bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-11 18:57 UTC
[Bug 1936] New: -A command not available from ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1936
Bug #: 1936
Summary: -A command not available from ~C
Classification: Unclassified
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: enhancement
Priority: P2
Component: ssh
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: mindrot2 at misc.lka.org.lu
In an active ssh session, it is possible to escape to an internal
command processor using ~C.
This may be used (mainly) to set up port forwarding.
However, it would be useful if it were also possible to switch on (or
off) agent forwarding this way.
Indeed, for security reasons, many users prefer not to allow agent
forwarding most of the time, but may occasionally see a need to ssh
from the current server to another server during the session using
agent forwarding. Right now they have to open a new session to do so.
--
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-11 23:16 UTC
[Bug 1936] -A command not available from ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1936
--- Comment #1 from Darren Tucker <dtucker at zip.com.au> 2011-09-12
09:16:49 EST ---
Created attachment 2082
--> https://bugzilla.mindrot.org/attachment.cgi?id=2082
Allow agent forwarding to be toggled off
I actually implemented this a long time ago as a toggle rather than the
command line processor. The downside is that you'll get an error
message from the remote end if you use it and then attempt to use agent
forwarding:
Error reading response length from authentication socket.
Note that you can't toggle it on if it was not enabled at connection
establishment since the server needs to set the SSH_AUTH_SOCK
environment variable and have it propagate to the shell, which it can't
do after the shell has started.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-11 23:34 UTC
[Bug 1936] -A command not available from ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1936
Darren Tucker <dtucker at zip.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at zip.com.au
--- Comment #2 from Darren Tucker <dtucker at zip.com.au> 2011-09-12
09:34:00 EST ---
Actually, we could probably fix the error message by implementing just
enough of the agent protocol to say "nope, no identities here, move
along!".
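The stub reply described in Comment #2, sketched as an added example that is not part of the bug thread or of OpenSSH's code: it parses one framed agent request and answers an identity listing with zero keys and everything else with a failure. The message numbers are those of the ssh-agent protocol; the function name empty_agent_reply and the MAX_AGENT_MSG cap are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Message numbers from the ssh-agent protocol (see OpenSSH authfd.h). */
#define SSH_AGENT_FAILURE              5
#define SSH2_AGENTC_REQUEST_IDENTITIES 11
#define SSH2_AGENT_IDENTITIES_ANSWER   12
#define MAX_AGENT_MSG (256 * 1024) /* assumed sanity cap on frame length */

static uint32_t get_u32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_u32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)(v >> 24); p[1] = (uint8_t)(v >> 16);
    p[2] = (uint8_t)(v >> 8);  p[3] = (uint8_t)v;
}

/*
 * Hypothetical helper: consume one framed request (uint32 length, type
 * byte, payload) from buf and write the reply of an agent holding no keys.
 * Returns the reply length, 0 if the frame is still incomplete, or -1 if
 * the frame is malformed or out is too small. *used = bytes consumed.
 */
int empty_agent_reply(const uint8_t *buf, size_t len, size_t *used,
                      uint8_t *out, size_t cap) {
    uint32_t body;

    if (len < 4)
        return 0;                 /* length prefix not fully read yet */
    body = get_u32(buf);
    if (body == 0 || body > MAX_AGENT_MSG)
        return -1;                /* no type byte, or absurd length */
    if (len - 4 < body)
        return 0;                 /* wait for the rest of the frame */
    *used = 4 + (size_t)body;
    if (buf[4] == SSH2_AGENTC_REQUEST_IDENTITIES) {
        if (cap < 9)
            return -1;
        put_u32(out, 5);          /* type byte + uint32 key count */
        out[4] = SSH2_AGENT_IDENTITIES_ANSWER;
        put_u32(out + 5, 0);      /* "no identities here" */
        return 9;
    }
    if (cap < 5)
        return -1;
    put_u32(out, 1);              /* sign requests and the rest: refuse */
    out[4] = SSH_AGENT_FAILURE;
    return 5;
}
```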
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 00:28 UTC
[Bug 1936] -A command not available from ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1936
--- Comment #3 from Darren Tucker <dtucker at zip.com.au> 2011-09-12
10:28:23 EST ---
The other thing you can do is load the key with ssh-add -c to require
confirmation at the time of use.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-12 08:49 UTC
[Bug 1936] -A command not available from ~C
https://bugzilla.mindrot.org/show_bug.cgi?id=1936
--- Comment #4 from Alain Knaff <mindrot2 at misc.lka.org.lu> 2011-09-12
18:49:18 EST ---
This would be rather inconvenient if the command needing access to the
key was something like:
for arch in i386 x86_64 arm powerpc; do
  scp huge_source_tree.tar.gz $arch.linux.org:
done
You'd get a confirmation request for each machine.
With a toggle switch, you'd give access before the loop, and remove
access after.