Re: ssh-agent protocol

To: ietf-ssh%netbsd.org@localhost
Subject: Re: ssh-agent protocol
From: Simon Tatham <anakin%pobox.com@localhost>
Date: Mon, 21 Jan 2002 11:40:41 +0000

Niels Möller <nisse%lysator.liu.se@localhost> wrote:
> Markus asked me to post this information to the list. It's an
> inofficial description of the ssh-agent protocol
[...]
> : ----------------------------------------------------------------------
> : request:
> : byte	SSH_AGENT_REQUEST_VERSION(1)
> : 
> : reply:
> : byte	SSH_AGENT_VERSION_RESPONSE(103)
> : UINT32	version
> : 
> : The version field contains 2 for ssh-agent2, and presumably 1 for
> : ssh-agent1.

I'm not sure this is quite right. I tried making my own observations
of the ssh-agent2 protocol once, and came up with slightly different
conclusions.

In ssh-agent1, an empty message-type-1 is not a version request at
all: it's SSH_AGENTC_REQUEST_RSA_IDENTITIES, and the response from
ssh-agent1 is a list of public keys.

If I recall my own analysis correctly, the ssh-agent2 version
request is a message-type-1 which _does_ contain something. Then you
have some options:

 - if the agent responds to a version request by returning an
   ssh-agent1 list of keys, you know it doesn't understand the
   agent2 protocol at all.

 - if it returns SSH_AGENT_VERSION_RESPONSE then you know it can act
   as an agent2; you can then send it an _empty_ message-type-1 and
   see what it says to that. If it responds to _that_ with an
   ssh-agent1 list of keys then it's able to act as a two-in-one
   agent1 and agent2. (A double agent? :-)

IIRC the snag is that earlier ssh2 agent clients do expect an empty
message-type-1 to provoke an agent2 version response, so to
interoperate with these older clients you would want to be able to
disable ssh-agent1 behaviour in a decently configurable agent.

It's nice to see that the OpenSSH agent2 message numbers are
completely disjoint from the ssh.com ones, though; at least there'll
be no problem with running both of those agent protocols in
parallel!

Cheers,
Simon
-- 
Simon Tatham         "The difference between theory and practice is
<anakin%pobox.com@localhost>    that, in theory, there is no difference."

References:
- ssh-agent protocol
  - From: Niels Möller

Prev by Date: Re: SSH agent forwarding
Next by Date: Re: message lang tags verse SSH_MSG_KEXINIT
Previous by Thread: Re: SSH agent forwarding
Next by Thread: scp2 vs sftp ?
Indexes:

Home | Main Index | Thread Index | Old Index