bugzilla-daemon at mindrot.org
2024-Nov-27 10:51 UTC
[Bug 3758] New: ssh-agent: standard "query" extension not supported
https://bugzilla.mindrot.org/show_bug.cgi?id=3758

            Bug ID: 3758
           Summary: ssh-agent: standard "query" extension not supported
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m at the13thletter.info

The SSH agent spec draft-ietf-sshm-ssh-agent defines an extension mechanism to "[allow] vendor-specific and experimental messages to be sent via the agent protocol". ssh-agent itself offers a message of type "session-bind@openssh.com", however it does not support the standard "query" extension from Section 3.8.1 of the spec. (Issuing a "query" SSH_AGENTC_EXTENSION call to the agent results in an SSH_AGENT_FAILURE. This is the case in 9.9p1, and appears to have been the case ever since introduction of "session-bind@openssh.com" in 8.9p1.)

This leads to the unfortunate situation that one cannot discover support of the "session-bind@openssh.com" extension straightforwardly by querying the agent, only by more roundabout means such as issuing the message and observing the success or failure of the call, or inferring support for "session-bind@openssh.com" from the lack of support for the "query" message.

My use case: connecting to a running SSH agent -- in a non-SSH context and with a third-party tool -- and checking whether it is OpenSSH's ssh-agent, or PuTTY's Pageant, via the reported list of supported extensions. This is used to infer whether the agent supports RFC 6979 (Pageant) or not (OpenSSH). Querying the supported extensions seems to me to be the "most correct" way.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2024-Nov-27 10:56 UTC
[Bug 3758] ssh-agent: standard "query" extension not supported
https://bugzilla.mindrot.org/show_bug.cgi?id=3758

--- Comment #1 from Marco Ricci <m at the13thletter.info> ---
As an aside: PROTOCOL.agent in the source tree still refers to draft-miller-ssh-agent instead of draft-ietf-sshm-ssh-agent.
bugzilla-daemon at mindrot.org
2024-Nov-27 13:29 UTC
[Bug 3758] ssh-agent: standard "query" extension not supported
https://bugzilla.mindrot.org/show_bug.cgi?id=3758

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                        |Added
----------------------------------------------------------------------------
             Status|NEW                            |ASSIGNED
                 CC|                               |djm at mindrot.org
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3844
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3844&action=edit
Implement query extension

The query extension hasn't been implemented because I've received basically no feedback on this section of the draft.

Here's an implementation. I'll hold off on committing it until I'm more sure that it's not likely to change through the rest of the IETF process.

BTW, I just fixed the link in PROTOCOL.agent - thanks for reminding me.
bugzilla-daemon at mindrot.org
2024-Nov-27 13:31 UTC
[Bug 3758] ssh-agent: standard "query" extension not supported
https://bugzilla.mindrot.org/show_bug.cgi?id=3758

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
BTW, the extension mechanism generally and session-bind in particular are designed to degrade gracefully. I.e. it should be fine to issue a session-bind request without probing the agent first; indeed this is what OpenSSH's ssh client does unconditionally when opening an agent socket for authentication or forwarding.
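The "query" probe discussed in this thread, as an added example that is not taken from the bug report, the attached patch or OpenSSH: it frames the SSH_AGENTC_EXTENSION request and parses an agent reply defensively, treating failure as "not supported". The message numbers and both reply layouts are assumptions drawn from the agent draft rather than from this page, and the function names are hypothetical.

```python
import struct

# Numbers assumed from the agent draft; the page gives only the names.
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28
SSH_AGENT_EXTENSION_RESPONSE = 29


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length, then the bytes."""
    return struct.pack(">I", len(data)) + data


def build_query_request() -> bytes:
    """Frame an SSH_AGENTC_EXTENSION request for the "query" extension."""
    body = bytes([SSH_AGENTC_EXTENSION]) + ssh_string(b"query")
    return struct.pack(">I", len(body)) + body


def read_strings(buf: bytes) -> list[str]:
    """Decode back-to-back SSH strings, rejecting truncated input."""
    out, pos = [], 0
    while pos < len(buf):
        if len(buf) - pos < 4:
            raise ValueError("truncated string length")
        (n,) = struct.unpack_from(">I", buf, pos)
        pos += 4
        if n > len(buf) - pos:
            raise ValueError("string runs past end of message")
        out.append(buf[pos:pos + n].decode("ascii"))
        pos += n
    return out


def parse_query_reply(frame: bytes):
    """Return the advertised extension names, or None if "query" is refused."""
    if len(frame) < 5 or struct.unpack_from(">I", frame)[0] != len(frame) - 4:
        raise ValueError("bad frame length")
    msg_type, payload = frame[4], frame[5:]
    if msg_type in (SSH_AGENT_FAILURE, SSH_AGENT_EXTENSION_FAILURE):
        return None  # the answer the report describes for OpenSSH 9.9p1
    names = read_strings(payload)
    if msg_type == SSH_AGENT_EXTENSION_RESPONSE and names[:1] == ["query"]:
        return names[1:]  # assumed layout: extension name echoed first
    if msg_type == SSH_AGENT_SUCCESS:
        return names  # assumed layout for agents following older drafts
    raise ValueError(f"unexpected reply (type {msg_type})")
```

A `None` result only says the agent refused "query"; as the report notes, an agent can refuse it and still support "session-bind@openssh.com".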