First steps to add an authenticated key agreement protocol (private branch).

Damien Miller djm at
Mon Nov 9 14:03:05 AEDT 2015

On Sat, 7 Nov 2015, Ross Snider wrote:

> Starting by following Damian Miller's commit
> 1e1242604eb0fd510fe93f81245c529237ffc513 I have been trying to
> understand where precisely to include additional ciphers into my
> server and client cipherlists for handshake (this commit is the start
> of ed25519 support).
> I have looked at the diff of myproposal.h and also the 25519
> implementation.
> I do not see where the implementation is mapped to the canonical name
> string so that it can be included in client code (ssh/sshd.c).
> Does anyone have experience or a tutorial on the various areas of code
> that link key exchange, EVP structs and other function pointer, and
> the handshake process all together?

What algorithms are you referring to?

If you mean ciphers, then the name/cipher mapping is done by the
ciphers[] array in ciphers.c.

If you mean key exchange algorithms, then it's more tricky.

The kexalgs[] array in kex.c handles name/number lookup. The client
and server need to implement handlers for each side of the key
exchange, these are setup in sshconnect2.c:ssh_kex2() (client) and
sshd.c:do_ssh2_kex() (server).

For each key exchange method, there is one file containing the
client side of the exchange, another for the server part and one for
shared stuff - usually the exchange hash. For curve25519, these are
kexc25519c.c, kexc25519s.c and kexc25519.c respectively.

An authenticated key exchange sounds like it might be fairly tricky
to implement. What are the keys and how are they managed? What's being
authenticated - server->client or both?

Also, if the AKE does do client->server authentication, then how does
it coexist with the existing authentication system? It would need to
work nicely with multiple authentication, etc.


More information about the openssh-unix-dev mailing list