| Summary: | ForwardAgent inactive socket with values not in (yes, no) | | |
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Sev <sev+ssh-bugs> |
| Component: | ssh | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | | |
| Severity: | trivial | CC: | djm, sev+ssh-bugs |
| Priority: | P5 | | |
| Version: | 8.4p1 | | |
| Hardware: | amd64 | | |
| OS: | Linux | | |
| Bug Depends on: | | | |
| Bug Blocks: | 3217 | | |

This behaviour is intentional as this option accepts arbitrary path names as argument:
> ForwardAgent
> Specifies whether the connection to the authentication agent (if
> any) will be forwarded to the remote machine. The argument may
> be yes, no (the default), an explicit path to an agent socket or
> the name of an environment variable (beginning with ‘$’) in which
> to find the path.

Though perhaps ssh should warn in cases that the specified agent socket does not exist.

OpenSSH 8.5 will warn in this case:

    [djm@tiresias ssh]$ ./ssh/obj/ssh -Snone -oForwardAgent=xxx hades
    Cannot forward agent socket path "xxx": No such file or directory

> This behaviour is intentional as this option accepts arbitrary path
> names as argument

I was sure to read ssh_config(5) but somehow I completely skipped over this usage. In hindsight the error and the man page make perfect sense.

> OpenSSH 8.5 will warn in this case

Given my situation, of course I agree that it's the right decision to make it more obvious. Thanks.

close bugs that were resolved in OpenSSH 8.5 release cycle

I noticed after making a typo in my ssh_config that if one sets the ForwardAgent option to a value other than yes or no, a socket is still created on the destination, but that socket does not respond.

To test, I started `ssh-agent -d', set SSH_AUTH_SOCK, added a key, and ran these commands:

    % ssh -o ForwardAgent=yrs 10.0.0.1 ssh-add -l
    % ssh -o ForwardAgent=yes 10.0.0.1 ssh-add -l

In both cases, the output is the same until the 'ssh-agent -l' command is run:

    OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
    ...
    debug1: Requesting authentication agent forwarding.
    ...
    debug1: Sending command: ssh-add -l
    debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384

At this point, the output diverges. For ForwardAgent=yrs:

    debug1: client_request_agent: ssh_get_authentication_socket: No such file or directory
    debug1: failure auth-agent@openssh.com
    error fetching identities: communication with agent failed

It can be seen that ssh-agent is not outputting debug information showing that it has received activity on the client machine's socket. For the correct ForwardAgent=yes:

    debug1: channel 1: new [authentication agent connection]
    debug1: confirm auth-agent@openssh.com
    debug2: fd 4 setting O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 11
    debug1: channel 1: FORCE input drain
    2048 SHA256:4c82f66aac74743b56154b7a06b6b91297ece749326 /home/user/.ssh/id_rsa (RSA)
    ...

I am using OpenSSH 8.4p1 compiled against musl on Alpine Linux, should that make a difference. I do not believe there are any patches being applied that would have anything to do with this bug.

Regards.
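
The ForwardAgent rules quoted from ssh_config(5) in this thread (yes, no, a socket path, or a `$` environment variable) can be checked before connecting, which catches a typo such as `yrs`. This is an added example, not OpenSSH code and not part of the bug report: the function names, sample config and variable name are made up, only yes/no are treated as booleans as in the quoted man page text, and paths are checked literally with no tilde or token expansion.

```python
import os
import re
import stat

# Matches "ForwardAgent value" and "ForwardAgent=value" (keywords are case-insensitive).
FA_LINE = re.compile(r"^\s*forwardagent(?:\s*=\s*|\s+)(.+?)\s*$", re.IGNORECASE)

# Constructed sample config; host names and the variable name are made up.
SAMPLE_CONFIG = """\
Host good
    ForwardAgent yes
Host typo
    ForwardAgent yrs
Host envvar
    ForwardAgent=$AGENT_SOCK_EXAMPLE
"""

def classify_forward_agent(value, env):
    """Return (kind, problem); problem is None when the value is usable."""
    if value.lower() in ("yes", "no"):
        return "boolean", None
    if value.startswith("$"):
        kind, path = "env", env.get(value[1:])
        if not path:
            return kind, f"environment variable {value[1:]} is not set"
    else:
        kind, path = "path", value  # anything else is taken as a socket path
    try:
        if not stat.S_ISSOCK(os.stat(path).st_mode):
            return kind, f"{path}: not a socket"
    except OSError as exc:
        return kind, f"{path}: {exc.strerror}"
    return kind, None

def lint_ssh_config(text, env=os.environ):
    """Return [(line number, value, kind, problem)] for unusable ForwardAgent values."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = FA_LINE.match(line)
        if m:
            value = m.group(1).strip('"')
            kind, problem = classify_forward_agent(value, env)
            if problem:
                findings.append((lineno, value, kind, problem))
    return findings

if __name__ == "__main__":
    for lineno, value, kind, problem in lint_ssh_config(SAMPLE_CONFIG):
        print(f"line {lineno}: ForwardAgent {value} ({kind}): {problem}")
```

A finding of kind `path` on a value that looks like a misspelled keyword is the case reported here: ssh still requests forwarding, but the agent channel fails when first used.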