Bugzilla – Attachment 3087 Details for
Bug 1937
Make it possible to give a give an ssh session only access to a limit subset of ssh-agent keys
[patch]
prefer to forward SSH_AUTH_SOCK_FORWARD if present
bz1937.diff (text/plain), 5.34 KB, created by
Damien Miller
on 2017-11-10 13:27:43 AEDT
Description:
prefer to forward SSH_AUTH_SOCK_FORWARD if present
Filename:
MIME Type:
Creator:
Damien Miller
Created:
2017-11-10 13:27:43 AEDT
Size:
5.34 KB
patch
obsolete
>commit 12384d1a24203509a457d10cbf05e0192b4198c9
>Author: Damien Miller <djm@mindrot.org>
>Date: Fri Nov 10 13:26:53 2017 +1100
>
> bz1937
>
>diff --git a/authfd.c b/authfd.c
>index ebb0d59..80e8ef6 100644
>--- a/authfd.c
>+++ b/authfd.c
>@@ -81,20 +81,15 @@ decode_reply(u_char type)
> }
>
> /* Returns the number of the authentication fd, or -1 if there is none. */
>-int
>-ssh_get_authentication_socket(int *fdp)
>+static int
>+open_authentication_socket(const char *authsocket, int *fdp)
> {
>- const char *authsocket;
> int sock, oerrno;
> struct sockaddr_un sunaddr;
>
> if (fdp != NULL)
> *fdp = -1;
>
>- authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
>- if (!authsocket)
>- return SSH_ERR_AGENT_NOT_PRESENT;
>-
> memset(&sunaddr, 0, sizeof(sunaddr));
> sunaddr.sun_family = AF_UNIX;
> strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
>@@ -117,6 +112,32 @@ ssh_get_authentication_socket(int *fdp)
> return 0;
> }
>
>+static int
>+authentication_socket_by_env(const char *envname, int *fdp)
>+{
>+ const char *authsocket;
>+
>+ if (fdp != NULL)
>+ *fdp = -1;
>+
>+ if ((authsocket = getenv(envname)) == NULL)
>+ return SSH_ERR_AGENT_NOT_PRESENT;
>+
>+ return open_authentication_socket(authsocket, fdp);
>+}
>+
>+int
>+ssh_get_authentication_socket(int *fdp)
>+{
>+ return authentication_socket_by_env(SSH_AUTHSOCKET_ENV_NAME, fdp);
>+}
>+
>+int
>+ssh_get_forwarding_authentication_socket(int *fdp)
>+{
>+ return authentication_socket_by_env(SSH_AUTHSOCKET_FWD_ENV_NAME, fdp);
>+}
>+
> /* Communicate with agent: send request and read reply */
> static int
> ssh_request_reply(int sock, struct sshbuf *request, struct sshbuf *reply)
>diff --git a/authfd.h b/authfd.h
>index 43abf85..f7e0026 100644
>--- a/authfd.h
>+++ b/authfd.h
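Review bot: open_authentication_socket() still copies `authsocket` into `sunaddr.sun_path` with a bare `strlcpy` and never checks the result, so a path longer than `sun_path` is silently truncated and the connect is then attempted on a different name; now that the path arrives as a parameter sourced from either `SSH_AUTH_SOCK` or `SSH_AUTH_SOCK_FORWARD`, this should be a hard error, e.g. `if (strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path)) >= sizeof(sunaddr.sun_path)) return SSH_ERR_INVALID_ARGUMENT;` (or whichever non-`SSH_ERR_AGENT_NOT_PRESENT` code this file already uses for bad input, so the new caller treats it as a failure rather than falling back). The comment kept above the function, `Returns the number of the authentication fd, or -1 if there is none.`, now sits on a static helper that returns 0 or an `SSH_ERR_*` code and hands the descriptor back through `*fdp`; it should be reworded to say that, since the rename is the moment to fix it. The body of open_authentication_socket() continues past the end of this hunk, so the socket()/connect() handling was not reviewed here.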
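Review bot: The two new public entry points ssh_get_authentication_socket() and ssh_get_forwarding_authentication_socket() have no comment, and the contract the new caller in clientloop.c relies on — `SSH_ERR_AGENT_NOT_PRESENT` only when the variable is unset, any other code when it is set but the socket cannot be opened — is only discoverable by reading authentication_socket_by_env(). I would add above ssh_get_forwarding_authentication_socket(): `/* Connect to the forwarding-only agent named by $SSH_AUTH_SOCK_FORWARD. Returns SSH_ERR_AGENT_NOT_PRESENT only if the variable is unset, so callers may fall back to $SSH_AUTH_SOCK; any other error means it was set but unusable. */`. Note that an empty-but-set variable (`SSH_AUTH_SOCK_FORWARD=`) is not `NULL` from getenv(), so it is passed on to open_authentication_socket() and presumably fails there instead of reporting not-present; that is the fail-closed outcome one wants here, but the comment should state that it is intended rather than accidental.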
>@@ -26,6 +26,8 @@ struct ssh_identitylist {
> int ssh_get_authentication_socket(int *fdp);
> void ssh_close_authentication_socket(int sock);
>
>+int ssh_get_forwarding_authentication_socket(int *fdp);
>+
> int ssh_lock_agent(int sock, int lock, const char *password);
> int ssh_fetch_identitylist(int sock, struct ssh_identitylist **idlp);
> void ssh_free_identitylist(struct ssh_identitylist *idl);
>diff --git a/clientloop.c b/clientloop.c
>index 21c976b..c479520 100644
>--- a/clientloop.c
>+++ b/clientloop.c
>@@ -1570,7 +1570,7 @@ static Channel *
> client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
> {
> Channel *c = NULL;
>- int r, sock;
>+ int r, sock = -1;
>
> if (!options.forward_agent) {
> error("Warning: ssh server tried agent forwarding.");
>@@ -1578,12 +1578,27 @@ client_request_agent(struct ssh *ssh, const char *request_type, int rchan)
> "malicious server.");
> return NULL;
> }
>- if ((r = ssh_get_authentication_socket(&sock)) != 0) {
>+
>+ /* Try forwarding-only agent socket first */
>+ if ((r = ssh_get_forwarding_authentication_socket(&sock)) != 0) {
>+ if (r != SSH_ERR_AGENT_NOT_PRESENT) {
>+ debug("%s: ssh_get_forwarding_authentication_socket: "
>+ "%s", __func__, ssh_err(r));
>+ return NULL;
>+ }
>+ debug2("%s: forwarding-only socket not found", __func__);
>+ } else
>+ debug2("%s: using forwarding-only socket", __func__);
>+
>+ /* Fallback to generic agent socket otherwise */
>+ if (sock == -1 && (r = ssh_get_authentication_socket(&sock)) != 0) {
> if (r != SSH_ERR_AGENT_NOT_PRESENT)
> debug("%s: ssh_get_authentication_socket: %s",
> __func__, ssh_err(r));
> return NULL;
>- }
>+ } else
>+ debug2("%s: using generic agent socket", __func__);
>+
> c = channel_new(ssh, "authentication agent connection",
> SSH_CHANNEL_OPEN, sock, sock, -1,
> CHAN_X11_WINDOW_DEFAULT, CHAN_TCP_PACKET_DEFAULT, 0,
>diff --git a/ssh.1 b/ssh.1
>index 9de2a11..e7d5568 100644
>--- a/ssh.1
>+++ b/ssh.1
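Review bot: The trailing `} else debug2("%s: using generic agent socket", __func__);` in client_request_agent() runs whenever the preceding `if` is false, which includes the case where `sock != -1` because the forwarding-only socket was already opened, so a session using `SSH_AUTH_SOCK_FORWARD` logs both "using forwarding-only socket" and "using generic agent socket"; the fallback should be a nested block so the message is emitted only when the generic socket is actually the one forwarded. Separately, the fallback itself is silent below debug2: a user who exported `SSH_AUTH_SOCK_FORWARD` in one shell but runs ssh from an environment that drops it (sudo, cron, a wrapper script) gets the full `SSH_AUTH_SOCK` agent forwarded with no visible indication, which is exactly the exposure this feature exists to limit, so that path deserves at least `verbose()` and arguably a client option to refuse forwarding when no forwarding-only socket is configured. The enclosing function begins in the previous hunk and ends outside this one.
```c
	/* Fallback to generic agent socket otherwise */
	if (sock == -1) {
		if ((r = ssh_get_authentication_socket(&sock)) != 0) {
			if (r != SSH_ERR_AGENT_NOT_PRESENT)
				debug("%s: ssh_get_authentication_socket: %s",
				    __func__, ssh_err(r));
			return NULL;
		}
		debug2("%s: using generic agent socket", __func__);
	}
	/* … unchanged: channel_new() call … */
```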
>@@ -1163,7 +1163,7 @@ connections carry this cookie and replace it by the real cookie when
> the connection is opened.
> The real authentication cookie is never
> sent to the server machine (and no cookies are sent in the plain).
>-.Pp
>+.Sh AGENT FORWARDING
> If the
> .Cm ForwardAgent
> variable is set to
>@@ -1172,9 +1172,26 @@ variable is set to
> .Fl A
> and
> .Fl a
>-options above) and
>-the user is using an authentication agent, the connection to the agent
>-is automatically forwarded to the remote side.
>+options above) and the user is using an authentication agent such as
>+.Xr ssh-agent 1 ,
>+the connection to the agent is automatically forwarded to the remote side.
>+.Pp
>+When an agent is forwarded, any keys it holds will be available to
>+authenticate connections made from the remote host.
>+Care should therefore be taken to forward agents only to trusted hosts.
>+.Pp
>+When forwarding an agent to the remote side,
>+.Nm
>+first attempts to contact the agent identified by the
>+.Ev SSH_AUTH_SOCK_FORWARD
>+environment variable.
>+If this variable is not set, then
>+.Nm
>+will attempt to forward the agent's located at the default path
>+.Ev SSH_AUTH_SOCK .
>+This permits
>+.Nm
>+to optionally forward a different agent to the one used for authentication.
> .Sh VERIFYING HOST KEYS
> When connecting to a server for the first time,
> a fingerprint of the server's public key is presented to the user
>diff --git a/ssh.h b/ssh.h
>index d34454b..e92c8c6 100644
>--- a/ssh.h
>+++ b/ssh.h
>@@ -69,6 +69,12 @@
> */
> #define SSH_AUTHSOCKET_ENV_NAME "SSH_AUTH_SOCK"
>
>+/*
>+ * Name of the environment variable containing the pathname of the
>+ * authentication socket that is preferred for forwarding.
>+ */
>+#define SSH_AUTHSOCKET_FWD_ENV_NAME "SSH_AUTH_SOCK_FORWARD"
>+
> /*
> * Environment variable for overwriting the default location of askpass
> */