
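--- a/authfd.c
+++ b/authfd.c
@@ -81,20 +81,15 @@ decode_reply(u_char type)
 }
 
 /* Returns the number of the authentication fd, or -1 if there is none. */
-int
-ssh_get_authentication_socket(int *fdp)
+static int
+open_authentication_socket(const char *authsocket, int *fdp)
 {
-	const char *authsocket;
 	int sock, oerrno;
 	struct sockaddr_un sunaddr;
 
 	if (fdp != NULL)
 		*fdp = -1;
 
-	authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
-	if (!authsocket)
-		return SSH_ERR_AGENT_NOT_PRESENT;
-
 	memset(&sunaddr, 0, sizeof(sunaddr));
 	sunaddr.sun_family = AF_UNIX;
 	strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
@@ -117,6 +112,32 @@ ssh_get_authentication_socket(int *fdp)
 	return 0;
 }
 
+static int
+authentication_socket_by_env(const char *envname, int *fdp)
+{
+	const char *authsocket;
+
+	if (fdp != NULL)
+		*fdp = -1;
+
+	if ((authsocket = getenv(envname)) == NULL)
+		return SSH_ERR_AGENT_NOT_PRESENT;
+
+	return open_authentication_socket(authsocket, fdp);
+}
+
+int
+ssh_get_authentication_socket(int *fdp)
+{
+	return authentication_socket_by_env(SSH_AUTHSOCKET_ENV_NAME, fdp);
+}
+
+int
+ssh_get_forwarding_authentication_socket(int *fdp)
+{
+	return authentication_socket_by_env(SSH_AUTHSOCKET_FWD_ENV_NAME, fdp);
+}
+
 /* Communicate with agent: send request and read reply */
 static int
 ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)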
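Review bot: The new public entry point `ssh_get_forwarding_authentication_socket` and its sibling wrapper `ssh_get_authentication_socket` carry no header comment, while the only comment in this hunk ("Returns the number of the authentication fd, or -1 if there is none.") now sits above the static helper `open_authentication_socket`, which takes an already-resolved path and, on the visible lines, reports "no agent" through a return code rather than -1. Callers deciding which agent gets exposed to a remote host should be able to read the contract at the declaration, so I would add above `ssh_get_forwarding_authentication_socket` a comment such as `/* Connect to the agent named by $SSH_AUTH_SOCK_FORWARD: returns 0 and stores the fd in *fdp, or SSH_ERR_AGENT_NOT_PRESENT when the variable is unset; other SSH_ERR_* values come from the connect path. */`. The connect path between the two hunks (new lines 96-111) is outside this view, so the exact set of other error codes should be confirmed there. Resetting `*fdp` to -1 in `authentication_socket_by_env` and again in `open_authentication_socket` is harmless but redundant; one of the two could go.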
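--- a/authfd.h
+++ b/authfd.h
@@ -26,6 +26,8 @@ struct ssh_identitylist {
 int	ssh_get_authentication_socket(int *fdp);
 void	ssh_close_authentication_socket(int sock);
 
+int	ssh_get_forwarding_authentication_socket(int *fdp);
+
 int	ssh_lock_agent(int sock, int lock, const char *password);
 int	ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
 void	ssh_free_identitylist(struct ssh_identitylist *idl);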
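--- a/clientloop.c
+++ b/clientloop.c
@@ -1570,7 +1570,7 @@ static Channel *
 client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
 {
 	Channel *c = NULL;
-	int r, sock;
+	int r, sock = -1;
 
 	if (!options.forward_agent) {
 		error("Warning: ssh server tried agent forwarding.");
@@ -1578,12 +1578,27 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
 		    "malicious server.");
 		return NULL;
 	}
-	if ((r = ssh_get_authentication_socket(&sock)) != 0) {
+
+	/* Try forwarding-only agent socket first */
+	if ((r = ssh_get_forwarding_authentication_socket(&sock)) != 0) {
+		if (r != SSH_ERR_AGENT_NOT_PRESENT) {
+			debug("%s: ssh_get_forwarding_authentication_socket: "
+			    "%s", __func__, ssh_err(r));
+			return NULL;
+		}
+		debug2("%s: forwarding-only socket not found", __func__);
+	} else
+		debug2("%s: using forwarding-only socket", __func__);
+
+	/* Fallback to generic agent socket otherwise */
+	if (sock == -1 && (r = ssh_get_authentication_socket(&sock)) != 0) {
 		if (r != SSH_ERR_AGENT_NOT_PRESENT)
 			debug("%s: ssh_get_authentication_socket: %s",
 			    __func__, ssh_err(r));
 		return NULL;
-	}
+	} else
+		debug2("%s: using generic agent socket", __func__);
+
 	c = channel_new(ssh, "authentication agent connection",
 	    SSH_CHANNEL_OPEN, sock, sock, -1,
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,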
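Review bot: The `} else debug2("%s: using generic agent socket", __func__);` attached to the fallback `if (sock == -1 && (r = ssh_get_authentication_socket(&sock)) != 0)` also runs when the forwarding-only socket was already obtained, because `sock != -1` makes the condition false and the else branch is taken; the log then reports the generic socket right after "using forwarding-only socket". These debug lines are the only record of which agent's keys were exposed to the remote host, so they should not contradict each other. Nest the generic lookup under a plain `if (sock == -1)` and emit the debug2 inside that block, as below. The body of client_request_agent continues past the end of this hunk.
```c
	/* Fallback to generic agent socket otherwise */
	if (sock == -1) {
		if ((r = ssh_get_authentication_socket(&sock)) != 0) {
			/* … unchanged: SSH_ERR_AGENT_NOT_PRESENT debug and return NULL … */
		}
		debug2("%s: using generic agent socket", __func__);
	}
```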
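--- a/ssh.1
+++ b/ssh.1
@@ -1163,7 +1163,7 @@ connections carry this cookie and replace it by the real cookie when
 the connection is opened.
 The real authentication cookie is never
 sent to the server machine (and no cookies are sent in the plain).
-.Pp
+.Sh AGENT FORWARDING
 If the
 .Cm ForwardAgent
 variable is set to
@@ -1172,9 +1172,26 @@ variable is set to
 .Fl A
 and
 .Fl a
-options above) and
-the user is using an authentication agent, the connection to the agent
-is automatically forwarded to the remote side.
+options above) and the user is using an authentication agent such as
+.Xr ssh-agent 1 ,
+the connection to the agent is automatically forwarded to the remote side.
+.Pp
+When an agent is forwarded, any keys it holds will be available to
+authenticate connections made from the remote host.
+Care should therefore be taken to forward agents only to trusted hosts.
+.Pp
+When forwarding an agent to the remote side,
+.Nm
+first attempts to contact the agent identified by the
+.Ev SSH_AUTH_SOCK_FORWARD
+environment variable.
+If this variable is not set, then
+.Nm
+will attempt to forward the agent's located at the default path
+.Ev SSH_AUTH_SOCK .
+This permits
+.Nm
+to optionally forward a different agent to the one used for authentication.
 .Sh VERIFYING HOST KEYS
 When connecting to a server for the first time,
 a fingerprint of the server's public key is presented to the user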
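--- a/ssh.h
+++ b/ssh.h
@@ -69,6 +69,12 @@
  */
 #define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
 
+/*
+ * Name of the environment variable containing the pathname of the
+ * authentication socket that is preferred for forwarding.
+ */
+#define SSH_AUTHSOCKET_FWD_ENV_NAME "SSH_AUTH_SOCK_FORWARD"
+
 /*
  * Environment variable for overwriting the default location of askpass
  */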
