

Markus asked me to post this information to the list. It's an
unofficial description of the ssh-agent protocol, written by Balazs
Scheidler.

Back then, I expected the SSH folks to publish an official spec on
ssh-agent "soon", but now two years have passed and this is still the
best information on ssh-agent I have seen.

I have some concerns about the security in ssh-agent, and I think
improvements are possible, if one also creates a new, better publickey
userauth method that signs some more information. But before doing
anything about that, we first need to understand the details of the
current ssh-agent mechanism.

Regards,
/Niels

: Date: Fri, 5 Nov 1999 20:29:59 +0100
: From: Balazs Scheidler <bazsi%balabit.hu@localhost>
: To: Niels Moller <nisse%lysator.liu.se@localhost>
: Subject: ssh-agent protocol
: Message-ID: <19991105202959.A5028%balabit.hu@localhost>

[ ... deletia ...]

: SSH-AGENT requests and replies
: 
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_REQUEST_VERSION(1)
: 
: reply:
: byte	SSH_AGENT_VERSION_RESPONSE(103)
: UINT32	version
: 
: The version field contains 2 for ssh-agent2, and presumably 1 for
: ssh-agent1.
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_ADD_KEY(202)
: string	private
: string	public
: string	description
: UINT8[]	constraint data
: 
: constraint data is encoded as attribute,value pairs, where the
: attribute can be one of the following:
: 
: #define SSH_AGENT_CONSTRAINT_OLD_TIMEOUT            1
: #define SSH_AGENT_CONSTRAINT_OLD_USE_LIMIT          2
: #define SSH_AGENT_CONSTRAINT_OLD_FORWARDING_STEPS   3
: #define SSH_AGENT_CONSTRAINT_OLD_FORWARDING_PATH    4
: #define SSH_AGENT_CONSTRAINT_OLD_COMPAT             5
: #define SSH_AGENT_CONSTRAINT_OLD_STATUS             6
: #define SSH_AGENT_CONSTRAINT_TIMEOUT                50
: #define SSH_AGENT_CONSTRAINT_USE_LIMIT              51
: #define SSH_AGENT_CONSTRAINT_FORWARDING_STEPS       52
: #define SSH_AGENT_CONSTRAINT_FORWARDING_PATH        100
: #define SSH_AGENT_CONSTRAINT_COMPAT                 150
: #define SSH_AGENT_CONSTRAINT_STATUS                 53
: 
: Different constraint codes may involve different encoding structures.
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_DELETE_ALL_KEYS
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_LIST_KEYS(204)
: 
: reply:
: byte	SSH_AGENT_KEY_LIST(104)
: UINT32	number of keys (=n)
: string	certificates    ] one pair for each key
: string	description     ]
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_PRIVATE_KEY_OP(205)
: string	op-name
: string	public keyblob
: op-name dependent parameters
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: 
: possible operations:
: 
: 1) "sign" ask the agent to sign some data
: 
: parameters:
: string	blob to sign
: 
: 2) "hash-and-sign" ask the agent to hash & sign some data
: 
: parameters:
: string	blob to sign
: 
: 3) "decrypt" ask the agent to decrypt the given blob
: 
: parameters:
: string	blob to decrypt
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_FORWARDING_NOTICE (206)
: string	forwarding host name
: string	???
: UINT32	port
: 
: reply:
: no reply
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_DELETE_KEY (207)
: string	public blob
: string	description
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_LOCK (208)
: string	password
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_UNLOCK (209)
: string	password
: 
: reply:
: byte	SSH_AGENT_SUCCESS or SSH_AGENT_ERROR_FAILURE
: ----------------------------------------------------------------------
: request:
: byte	SSH_AGENT_PING
: arbitrary data
: 
: reply:
: byte	SSH_AGENT_ALIVE
: arbitrary data returned
: ----------------------------------------------------------------------
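To make the message layout above concrete, here is a small encoder/decoder
and in-memory agent that speaks the request/reply formats in Balazs'
description. This is an added example, not code from Balazs, from SSH.com's
ssh-agent2, or from anything else on this page. It assumes: the string
encoding is the usual SSH one (uint32 big-endian length followed by the
bytes); the codes the description leaves unnumbered (SSH_AGENT_DELETE_ALL_KEYS,
SSH_AGENT_PING, SSH_AGENT_ALIVE, SSH_AGENT_SUCCESS, SSH_AGENT_ERROR_FAILURE)
are given made-up values; the "sign" result is sent as a string after the
SUCCESS byte, which the description does not say; and the actual public-key
signature is replaced by an HMAC keyed with the stored private blob, since the
point here is the message flow, not the signature algorithm. Constraint data
on ADD_KEY is parsed past but not enforced. The sample key material is
constructed for the example.

```python
import hashlib
import hmac
import struct

# Message codes taken from the quoted description.
REQUEST_VERSION, VERSION_RESPONSE = 1, 103
ADD_KEY, LIST_KEYS, KEY_LIST = 202, 204, 104
PRIVATE_KEY_OP, FORWARDING_NOTICE, DELETE_KEY = 205, 206, 207
LOCK, UNLOCK = 208, 209
# The description names these without numbers; the values are assumptions for this example.
DELETE_ALL_KEYS, PING, ALIVE, SUCCESS, FAILURE = 203, 212, 112, 101, 102


def put_string(b):
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Decode a string at offset; reject a length that runs past the buffer."""
    if off + 4 > len(buf):
        raise ValueError("truncated length field")
    (n,) = struct.unpack_from(">I", buf, off)
    if off + 4 + n > len(buf):
        raise ValueError("string length exceeds message")
    return buf[off + 4:off + 4 + n], off + 4 + n


class Agent:
    """In-memory agent: public blob -> (private blob, description)."""

    def __init__(self):
        self.keys = {}
        self.lock_pw = None

    def handle(self, req):
        kind, body = req[0], req[1:]
        if kind == REQUEST_VERSION:
            return bytes([VERSION_RESPONSE]) + struct.pack(">I", 2)
        if kind == PING:                      # echo; answered even while locked
            return bytes([ALIVE]) + body
        if kind == FORWARDING_NOTICE:
            return None                       # description: no reply
        if kind == UNLOCK:
            pw, _ = get_string(body, 0)
            if self.lock_pw is None or not hmac.compare_digest(pw, self.lock_pw):
                return bytes([FAILURE])
            self.lock_pw = None
            return bytes([SUCCESS])
        if self.lock_pw is not None:          # every other request is refused while locked
            return bytes([FAILURE])
        if kind == LOCK:
            self.lock_pw, _ = get_string(body, 0)
            return bytes([SUCCESS])
        if kind == ADD_KEY:
            priv, off = get_string(body, 0)
            pub, off = get_string(body, off)
            desc, off = get_string(body, off)
            self.keys[pub] = (priv, desc)     # constraint data in body[off:] is not enforced here
            return bytes([SUCCESS])
        if kind == LIST_KEYS:
            out = bytes([KEY_LIST]) + struct.pack(">I", len(self.keys))
            for pub, (_, desc) in self.keys.items():
                out += put_string(pub) + put_string(desc)
            return out
        if kind == DELETE_KEY:
            pub, _ = get_string(body, 0)
            return bytes([SUCCESS if self.keys.pop(pub, None) else FAILURE])
        if kind == DELETE_ALL_KEYS:
            self.keys.clear()
            return bytes([SUCCESS])
        if kind == PRIVATE_KEY_OP:
            op, off = get_string(body, 0)
            pub, off = get_string(body, off)
            blob, _ = get_string(body, off)   # the agent never learns what this blob means
            if pub not in self.keys or op not in (b"sign", b"hash-and-sign"):
                return bytes([FAILURE])
            if op == b"hash-and-sign":
                blob = hashlib.sha256(blob).digest()
            # Stand-in for the real public-key signature: HMAC keyed with the private blob.
            sig = hmac.new(self.keys[pub][0], blob, hashlib.sha256).digest()
            return bytes([SUCCESS]) + put_string(sig)   # result placement is an assumption
        return bytes([FAILURE])


def run_session():
    """Drive the agent through version, add, list, sign, lock, unlock and ping."""
    agent, r = Agent(), {}
    priv, pub = b"PRIV-blob", b"PUB-blob"   # constructed sample key material
    sign = bytes([PRIVATE_KEY_OP]) + put_string(b"sign") + put_string(pub) + put_string(b"data")
    r["version"] = agent.handle(bytes([REQUEST_VERSION]))
    r["add"] = agent.handle(bytes([ADD_KEY]) + put_string(priv) + put_string(pub) + put_string(b"demo key"))
    r["list"] = agent.handle(bytes([LIST_KEYS]))
    r["sig"] = agent.handle(sign)
    r["lock"] = agent.handle(bytes([LOCK]) + put_string(b"s3cret"))
    r["sign_locked"] = agent.handle(sign)
    r["bad_unlock"] = agent.handle(bytes([UNLOCK]) + put_string(b"wrong"))
    r["unlock"] = agent.handle(bytes([UNLOCK]) + put_string(b"s3cret"))
    r["ping"] = agent.handle(bytes([PING]) + b"hello")
    return r
```

Two things worth noticing when stepping through run_session(): the "sign"
request hands the agent an opaque blob, so whoever can reach the agent socket
(including a forwarded one) can get arbitrary data signed and the agent has no
way to tell what it is signing; and the length check in get_string is what
stops a string whose length field exceeds the message from reading past the
buffer.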


