bugzilla-daemon at bugzilla.mindrot.org
2009-Jun-20 23:41 UTC
[Bug 1612] New: ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Summary: ssh-add should not discard constraints if the agent fails to implement them
Product: Portable OpenSSH
Version: 5.2p1
Platform: Other
OS/Version: Linux
Status: NEW
Severity: normal
Priority: P2
Component: ssh-add
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: dkg at fifthhorseman.net
Created an attachment (id=1652)
--> (http://bugzilla.mindrot.org/attachment.cgi?id=1652)
ssh-add should not retry key addition without constraints if
constraints fail.
When ssh-add tries to add a key to the agent with constraints, and the
agent rejects the addition, ssh-add appears to retry the addition
without constraints.
This is dangerous behavior when the agent does not support certain
constraints. For example, if a user uses an agent (such as the current
ssh-agent implementation in gnome-keyring) that does not support
confirmation or maximum lifetime, then using:
ssh-add -t 3600
will print an error message but then proceed to re-add the key without
the constrained lifetime. This causes the agent to retain the key far
past the specified time, an explicit contravention of the user's
declared intent.
I expect more conservative behavior from openssh when handling
sensitive material. Discarding the constraint and retrying should be a
choice left to the user, not taken automatically by ssh-add.
The attached patch should fix this behavior.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
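The exchange the report describes, as an added example that is not part of the original report or of OpenSSH's code: a client sends an "add identity with constraints" request to an agent that does not implement constraints, and the two client functions show the retry-without-constraints behaviour the reporter objects to beside the fail-and-stop behaviour the patch introduces. The key blob and the MockAgent are constructed stand-ins (the mock simplifies the key to a single SSH string so it can split key from constraints); the message numbers and framing follow the SSH agent protocol as published in OpenSSH's authfd.h and draft-miller-ssh-agent.

```python
"""Added example (not OpenSSH code): one SSH agent "add identity" exchange in
each of the two behaviours the bug report contrasts. The key blob and the
agent are constructed stand-ins; only the message numbers and framing follow
the agent protocol (authfd.h / draft-miller-ssh-agent)."""
import struct
from typing import Dict, Optional

SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH2_AGENTC_ADD_IDENTITY = 17
SSH2_AGENTC_ADD_ID_CONSTRAINED = 25
SSH_AGENT_CONSTRAIN_LIFETIME = 1
SSH_AGENT_CONSTRAIN_CONFIRM = 2


def ssh_string(data: bytes) -> bytes:
    """SSH 'string' encoding: uint32 length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def frame(msg_type: int, body: bytes) -> bytes:
    """Agent protocol message: uint32 length, then type byte, then body."""
    return ssh_string(bytes([msg_type]) + body)


def encode_constraints(lifetime: Optional[int], confirm: bool) -> bytes:
    """Constraint block appended to an ADD_ID_CONSTRAINED request body."""
    out = b""
    if lifetime is not None:
        out += bytes([SSH_AGENT_CONSTRAIN_LIFETIME]) + struct.pack(">I", lifetime)
    if confirm:
        out += bytes([SSH_AGENT_CONSTRAIN_CONFIRM])
    return out


class MockAgent:
    """Constructed agent. With supports_constraints=False it behaves like the
    gnome-keyring agent in the report: plain adds succeed, constrained adds
    are refused with SSH_AGENT_FAILURE. Keys are simplified to one SSH string
    so the mock can split the key from the trailing constraints."""

    def __init__(self, supports_constraints: bool) -> None:
        self.supports_constraints = supports_constraints
        self.keys: Dict[bytes, bytes] = {}  # key blob -> stored constraint bytes

    def request(self, msg: bytes) -> bytes:
        (length,) = struct.unpack(">I", msg[:4])
        payload = msg[4:4 + length]
        msg_type, body = payload[0], payload[1:]
        if msg_type == SSH2_AGENTC_ADD_IDENTITY:
            self.keys[body] = b""  # resident with no constraints at all
            return frame(SSH_AGENT_SUCCESS, b"")
        if msg_type == SSH2_AGENTC_ADD_ID_CONSTRAINED and self.supports_constraints:
            (klen,) = struct.unpack(">I", body[:4])
            key, constraints = body[:4 + klen], body[4 + klen:]
            self.keys[key] = constraints
            return frame(SSH_AGENT_SUCCESS, b"")
        return frame(SSH_AGENT_FAILURE, b"")


def response_ok(resp: bytes) -> bool:
    """Byte 4 of a framed reply is the message type."""
    return resp[4] == SSH_AGENT_SUCCESS


def add_key_fallback(agent, key_blob, lifetime=None, confirm=False) -> bool:
    """Behaviour the report objects to: when the constrained add is refused,
    retry as a plain add, so the key ends up resident with no lifetime."""
    if lifetime is not None or confirm:
        body = key_blob + encode_constraints(lifetime, confirm)
        if response_ok(agent.request(frame(SSH2_AGENTC_ADD_ID_CONSTRAINED, body))):
            return True
    return response_ok(agent.request(frame(SSH2_AGENTC_ADD_IDENTITY, key_blob)))


def add_key_strict(agent, key_blob, lifetime=None, confirm=False) -> bool:
    """Behaviour the report asks for: exactly one request; a refusal is an
    error, and dropping the constraints is left to the user."""
    if lifetime is not None or confirm:
        msg = frame(SSH2_AGENTC_ADD_ID_CONSTRAINED, key_blob + encode_constraints(lifetime, confirm))
    else:
        msg = frame(SSH2_AGENTC_ADD_IDENTITY, key_blob)
    return response_ok(agent.request(msg))


KEY_BLOB = ssh_string(b"constructed-key-blob")  # placeholder, not a real key


def demo(lifetime: int = 3600) -> dict:
    """Equivalent of `ssh-add -t <lifetime>` both ways, against an agent
    that does not implement constraints."""
    fb_agent = MockAgent(supports_constraints=False)
    fb_ok = add_key_fallback(fb_agent, KEY_BLOB, lifetime=lifetime)
    st_agent = MockAgent(supports_constraints=False)
    st_ok = add_key_strict(st_agent, KEY_BLOB, lifetime=lifetime)
    return {
        "fallback_reported_success": fb_ok,
        "fallback_key_resident_without_lifetime": fb_agent.keys.get(KEY_BLOB) == b"",
        "strict_reported_success": st_ok,
        "strict_key_resident": KEY_BLOB in st_agent.keys,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The fallback path reports success to the user while the agent holds the key with no lifetime, which is exactly the mismatch between declared intent and actual state the report describes; the strict path returns a failure and leaves nothing resident, so the user decides whether to re-run without `-t`.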
bugzilla-daemon at bugzilla.mindrot.org
2009-Jul-31 02:09 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
Blocks| |1626
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-27 00:24 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #1652 is obsolete|0 |1
--- Comment #1 from Damien Miller <djm at mindrot.org> 2009-08-27 10:24:56 EST ---
Created an attachment (id=1674)
Revised patch
With your patch, we can garbage collect ssh_add_identity() since
nothing calls it anymore.
bugzilla-daemon at bugzilla.mindrot.org
2009-Aug-27 17:45 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |FIXED
--- Comment #2 from Damien Miller <djm at mindrot.org> 2009-08-28 03:45:08 EST ---
Patch applied, this will be in openssh-5.4
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 04:02 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #3 from Damien Miller <djm at mindrot.org> 2009-10-06 15:02:22 EST ---
Mass move of RESOLVED bugs to CLOSED now that 5.3 is out.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 19:55 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
--- Comment #4 from Daniel Kahn Gillmor <dkg at fifthhorseman.net> 2009-10-07 06:55:57 EST ---
Sorry, but the patch doesn't seem to be present in the 5.3p1 tarball, and
it also does not appear to be applied to the head of CVS (where I'd expect
it to be for 5.4, which is not yet out). I'm probably misunderstanding some
piece of the workflow, but this doesn't look resolved to me.
bugzilla-daemon at bugzilla.mindrot.org
2009-Oct-06 21:18 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #5 from Darren Tucker <dtucker at zip.com.au> 2009-10-07 08:18:42 EST ---
It's been committed to OpenBSD but not yet synced to portable (we
weren't syncing HEAD while we were working on the 5.3p1 release). Now
that 5.3 is out we'll start pulling the changes in again.
See for example:
http://www.openbsd.org/cgi-bin/cvsweb/src/usr.bin/ssh/authfd.c
bugzilla-daemon at bugzilla.mindrot.org
2010-Mar-25 23:51 UTC
[Bug 1612] ssh-add should not discard constraints if the agent fails to implement them
https://bugzilla.mindrot.org/show_bug.cgi?id=1612
--- Comment #6 from Darren Tucker <dtucker at zip.com.au> 2010-03-26 10:51:09 EST ---
With the release of 5.4p1, this bug is now considered closed.