openssh bugs - Aug 2023 - [Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?

https://bugzilla.mindrot.org/show_bug.cgi?id=3597

            Bug ID: 3597
           Summary: Why do we check both nsession_ids and
                    remote_add_provider when judging whether allow remote
                    addition of FIDO/PKCS11 provider libraries is
                    disabled?
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Windows 10
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rmsh1216 at 163.com

Disallow remote addition of FIDO/PKCS11 provider libraries to ssh-agent
by default is introducted in the commit:
https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a

In my opinion, it is unnecessary for us to check the value of
nsession_ids, because nsession_ids is used to count the number of the
connections which are opened via "session-bind at openssh.com" agent
extension. 
```
if (e->nsession_ids != 0 && !remote_add_provider) {
        verbose("failed add of SK provider \"%.100s\": "
            "remote addition of providers is disabled",
            sk_provider);
        goto out;
}
```
Please tell me the reason.
Thanks a lot.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3597

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
remote_add_provider indicates whether the user has allowed remote
ssh-agent clients to add PKCS#11 providers.

e->nsession_ids>0 indicates that a session is actually remote. A local
session will have e->nsession_ids=0.

See process_ext_session_bind() in ssh-agent.c and the corresponding
authfd.c:ssh_agent_bind_hostkey() code that is called from ssh's
clientloop.c:client_request_agent().

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3597

--- Comment #2 from renmingshuai <rmsh1216 at 163.com> ---
(In reply to Damien Miller from comment #1)
> remote_add_provider indicates whether the user has allowed remote
> ssh-agent clients to add PKCS#11 providers.
> 
> e->nsession_ids>0 indicates that a session is actually remote. A
> local session will have e->nsession_ids=0.
> 
> See process_ext_session_bind() in ssh-agent.c and the corresponding
> authfd.c:ssh_agent_bind_hostkey() code that is called from ssh's
> clientloop.c:client_request_agent().
Thanks, I get it.
Besides, e->nsession_ids was introduced in openssh-8.9p1. For lower
version, before openssh-8.9p1, only checking the value of
remote_add_provider is stricter, although it may cause some problems
else.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3597

--- Comment #3 from Damien Miller <djm at mindrot.org>
---
> For lower version, before openssh-8.9p1, only checking the 
> value of remote_add_provider is stricter, although it may 
> cause some problems else.
That won't work. Older versions have no way of telling whether a socket
is local or remote, so testing remote_add_provider alone would simply
ban all PKCS#11 loading.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.