bugzilla-daemon at mindrot.org
2021-Feb-22  19:06 UTC
[Bug 3264] New: ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
            Bug ID: 3264
           Summary: ForwardAgent inactive socket with values not in (yes,
                    no)
           Product: Portable OpenSSH
           Version: 8.4p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: sev+ssh-bugs at sev.monster
I noticed after making a typo in my ssh_config that if one sets the
ForwardAgent option to a value other than yes or no, a socket is still
created on the destination, but that socket does not respond.
To test, I started `ssh-agent -d', set SSH_AUTH_SOCK, added a key, and
ran these commands:
    % ssh -o ForwardAgent=yrs 10.0.0.1 ssh-add -l
    % ssh -o ForwardAgent=yes 10.0.0.1 ssh-add -l
In both cases, the output is the same until the 'ssh-agent -l' command
is run:
    OpenSSH_8.4p1, OpenSSL 1.1.1i  8 Dec 2020
    ...
    debug1: Requesting authentication agent forwarding.
    ...
    debug1: Sending command: ssh-add -l
    debug1: client_input_channel_open: ctype auth-agent@openssh.com rchan 2 win 65536 max 16384
At this point, the output diverges. For ForwardAgent=yrs:
    debug1: client_request_agent: ssh_get_authentication_socket: No such file or directory
    debug1: failure auth-agent@openssh.com
    error fetching identities: communication with agent failed
It can be seen that ssh-agent is not outputting debug information
showing that it has received activity on the client machine's socket.
For the correct ForwardAgent=yes:
    debug1: channel 1: new [authentication agent connection]
    debug1: confirm auth-agent@openssh.com
    debug2: fd 4 setting O_NONBLOCK
    debug1: process_message: socket 1 (fd=4) type 11
    debug1: channel 1: FORCE input drain
    2048 SHA256:4c82f66aac74743b56154b7a06b6b91297ece749326 /home/user/.ssh/id_rsa (RSA)
    ...
I am using OpenSSH 8.4p1 compiled against musl on Alpine Linux, should
that make a difference. I do not believe there are any patches being
applied that would have anything to do with this bug.
Regards.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Feb-22  19:13 UTC
[Bug 3264] ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
Sev <sev+ssh-bugs at sev.monster> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |sev+ssh-bugs at sev.monster
bugzilla-daemon at mindrot.org
2021-Feb-23  00:06 UTC
[Bug 3264] ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |3217
                 CC|                            |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This behaviour is intentional as this option accepts arbitrary path
names as argument:
>  ForwardAgent
>     Specifies whether the connection to the authentication agent (if
>     any) will be forwarded to the remote machine.  The argument may
>     be yes, no (the default), an explicit path to an agent socket or
>     the name of an environment variable (beginning with '$') in which
>     to find the path.
Though perhaps ssh should warn in cases that the specified agent socket
does not exist.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3217
[Bug 3217] Tracking bug for 8.5 release
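An added example, not part of the thread and not OpenSSH code: a small Python lint that applies the ForwardAgent value rules quoted from ssh_config(5) in comment #1 to a config file and flags values that are neither a flag nor a usable agent socket, such as the `yrs` typo from the report. The function names, messages and sample config are constructed here; the unset-variable and is-a-socket checks are this lint's own policy, and Include and Match handling is left out.

```python
import os
import re
import stat

FLAG_WORDS = {"yes", "no", "true", "false"}  # anything else is a path or $VAR
# "ForwardAgent value" or "ForwardAgent=value"; keywords are case-insensitive.
LINE_RE = re.compile(r"^\s*forwardagent(?:\s*=\s*|\s+)(\S+)", re.IGNORECASE)

def classify_forward_agent(value, environ=None):
    """Return (kind, problem); problem is None when the value looks usable."""
    environ = os.environ if environ is None else environ
    if value.lower() in FLAG_WORDS:
        return "flag", None
    kind, path = "path", value
    if value.startswith("$"):
        kind, path = "env", environ.get(value[1:])
        if not path:
            return kind, f"environment variable {value} is not set"
    try:
        mode = os.stat(path).st_mode
    except OSError as exc:
        return kind, f"agent socket path {path!r}: {exc.strerror}"
    if not stat.S_ISSOCK(mode):  # this lint's own extra check
        return kind, f"agent socket path {path!r} is not a socket"
    return kind, None

def lint_config(text, environ=None):
    """Return [(line_number, value, problem)] for suspicious ForwardAgent lines."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = LINE_RE.match(line)
        if match:
            value = match.group(1).strip('"')
            _, problem = classify_forward_agent(value, environ)
            if problem:
                findings.append((lineno, value, problem))
    return findings

# Constructed sample config: line 2 carries the typo from the report.
SAMPLE_CONFIG = """\
Host typo
    ForwardAgent yrs
Host ok
    ForwardAgent yes
Host envvar
    ForwardAgent=$MISSING_AGENT_SOCK
"""

if __name__ == "__main__":
    for lineno, value, problem in lint_config(SAMPLE_CONFIG, environ={}):
        print(f"line {lineno}: ForwardAgent {value}: {problem}")
```

Relative paths are checked against the current directory, so run it from the directory ssh would be started in.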
bugzilla-daemon at mindrot.org
2021-Feb-23  00:07 UTC
[Bug 3264] ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
OpenSSH 8.5 will warn in this case:
[djm@tiresias ssh]$ ./ssh/obj/ssh -Snone -oForwardAgent=xxx hades
Cannot forward agent socket path "xxx": No such file or directory
bugzilla-daemon at mindrot.org
2021-Feb-23  00:27 UTC
[Bug 3264] ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
--- Comment #3 from Sev <sev+ssh-bugs at sev.monster> ---
> This behaviour is intentional as this option accepts arbitrary path
> names as argument
I was sure to read ssh_config(5) but somehow I completely skipped over
this usage. In hindsight the error and the man page make perfect sense.
> OpenSSH 8.5 will warn in this case
Given my situation, of course I agree that it's the right decision to
make it more obvious. Thanks.
bugzilla-daemon at mindrot.org
2021-Mar-03  22:52 UTC
[Bug 3264] ForwardAgent inactive socket with values not in (yes, no)
https://bugzilla.mindrot.org/show_bug.cgi?id=3264
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #4 from Damien Miller <djm at mindrot.org> ---
close bugs that were resolved in OpenSSH 8.5 release cycle