When ssh authenticates to a server using ssh-agent, it seems to open a single socket to talk to the agent, and cache it so that it can keep using the same socket for all agent requests needed during the userauth phase. At the end of the userauth phase, it doesn't close that socket. So the ssh client program continues to have a connection open to the authentication agent for the entire lifetime of the SSH session, even if that session is not doing agent forwarding.

I can't think of any reason why that agent connection is still useful after userauth finishes, and leaving it open is mildly inconvenient in the following scenario (which is how I noticed it):

* ssh from host A to host B, with agent forwarding
* on host B, run tmux or GNU screen
* inside the screen, ssh from host B to host C (without agent forwarding), authenticating via the agent forwarded from A
* detach the tmux session from the terminal and attempt to log out of host B, leaving the ssh from B to C still running inside tmux

In this situation, the ssh client on A does not terminate when the "session" channel closes, because there's still another channel open, namely the connection to ssh-agent on A forwarded from the ssh client running on B. If ssh on B had closed its agent connection once the userauth phase had finished, this would all work fine.

But aside from the mild inconvenience, is it possible that this might also be (slightly) relevant to security? It's not a vulnerability in its own right, but if an attacker *were* to subvert the SSH client through the connection protocol in some way, it would be better if it wasn't holding an unnecessary high-value resource such as a trusted socket to a signing agent. Closing such a socket once it's no longer needed seems to me like another application of the same principle of safety as dropping privilege on the server side.
(Observed on ssh 7.4p1 on Debian, 7.6p1 on Ubuntu 18.04, and commit a46ac4d86 in the repository at https://github.com/openssh/openssh-portable.)
Created attachment 3189: close agent socket after authentication

It's supposed to close the agent socket, but it wasn't happening because of a bug. Here's a fix.
Comment on attachment 3189: close agent socket after authentication

The problem here is that pubkey_prepare() was setting authctxt.agent_fd, but it was then being clobbered by the subsequent authctxt preparation in ssh_userauth2(). The fix moves the pubkey_prepare() call down to after the preparation of authctxt is complete and also adds some cleanup of agent_fd after it is closed.
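The ordering bug described in the comment above, as a constructed C model that is not OpenSSH's code: it assumes the authctxt preparation zeroes the struct and sets agent_fd to -1 (the names authctxt, agent_fd, pubkey_prepare and ssh_userauth2 are borrowed from the comment; the struct layout and helper names are assumptions). Calling the model of pubkey_prepare() before the model of the authctxt initialisation loses the descriptor, so the post-userauth cleanup never closes it and the agent socket stays open for the life of the session.

```c
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>

/* Constructed stand-in for OpenSSH's authctxt: only the two fields the bug needs. */
struct authctxt {
    const char *server_user;   /* stands in for the fields ssh_userauth2() fills in */
    int agent_fd;              /* descriptor to the authentication agent, -1 if none */
};

/* Model of pubkey_prepare(): connect to the agent and remember the descriptor. */
static void pubkey_prepare(struct authctxt *a, int agent_socket_fd) {
    a->agent_fd = agent_socket_fd;
}

/* Model of the authctxt preparation in ssh_userauth2() (assumed to zero the struct). */
static void authctxt_init(struct authctxt *a, const char *user) {
    memset(a, 0, sizeof(*a));
    a->server_user = user;
    a->agent_fd = -1;          /* "no agent" marker; this is what clobbers the real fd */
}

/* Cleanup run once userauth has finished, as the fix adds it. */
static void authctxt_cleanup(struct authctxt *a) {
    if (a->agent_fd != -1) {
        close(a->agent_fd);
        a->agent_fd = -1;      /* reset so nothing later reuses a closed descriptor */
    }
}

/* 1 if fd is still open (i.e. leaked past userauth), 0 if it has been closed. */
int fd_is_open(int fd) {
    return fcntl(fd, F_GETFD) != -1;
}

/* Run the two steps in the buggy order (prepare, then init) or the fixed order
 * (init, then prepare). Returns 1 if the agent descriptor survives cleanup. */
int agent_fd_leaks(int fixed_order) {
    struct authctxt a;
    int sock = open("/dev/null", O_RDONLY);   /* constructed stand-in for the agent socket */
    if (sock < 0) return -1;
    if (fixed_order) { authctxt_init(&a, "alice"); pubkey_prepare(&a, sock); }
    else             { pubkey_prepare(&a, sock); authctxt_init(&a, "alice"); }
    authctxt_cleanup(&a);
    int leaked = fd_is_open(sock);
    if (leaked) close(sock);                  /* tidy up so the demo itself does not leak */
    return leaked;
}

int main(void) {
    printf("buggy order leaks agent fd: %d\n", agent_fd_leaks(0));   /* prints 1 */
    printf("fixed order leaks agent fd: %d\n", agent_fd_leaks(1));   /* prints 0 */
    return 0;
}
```

The same check (is the descriptor still valid after the phase that should have released it?) is what a reviewer would reach for whenever a struct is re-initialised after one of its fields has already been populated.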
Fix is committed and will be in openssh-8.0. Thanks!
Closing all resolved bugs with release of openssh-8.2