openssh bugs - Mar 2014 - [Bug 2216] New: allow forwarding a different socket than SSH_AUTH_SOCK

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

            Bug ID: 2216
           Summary: allow forwarding a different socket than SSH_AUTH_SOCK
           Product: Portable OpenSSH
           Version: 6.5p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: chrysn at fsfe.org

when a user has different ssh agents running, or is using
ssh-agent-filter[1], it is desirable to use one ssh agent for
authenticating against the remote server, but to forward another one.

ssh could have a `ForwardAgentSocket` option, which specifies a
different socket, and defaults to `${SSH_AUTH_SOCK}`. whether it's
feasible to evaluate variables in that option (so a user could put
`Host * / ForwardAgentSocket ${SSH_AUTH_SOCK_ONLYGITKEYS}` in a git
config) is up to the way the config file is handled. the option should
be accepted by `-o` too.

together with ssh-agent-filter, or by running separate agents for work
and linux, this would solve the bug #1937 without further workarounds.

[1] https://github.com/tiwe-de/ssh-agent-filter

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

--- Comment #1 from chrysn at fsfe.org ---
given that forwarding generic unix sockets is possible since 6.7, this
can *almost* be done by hand yet. what is missing is the possibility to
determine a writable location on the remote server (as $HOME can not be
expanded beforehand), and a way of setting that writable location as an
environment variable.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

daniel.black at au.ibm.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |daniel.black at au.ibm.com

--- Comment #2 from daniel.black at au.ibm.com ---
Does IdentityAgent support this requirement along with port forwarding
now?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

--- Comment #3 from chrysn at fsfe.org ---
Not as far as I can tell from the documentation. IdentityAgent still
does not allow a distinction between the agent that is used for
authentication and the agent that is forwarded.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

--- Comment #4 from Daniel Black <daniel at linux.vnet.ibm.com> ---
Apologies, missed that distinction.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

Jasper Wallace <jasper at arcolaenergy.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jasper at arcolaenergy.com
           See Also|                            |https://bugzilla.mindrot.or
                   |                            |g/show_bug.cgi?id=1937

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

Andr?s Korn <korn-mindrot.org at elan.rulez.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |korn-mindrot.org at elan.rulez
                   |                            |.org

--- Comment #5 from Andr?s Korn <korn-mindrot.org at elan.rulez.org> ---
*** Bug 3106 has been marked as a duplicate of this bug. ***

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
                 CC|                            |djm at mindrot.org
             Blocks|                            |3079
             Status|NEW                         |RESOLVED

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
This has been implemented and will be in the openssh-8.2 release:


commit 40be78f503277bd91c958fa25ea9ef918a2ffd3d
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Sat Dec 21 02:19:13 2019 +0000

    upstream: Allow forwarding a different agent socket to the path

    specified by $SSH_AUTH_SOCK, by extending the existing ForwardAgent
option to
    accepting an explicit path or the name of an environment variable
in addition
    to yes/no.

    Patch by Eric Chiang, manpage by me; ok markus@

    OpenBSD-Commit-ID: 98f2ed80bf34ea54d8b2ddd19ac14ebbf40e9265


Referenced Bugs:

https://bugzilla.mindrot.org/show_bug.cgi?id=3079
[Bug 3079] Tracking bug for 8.2 release
-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2216

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.