bugzilla-daemon at bugzilla.mindrot.org
2016-Oct-04 19:32 UTC
[Bug 2621] New: ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

            Bug ID: 2621
           Summary: ControlMaster started by scp (non-ssh?) doesn't forward agent
           Product: Portable OpenSSH
           Version: 7.3p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: steffen at sdaoden.eu

  ?0[steffen at wales ]$ scp ... ... ...
  ?0[steffen at wales ]$ ssh ... ...
  * [steffen at ...]$ ssh-add -l
  Could not open a connection to your authentication agent.
  * [steffen at ...]$ logout
  Shared connection to ... closed.
  ?0[steffen at wales ]$ ll /tmp/.ssh_...-steffen
  srw------- 1 steffen steffen 0 Sep 28 20:57 /tmp/.ssh_...-steffen
  ?0[steffen at wales ]$ date
  Wed Sep 28 20:57:59 CEST 2016

This is OpenSSH_7.3p1 on client and OpenSSH_7.2p2-hpn14v4 on server, and the configuration includes "ControlMaster auto" and "ForwardAgent yes".

This could be related to "Allow agent forwarding in sftp & scp"[1].

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=831

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-15 14:03 UTC
[Bug 2621] ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

Matthijs Kooijman <matthijs at stdin.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |matthijs at stdin.nl

--- Comment #1 from Matthijs Kooijman <matthijs at stdin.nl> ---
This seems a more general problem: Agent forwarding seems only to happen when starting a new ControlMaster. If ssh re-uses an existing ControlMaster, the -A option seems to be (silently!) ignored:

Passing -A to the master works:

  matthijs at grubby:~$ ssh tika-login -o ControlMaster=yes -o ControlPath=/tmp/foo -A
  matthijs at login:~$ echo $SSH_AUTH_SOCK
  /tmp/ssh-Kmwf42CH18/agent.3830
  matthijs at login:~$ logout
  Connection to tikatika.nl closed.

But passing -A to a "slave" ssh does not:

  matthijs at grubby:~$ ssh tika-login -o ControlMaster=yes -o ControlPath=/tmp/foo

And in another terminal:

  matthijs at grubby:~$ ssh -o ControlPath=/tmp/foo tika-login -A
  matthijs at login:~$ echo $SSH_AUTH_SOCK

  matthijs at login:~$

I can imagine there's a technical reason to not support this, but then at least it should be documented and passing -A should show an error or warning (possibly depending on ExitOnForwardFailure).
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-15 14:06 UTC
[Bug 2621] Agent forwarding does not work on ControlMaster slave connections silently ignore agent forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

Matthijs Kooijman <matthijs at stdin.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|ControlMaster started by    |Agent forwarding does not
                   |scp (non-ssh?) doesn't      |work on ControlMaster slave
                   |forward agent               |connections silently ignore
                   |                            |agent forwarding
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-15 14:06 UTC
[Bug 2621] ControlMaster slave connections silently ignore agent forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

Matthijs Kooijman <matthijs at stdin.nl> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Agent forwarding does not   |ControlMaster slave
                   |work on ControlMaster slave |connections silently ignore
                   |connections silently ignore |agent forwarding
                   |agent forwarding            |
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-15 14:36 UTC
[Bug 2621] ControlMaster slave connections silently ignore agent forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

--- Comment #2 from Matthijs Kooijman <matthijs at stdin.nl> ---
I originally tested on 7.4p1 from Debian Stretch, and I just tested 7.5p1 from Debian Sid, which shows the same behaviour.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-17 00:41 UTC
[Bug 2621] ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org
            Summary|ControlMaster slave         |ControlMaster started by
                   |connections silently ignore |scp (non-ssh?) doesn't
                   |agent forwarding            |forward agent
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-17 00:42 UTC
[Bug 2621] ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
Agent forwarding is always inherited from the multiplexing master process. This is documented in sshd_config:

> X11 and ssh-agent(1) forwarding is supported over these multiplexed
> connections, however the display and agent forwarded will be the one
> belonging to the master connection i.e. it is not possible to forward
> multiple displays or agents.

Putting the original bug title back, because this bug is specific to scp/sftp's explicit deactivation-by-default of agent forwarding.
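The inheritance rule from comment #3, as an added sketch (not OpenSSH code and not part of the bug thread): a shell function that reads `ssh -G <host>` output and reports whether a requested agent forwarding would be decided by this invocation or by an already running master. The function names, verdict strings and sample configuration are assumptions made for illustration; the caller is assumed to test the ControlPath socket itself.

```shell
#!/bin/sh
# Added example. Reads `ssh -G <host>` output (lower-case "key value"
# lines) on stdin and prints who decides agent forwarding:
#   not-requested          ForwardAgent is off for this invocation
#   own-connection         ssh opens its own connection; its setting applies
#   inherited-from-master  ssh attaches to an existing master; -A here has
#                          no effect, the master's setting applies
# $1 = "present" if the ControlPath socket already exists (the caller
#      checks this, e.g. with [ -S "$path" ]); anything else otherwise.
agent_fwd_source() {
    socket_state=$1
    fwd=no master=no path=none
    while read -r key value; do
        case $key in
            forwardagent)  fwd=$value ;;
            controlmaster) master=$value ;;
            controlpath)   path=$value ;;
        esac
    done
    # ssh -G may print flags as yes/no or true/false; accept both.
    case $fwd in
        no|false) echo "not-requested"; return 0 ;;
    esac
    # ControlMaster yes/ask does not attach to an existing master as a client.
    case $master in
        yes|true|ask) echo "own-connection"; return 0 ;;
    esac
    if [ "$path" != none ] && [ "$socket_state" = present ]; then
        echo "inherited-from-master"
    else
        echo "own-connection"
    fi
}

# Constructed sample: the setup from the original report
# ("ControlMaster auto" plus "ForwardAgent yes"); the socket path is the
# one used in comment #1.
sample_config() {
    printf '%s\n' \
        'hostname tika-login' \
        'forwardagent yes' \
        'controlmaster auto' \
        'controlpath /tmp/foo'
}

sample_config | agent_fwd_source present
```

When the verdict is `inherited-from-master` and the master was started by scp, the session ends up without an agent, which is the situation shown in the original report.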
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-17 08:27 UTC
[Bug 2621] ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

--- Comment #4 from Matthijs Kooijman <matthijs at stdin.nl> ---
Ah, thanks for clarifying, I must have missed that part in the manpage.

I've created a new bug for showing a warning when this happens, which does still seem like a valid, but indeed separate issue to me: https://bugzilla.mindrot.org/show_bug.cgi?id=2780
bugzilla-daemon at mindrot.org
2021-Sep-08 02:37 UTC
[Bug 2621] ControlMaster started by scp (non-ssh?) doesn't forward agent
https://bugzilla.mindrot.org/show_bug.cgi?id=2621

Hamish Moffatt <hamish-openssh at moffatt.email> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |hamish-openssh at moffatt.email

--- Comment #5 from Hamish Moffatt <hamish-openssh at moffatt.email> ---
I see in scp.c that -oForwardAgent=no is added to the command line arguments internally to disable forwarding, but can be overridden.

Would it be helpful to also add -oControlMaster=no so that scp does not end up creating the control master with agent forwarding disabled?

Alternatively it would be useful if the config file could match against scp/sftp so that ControlMaster=no could be set for that case.