| rfc9987v2.txt | rfc9987.txt |
|---|---|
| skipping to change at line 760 | skipping to change at line 760 |
| client-side agent using this protocol (although there may be multiple | client-side agent using this protocol (although there may be multiple |
| concurrent connections to that single agent). | concurrent connections to that single agent). |
| 8. Protocol Numbers | 8. Protocol Numbers |
| 8.1. Message Type Numbers | 8.1. Message Type Numbers |
| The following numbers are used as message types for requests from the | The following numbers are used as message types for requests from the |
| client to the agent. | client to the agent. |
| SSH_AGENTC_REQUEST_IDENTITIES 11 | +------------------------------------------+----+ |
| SSH_AGENTC_SIGN_REQUEST 13 | \| SSH_AGENTC_REQUEST_IDENTITIES \| 11 \| |
| SSH_AGENTC_ADD_IDENTITY 17 | +------------------------------------------+----+ |
| SSH_AGENTC_REMOVE_IDENTITY 18 | \| SSH_AGENTC_SIGN_REQUEST \| 13 \| |
| SSH_AGENTC_REMOVE_ALL_IDENTITIES 19 | +------------------------------------------+----+ |
| SSH_AGENTC_ADD_SMARTCARD_KEY 20 | \| SSH_AGENTC_ADD_IDENTITY \| 17 \| |
| SSH_AGENTC_REMOVE_SMARTCARD_KEY 21 | +------------------------------------------+----+ |
| SSH_AGENTC_LOCK 22 | \| SSH_AGENTC_REMOVE_IDENTITY \| 18 \| |
| SSH_AGENTC_UNLOCK 23 | +------------------------------------------+----+ |
| SSH_AGENTC_ADD_ID_CONSTRAINED 25 | \| SSH_AGENTC_REMOVE_ALL_IDENTITIES \| 19 \| |
| SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED 26 | +------------------------------------------+----+ |
| SSH_AGENTC_EXTENSION 27 | \| SSH_AGENTC_ADD_SMARTCARD_KEY \| 20 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_REMOVE_SMARTCARD_KEY \| 21 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_LOCK \| 22 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_UNLOCK \| 23 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_ADD_ID_CONSTRAINED \| 25 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_ADD_SMARTCARD_KEY_CONSTRAINED \| 26 \| |
| | +------------------------------------------+----+ |
| | \| SSH_AGENTC_EXTENSION \| 27 \| |
| | +------------------------------------------+----+ |
| | Table 1 |
| The following numbers are used as message types for replies from the | The following numbers are used as message types for replies from the |
| agent to the client. | agent to the client. |
| SSH_AGENT_FAILURE 5 | +------------------------------+----+ |
| SSH_AGENT_SUCCESS 6 | \| SSH_AGENT_FAILURE \| 5 \| |
| SSH_AGENT_IDENTITIES_ANSWER 12 | +------------------------------+----+ |
| SSH_AGENT_SIGN_RESPONSE 14 | \| SSH_AGENT_SUCCESS \| 6 \| |
| SSH_AGENT_EXTENSION_FAILURE 28 | +------------------------------+----+ |
| SSH_AGENT_EXTENSION_RESPONSE 29 | \| SSH_AGENT_IDENTITIES_ANSWER \| 12 \| |
| | +------------------------------+----+ |
| | \| SSH_AGENT_SIGN_RESPONSE \| 14 \| |
| | +------------------------------+----+ |
| | \| SSH_AGENT_EXTENSION_FAILURE \| 28 \| |
| | +------------------------------+----+ |
| | \| SSH_AGENT_EXTENSION_RESPONSE \| 29 \| |
| | +------------------------------+----+ |
| | Table 2 |
| 8.1.1. Reserved Message Type Numbers | 8.1.1. Reserved Message Type Numbers |
| The following message type numbers are reserved for implementations | The following message type numbers are reserved for implementations |
| that implement support for the legacy SSH protocol version 1: 1-4, | that implement support for the legacy SSH protocol version 1: 1-4, |
| 7-10, 15-16, and 24 (inclusive). These message numbers MAY be used | 7-10, 15-16, and 24 (inclusive). These message numbers MAY be used |
| by an implementation supporting the legacy protocol but MUST NOT be | by an implementation supporting the legacy protocol but MUST NOT be |
| reused otherwise. | reused otherwise. |
| Message number 0 is also reserved and MUST NOT be used. | Message number 0 is also reserved and MUST NOT be used. |
| The range of message numbers 240-255 is reserved for Private Use | The range of message numbers 240-255 is reserved for Private Use |
| extensions to the agent protocol and MUST NOT be used by generic | extensions to the agent protocol and MUST NOT be used by generic |
| implementations (see [RFC8126] for more information on Private Use). | implementations (see [RFC8126] for more information on Private Use). |
| 8.2. Constraint Identifiers | 8.2. Constraint Identifiers |
| The following numbers are used to identify key constraints. These | The following numbers are used to identify key constraints. These |
| are only used in key constraints and are not sent as message numbers. | are only used in key constraints and are not sent as message numbers. |
| SSH_AGENT_CONSTRAIN_LIFETIME 1 | +-------------------------------+-----+ |
| SSH_AGENT_CONSTRAIN_CONFIRM 2 | \| SSH_AGENT_CONSTRAIN_LIFETIME \| 1 \| |
| SSH_AGENT_CONSTRAIN_EXTENSION 255 | +-------------------------------+-----+ |
| | \| SSH_AGENT_CONSTRAIN_CONFIRM \| 2 \| |
| | +-------------------------------+-----+ |
| | \| SSH_AGENT_CONSTRAIN_EXTENSION \| 255 \| |
| | +-------------------------------+-----+ |
| | Table 3 |
| The constraint identifier 0 is reserved. | The constraint identifier 0 is reserved. |
| 8.3. Signature Flags | 8.3. Signature Flags |
| The following numbers may be present in signature request | The following numbers may be present in signature request |
| (SSH_AGENTC_SIGN_REQUEST) messages. These flags form a bit field by | (SSH_AGENTC_SIGN_REQUEST) messages. These flags form a bit field by |
| taking the logical OR of zero or more flags. | taking the logical OR of zero or more flags. |
| SSH_AGENT_RSA_SHA2_256 0x00000002 | +------------------------+------------+ |
| SSH_AGENT_RSA_SHA2_512 0x00000004 | \| SSH_AGENT_RSA_SHA2_256 \| 0x00000002 \| |
| | +------------------------+------------+ |
| | \| SSH_AGENT_RSA_SHA2_512 \| 0x00000004 \| |
| | +------------------------+------------+ |
| | Table 4 |
| The flag value 1 is reserved for historical implementations. | The flag value 1 is reserved for historical implementations. |
| 9. IANA Considerations | 9. IANA Considerations |
| This protocol describes the establishment of five registries: one for | This protocol describes the establishment of five registries: one for |
| message type numbers, one for constraint numbers, one for signature | message type numbers, one for constraint numbers, one for signature |
| request flags, one for constraint extension names, and one for | request flags, one for constraint extension names, and one for |
| extension request names. Additionally, new codepoints are requested | extension request names. Additionally, new codepoints are requested |
| in three existing registries. | in three existing registries. |
| skipping to change at line 991 | skipping to change at line 1026 |
| \| \| \| 5.8 and 8.1 \| | \| \| \| 5.8 and 8.1 \| |
| +---------+------------------------------------------+-------------+ | +---------+------------------------------------------+-------------+ |
| \| 29 \| SSH_AGENT_EXTENSION_RESPONSE \| RFC 9987, \| | \| 29 \| SSH_AGENT_EXTENSION_RESPONSE \| RFC 9987, \| |
| \| \| \| Sections \| | \| \| \| Sections \| |
| \| \| \| 5.8 and 8.1 \| | \| \| \| 5.8 and 8.1 \| |
| +---------+------------------------------------------+-------------+ | +---------+------------------------------------------+-------------+ |
| \| 240-255 \| Private Use \| RFC 9987, \| | \| 240-255 \| Private Use \| RFC 9987, \| |
| \| \| \| Section 8.1 \| | \| \| \| Section 8.1 \| |
| +---------+------------------------------------------+-------------+ | +---------+------------------------------------------+-------------+ |
| Table 1 | Table 5 |
| 9.3. "SSH Agent Key Constraint Numbers" Registry | 9.3. "SSH Agent Key Constraint Numbers" Registry |
| The "SSH Agent Key Constraint Numbers" registry records the message | The "SSH Agent Key Constraint Numbers" registry records the message |
| numbers for key use constraints. It is located in the "Secure Shell | numbers for key use constraints. It is located in the "Secure Shell |
| (SSH) Protocol Parameters" registry group [IANA-SSH]. Its initial | (SSH) Protocol Parameters" registry group [IANA-SSH]. Its initial |
| state is as follows. Future key constraint number allocations shall | state is as follows. Future key constraint number allocations shall |
| occur via Expert Review as per [RFC8126]. | occur via Expert Review as per [RFC8126]. |
| +========+===============================+=======================+ | +========+===============================+=======================+ |
| skipping to change at line 1013 | skipping to change at line 1048 |
| +========+===============================+=======================+ | +========+===============================+=======================+ |
| \| 0 \| Reserved \| RFC 9987, Section 8.2 \| | \| 0 \| Reserved \| RFC 9987, Section 8.2 \| |
| +--------+-------------------------------+-----------------------+ | +--------+-------------------------------+-----------------------+ |
| \| 1 \| SSH_AGENT_CONSTRAIN_LIFETIME \| RFC 9987, Section 8.2 \| | \| 1 \| SSH_AGENT_CONSTRAIN_LIFETIME \| RFC 9987, Section 8.2 \| |
| +--------+-------------------------------+-----------------------+ | +--------+-------------------------------+-----------------------+ |
| \| 2 \| SSH_AGENT_CONSTRAIN_CONFIRM \| RFC 9987, Section 8.2 \| | \| 2 \| SSH_AGENT_CONSTRAIN_CONFIRM \| RFC 9987, Section 8.2 \| |
| +--------+-------------------------------+-----------------------+ | +--------+-------------------------------+-----------------------+ |
| \| 255 \| SSH_AGENT_CONSTRAIN_EXTENSION \| RFC 9987, Section 8.2 \| | \| 255 \| SSH_AGENT_CONSTRAIN_EXTENSION \| RFC 9987, Section 8.2 \| |
| +--------+-------------------------------+-----------------------+ | +--------+-------------------------------+-----------------------+ |
| Table 2 | Table 6 |
| 9.4. "SSH Agent Key Constraint Extension Names" Registry | 9.4. "SSH Agent Key Constraint Extension Names" Registry |
| The "SSH Agent Key Constraint Extension Names" registry records the | The "SSH Agent Key Constraint Extension Names" registry records the |
| names used in the SSH_AGENT_CONSTRAIN_EXTENSION constraint extension | names used in the SSH_AGENT_CONSTRAIN_EXTENSION constraint extension |
| type (Section 5.2.7.3). It is located in the "Secure Shell (SSH) | type (Section 5.2.7.3). It is located in the "Secure Shell (SSH) |
| Protocol Parameters" registry group [IANA-SSH]. Its initial state is | Protocol Parameters" registry group [IANA-SSH]. Its initial state is |
| empty. Future key constraint extension name allocations shall occur | empty. Future key constraint extension name allocations shall occur |
| via Expert Review as per [RFC8126]. | via Expert Review as per [RFC8126]. |
| skipping to change at line 1047 | skipping to change at line 1082 |
| +========+========================+=======================+ | +========+========================+=======================+ |
| \| Number \| Identifier \| Reference \| | \| Number \| Identifier \| Reference \| |
| +========+========================+=======================+ | +========+========================+=======================+ |
| \| 0x01 \| Reserved \| RFC 9987, Section 8.3 \| | \| 0x01 \| Reserved \| RFC 9987, Section 8.3 \| |
| +--------+------------------------+-----------------------+ | +--------+------------------------+-----------------------+ |
| \| 0x02 \| SSH_AGENT_RSA_SHA2_256 \| RFC 9987, Section 8.3 \| | \| 0x02 \| SSH_AGENT_RSA_SHA2_256 \| RFC 9987, Section 8.3 \| |
| +--------+------------------------+-----------------------+ | +--------+------------------------+-----------------------+ |
| \| 0x04 \| SSH_AGENT_RSA_SHA2_512 \| RFC 9987, Section 8.3 \| | \| 0x04 \| SSH_AGENT_RSA_SHA2_512 \| RFC 9987, Section 8.3 \| |
| +--------+------------------------+-----------------------+ | +--------+------------------------+-----------------------+ |
| Table 3 | Table 7 |
| 9.6. "SSH Agent Extension Request Names" Registry | 9.6. "SSH Agent Extension Request Names" Registry |
| The "SSH Agent Extension Request Names" registry records the names | The "SSH Agent Extension Request Names" registry records the names |
| used in the generic extension request message (SSH_AGENTC_EXTENSION). | used in the generic extension request message (SSH_AGENTC_EXTENSION). |
| It is located in the "Secure Shell (SSH) Protocol Parameters" | It is located in the "Secure Shell (SSH) Protocol Parameters" |
| registry group [IANA-SSH]. Its initial state consists of the | registry group [IANA-SSH]. Its initial state consists of the |
| following names. | following names. |
| Future name allocations shall occur via Expert Review as per | Future name allocations shall occur via Expert Review as per |
| [RFC8126]. | [RFC8126]. |
| +================+=========================+ | +================+=========================+ |
| \| Extension Name \| Reference \| | \| Extension Name \| Reference \| |
| +================+=========================+ | +================+=========================+ |
| \| query \| RFC 9987, Section 5.8.1 \| | \| query \| RFC 9987, Section 5.8.1 \| |
| +----------------+-------------------------+ | +----------------+-------------------------+ |
| Table 4 | Table 8 |
| 9.7. Additions to the "Extension Names" Registry | 9.7. Additions to the "Extension Names" Registry |
| IANA has added the following entries to the "Extension Names" | IANA has added the following entries to the "Extension Names" |
| registry [IANA-SSH-EXT] in the "Secure Shell (SSH) Protocol | registry [IANA-SSH-EXT] in the "Secure Shell (SSH) Protocol |
| Parameters" registry group [IANA-SSH]. | Parameters" registry group [IANA-SSH]. |
| +================+=======================+ | +================+=======================+ |
| \| Extension Name \| Reference \| | \| Extension Name \| Reference \| |
| +================+=======================+ | +================+=======================+ |
| \| agent-forward \| RFC 9987, Section 7.1 \| | \| agent-forward \| RFC 9987, Section 7.1 \| |
| +----------------+-----------------------+ | +----------------+-----------------------+ |
| Table 5 | Table 9 |
| 9.8. Additions to the "Connection Protocol Channel Request Names" | 9.8. Additions to the "Connection Protocol Channel Request Names" |
| Registry | Registry |
| IANA has added the following entries to the "Connection Protocol | IANA has added the following entries to the "Connection Protocol |
| Channel Request Names" registry [IANA-SSH-CHANREQ] in the "Secure | Channel Request Names" registry [IANA-SSH-CHANREQ] in the "Secure |
| Shell (SSH) Protocol Parameters" registry group [IANA-SSH]. | Shell (SSH) Protocol Parameters" registry group [IANA-SSH]. |
| +==============+=======================+ | +==============+=======================+ |
| \| Request Type \| Reference \| | \| Request Type \| Reference \| |
| +==============+=======================+ | +==============+=======================+ |
| \| agent-req \| RFC 9987, Section 7.2 \| | \| agent-req \| RFC 9987, Section 7.2 \| |
| +--------------+-----------------------+ | +--------------+-----------------------+ |
| Table 6 | Table 10 |
| 9.9. Additions to the "Connection Protocol Channel Types" Registry | 9.9. Additions to the "Connection Protocol Channel Types" Registry |
| IANA has added the following entries to the "Connection Protocol | IANA has added the following entries to the "Connection Protocol |
| Channel Types" registry [IANA-SSH-CHANTYPE] under the "Secure Shell | Channel Types" registry [IANA-SSH-CHANTYPE] under the "Secure Shell |
| (SSH) Protocol Parameters" registry group [IANA-SSH]. | (SSH) Protocol Parameters" registry group [IANA-SSH]. |
| +===============+=======================+ | +===============+=======================+ |
| \| Channel Type \| Reference \| | \| Channel Type \| Reference \| |
| +===============+=======================+ | +===============+=======================+ |
| \| agent-connect \| RFC 9987, Section 7.3 \| | \| agent-connect \| RFC 9987, Section 7.3 \| |
| +---------------+-----------------------+ | +---------------+-----------------------+ |
| Table 7 | Table 11 |
| 10. Security Considerations | 10. Security Considerations |
| The agent is a service that is tasked with retaining and providing | The agent is a service that is tasked with retaining and providing |
| controlled access to what are typically long-lived login | controlled access to what are typically long-lived login |
| authentication credentials. It is, by nature, a sensitive and | authentication credentials. It is, by nature, a sensitive and |
| trusted software component. Moreover, the agent protocol itself does | trusted software component. Moreover, the agent protocol itself does |
| not include any authentication or transport security; ability to | not include any authentication or transport security; ability to |
| communicate with an agent is usually sufficient to invoke it to | communicate with an agent is usually sufficient to invoke it to |
| perform private key operations. | perform private key operations. |
| End of changes. 11 change blocks. | |
| 30 lines changed or deleted | 65 lines changed or added |
| This html diff was produced by rfcdiff 1.48. | |
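As an added example (not code from RFC 9987 or from any agent implementation it describes), the Python below models the numbers in Sections 8.1 through 8.3 of the text above and the Section 10 point that an agent is reachable by anything that can talk to its socket, so a generic agent should answer SSH_AGENT_FAILURE to every message it does not recognise, including the reserved and Private Use numbers of Section 8.1.1. The framing (uint32 length, byte message type, payload) and the SSH_AGENTC_SIGN_REQUEST layout (string key blob, string data, uint32 flags) follow the RFC's message definitions, which are outside this excerpt; the choice to reject unknown flag bits and the `signer` callback are this example's own, and the sample key blob and data are constructed.

```python
"""Protocol-number checks for the SSH agent protocol (RFC 9987, Section 8).

Added example, not code from the RFC or any agent implementation. Framing
(uint32 length, byte type, payload) and the SSH_AGENTC_SIGN_REQUEST layout
(string key blob, string data, uint32 flags) follow the RFC's message
definitions; rejecting unknown flag bits and the signer callback are this
example's own choices.
"""
import struct

# Section 8.1: requests (client -> agent) and replies (agent -> client)
SSH_AGENTC_SIGN_REQUEST = 13
REQUEST_TYPES = {11, 13, 17, 18, 19, 20, 21, 22, 23, 25, 26, 27}
SSH_AGENT_FAILURE = 5
SSH_AGENT_SIGN_RESPONSE = 14
REPLY_TYPES = {5, 6, 12, 14, 28, 29}

# Section 8.1.1: legacy SSH1 numbers and the Private Use range
LEGACY_SSH1_TYPES = set(range(1, 5)) | set(range(7, 11)) | {15, 16, 24}
PRIVATE_USE_TYPES = set(range(240, 256))

# Section 8.3: signature flags; 0x1 is reserved for historical implementations
SSH_AGENT_RSA_SHA2_256 = 0x00000002
SSH_AGENT_RSA_SHA2_512 = 0x00000004
KNOWN_SIGN_FLAGS = SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512
RESERVED_SIGN_FLAG = 0x00000001


def classify_message_type(n):
    """Return what Section 8.1 allows a message type number to be used for."""
    if n == 0:
        return "reserved"
    if n in REQUEST_TYPES:
        return "request"
    if n in REPLY_TYPES:
        return "reply"
    if n in LEGACY_SSH1_TYPES:
        return "reserved-legacy"
    if n in PRIVATE_USE_TYPES:
        return "private-use"
    return "unassigned"


def put_string(b):
    """SSH 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def get_string(buf, off):
    """Parse an SSH 'string' at offset off; return (bytes, new offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def frame(msg_type, payload=b""):
    """Prefix a message type and payload with the uint32 length."""
    body = bytes([msg_type]) + payload
    return struct.pack(">I", len(body)) + body


def unframe(data):
    """Split one complete frame into (message type, payload)."""
    if len(data) < 5:
        raise ValueError("short frame")
    (n,) = struct.unpack_from(">I", data, 0)
    if n != len(data) - 4:
        raise ValueError("length prefix does not match frame")
    return data[4], data[5:]


def build_sign_request(key_blob, data, flags):
    payload = put_string(key_blob) + put_string(data) + struct.pack(">I", flags)
    return frame(SSH_AGENTC_SIGN_REQUEST, payload)


def parse_sign_request(payload):
    """Return (key_blob, data, flags), enforcing the Section 8.3 bit field."""
    key_blob, off = get_string(payload, 0)
    data, off = get_string(payload, off)
    (flags,) = struct.unpack_from(">I", payload, off)
    if off + 4 != len(payload):
        raise ValueError("trailing bytes after flags")
    if flags & RESERVED_SIGN_FLAG:
        raise ValueError("reserved flag value 1 set")
    if flags & ~KNOWN_SIGN_FLAGS:
        raise ValueError("unknown flag bits set")
    return key_blob, data, flags


def handle_request(wire, signer):
    """Dispatch one frame. Anything that is not a known request number,
    including reserved and Private Use numbers, gets SSH_AGENT_FAILURE; a
    well-formed sign request is handed to signer(key_blob, data, flags)."""
    try:
        msg_type, payload = unframe(wire)
        if classify_message_type(msg_type) != "request":
            return frame(SSH_AGENT_FAILURE)
        if msg_type == SSH_AGENTC_SIGN_REQUEST:
            key_blob, data, flags = parse_sign_request(payload)
            sig = signer(key_blob, data, flags)
            return frame(SSH_AGENT_SIGN_RESPONSE, put_string(sig))
    except (ValueError, struct.error):
        pass
    return frame(SSH_AGENT_FAILURE)  # other request types are not implemented here


if __name__ == "__main__":
    req = build_sign_request(b"constructed-key-blob", b"constructed-data",
                             SSH_AGENT_RSA_SHA2_256)
    print(handle_request(req, lambda k, d, f: b"constructed-signature").hex())
    print(handle_request(frame(240), lambda k, d, f: b"").hex())  # Private Use -> FAILURE
```

Because the protocol carries no authentication, the message-number and flag checks are the agent's only input validation; anything malformed or outside the assigned request numbers collapses to the single SSH_AGENT_FAILURE reply rather than leaking why it was rejected.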