I noticed after making a typo in my ssh_config that if one sets the ForwardAgent option to a value other than yes or no, a socket is still created on the destination, but that socket does not respond.

To test, I started `ssh-agent -d', set SSH_AUTH_SOCK, added a key, and ran these commands:

    % ssh -o ForwardAgent=yrs 10.0.0.1 ssh-add -l
    % ssh -o ForwardAgent=yes 10.0.0.1 ssh-add -l

In both cases, the output is the same until the 'ssh-agent -l' command is run:

    OpenSSH_8.4p1, OpenSSL 1.1.1i 8 Dec 2020
    ...
    debug1: Requesting authentication agent forwarding.
    ...
    debug1: Sending command: ssh-add -l
    debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384

At this point, the output diverges. For ForwardAgent=yrs:

    debug1: client_request_agent: ssh_get_authentication_socket: No such file or directory
    debug1: failure auth-agent@openssh.com
    error fetching identities: communication with agent failed

It can be seen that ssh-agent is not outputting debug information showing that it has received activity on the client machine's socket.

For the correct ForwardAgent=yes:

    debug1: channel 1: new [authentication agent connection]
    debug1: confirm auth-agent@openssh.com
    debug2: fd 4 setting O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 11
    debug1: channel 1: FORCE input drain
    2048 SHA256:4c82f66aac74743b56154b7a06b6b91297ece749326 /home/user/.ssh/id_rsa (RSA)
    ...

I am using OpenSSH 8.4p1 compiled against musl on Alpine Linux, should that make a difference. I do not believe there are any patches being applied that would have anything to do with this bug.

Regards.

This behaviour is intentional as this option accepts arbitrary path names as argument:

> ForwardAgent
>     Specifies whether the connection to the authentication agent (if
>     any) will be forwarded to the remote machine. The argument may
>     be yes, no (the default), an explicit path to an agent socket or
>     the name of an environment variable (beginning with ‘$’) in which
>     to find the path.

Though perhaps ssh should warn in cases that the specified agent socket does not exist.

OpenSSH 8.5 will warn in this case:

    [djm@tiresias ssh]$ ./ssh/obj/ssh -Snone -oForwardAgent=xxx hades
    Cannot forward agent socket path "xxx": No such file or directory

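
On clients that predate this warning, a config can be checked before connecting. The following is an added example, not part of the original thread or of OpenSSH: a small Python linter that flags ForwardAgent values which are neither a flag word nor an existing socket. The function names, the sample config, the simplified line matching and the treatment of true/false as flag words are assumptions.

```python
import os
import re
import stat

# Assumption: ssh matches these flag words case-insensitively; anything else is a path or $VAR.
FLAG_WORDS = {"yes", "no", "true", "false"}
LINE_RE = re.compile(r'^\s*ForwardAgent(?:\s*=\s*|\s+)"?([^"#\s]+)"?', re.IGNORECASE)

def check(value, env=None):
    """Return None if the ForwardAgent argument is usable, else a description of the problem."""
    env = os.environ if env is None else env
    if value.lower() in FLAG_WORDS:
        return None
    path = value
    if value.startswith("$"):  # name of an environment variable holding the socket path
        path = env.get(value[1:])
        if not path:
            return f"environment variable {value} is not set"
    try:
        if not stat.S_ISSOCK(os.stat(path).st_mode):
            return f"{path!r} exists but is not a socket"
    except OSError as exc:  # a typo such as "yrs" lands here: treated as a path that is missing
        return f"{path!r}: {exc.strerror}"
    return None

def lint(config_text, env=None):
    """Return (line_number, value, problem) for every suspicious ForwardAgent line."""
    findings = []
    for number, line in enumerate(config_text.splitlines(), 1):
        match = LINE_RE.match(line)
        problem = check(match.group(1), env) if match else None
        if problem:
            findings.append((number, match.group(1), problem))
    return findings

# Constructed sample config, not taken from the thread.
SAMPLE = """\
Host a
    ForwardAgent yes
Host b
    ForwardAgent yrs
Host c
    ForwardAgent $NO_SUCH_AGENT_VAR
Host d
    forwardagent=No
"""

if __name__ == "__main__":
    for number, value, problem in lint(SAMPLE, env={}):
        print(f"line {number}: ForwardAgent {value}: {problem}")
```

Relative paths are checked against the current working directory, so run it from the directory where ssh would be started.
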
> This behaviour is intentional as this option accepts arbitrary path
> names as argument

I was sure to read ssh_config(5) but somehow I completely skipped over this usage. In hindsight the error and the man page make perfect sense.

> OpenSSH 8.5 will warn in this case

Given my situation, of course I agree that it's the right decision to make it more obvious.

Thanks.

close bugs that were resolved in OpenSSH 8.5 release cycle