bugzilla-daemon at bugzilla.mindrot.org
2009-Jun-20 23:41 UTC
[Bug 1612] New: ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

           Summary: ssh-add should not discard constraints if the agent fails to implement them
           Product: Portable OpenSSH
           Version: 5.2p1
          Platform: Other
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh-add
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dkg at fifthhorseman.net

Created an attachment (id=1652) --> (http://bugzilla.mindrot.org/attachment.cgi?id=1652)
ssh-add should not retry key addition without constraints if constraints fail.

When ssh-add tries to add a key to the agent with constraints, and the agent rejects the addition, ssh-add appears to retry the addition without constraints. This is dangerous behavior when the agent does not support certain constraints.

For example, if a user uses an agent (such as the current ssh-agent implementation in gnome-keyring) that does not support confirmation or maximum lifetime, then using:

  ssh-add -t 3600

will print an error message but then proceed to re-add the key without the constrained lifetime. This causes the agent to retain the key far past the specified time, an explicit contravention of the user's declared intent.

I expect more conservative behavior from openssh when handling sensitive material. Discarding the constraint and retrying should be a choice left to the user, not taken automatically by ssh-add.

The attached patch should fix this behavior.

--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 02:09 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
             Blocks|                            |1626
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-27 00:24 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
   Attachment #1652|0                           |1
        is obsolete|                            |

--- Comment #1 from Damien Miller <djm at mindrot.org> 2009-08-27 10:24:56 EST ---
Created an attachment (id=1674)
Revised patch

With your patch, we can garbage collect ssh_add_identity() since nothing calls it anymore.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-27 17:45 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-08-28 03:45:08 EST ---
Patch applied, this will be in openssh-5.4
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:02 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-10-06 15:02:22 EST ---
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 19:55 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

--- Comment #4 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2009-10-07 06:55:57 EST ---
Sorry, but the patch doesn't seem to be present in the 5.3p1 tarball, and it also does not appear to be applied to the head of CVS (where I'd expect it to be for 5.4, which is not yet out).

I'm probably misunderstanding some piece of the workflow, but this doesn't look resolved to me.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 21:18 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

Darren Tucker <dtucker at zip.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at zip.com.au

--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2009-10-07 08:18:42 EST ---
It's been committed to OpenBSD but not yet synced to portable (we weren't syncing HEAD while we were working on the 5.3p1 release). Now that 5.3 is out we'll start pulling the changes in again.

See for example: http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfd.c
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:51 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612

--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:51:09 EST ---
With the release of 5.4p1, this bug is now considered closed.