openssh bugs - Nov 2024 - [Bug 3758] New: ssh-agent: standard "query" extension not supported

https://bugzilla.mindrot.org/show_bug.cgi?id=3758

            Bug ID: 3758
           Summary: ssh-agent: standard "query" extension not
supported
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m at the13thletter.info

The SSH agent spec draft-ietf-sshm-ssh-agent defines an extension
mechanism to "[allow] vendor-specific and experimental messages to be
sent via the agent protocol". ssh-agent itself offers a message of type
"session-bind at openssh.com", however it does not support the
standard
"query" extension from Section 3.8.1 of the spec. (Issuing a
"query"
SSH_AGENTC_EXTENSION call to the agent results in an SSH_AGENT_FAILURE.
This is the case in 9.9p1, and appears to have been the case ever since
introduction of "session-bind at openssh.com" in 8.9p1.)

This leads to the unfortunate situation that one cannot discover
support of the "session-bind at openssh.com" extension
straightforwardly
by querying the agent, only by more roundabout means such as issuing
the message and observing the success or failure of the call, or
inferring support for "session-bind at openssh.com" from the lack of
support for the "query" message.

My use case: connecting to a running SSH agent -- in a non-SSH context
and with a third-party tool -- and checking whether it is OpenSSH's
ssh-agent, or PuTTY's Pageant, via the reported list of supported
extensions. This is used to infer whether the agent supports RFC 6979
(Pageant) or not (OpenSSH). Querying the supported extensions seems to
me to be the "most correct" way.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3758

--- Comment #1 from Marco Ricci <m at the13thletter.info> ---
As an aside: PROTOCOL.agent in the source tree still refers to
draft-miller-ssh-agent instead of draft-ietf-sshm-ssh-agent.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3758

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |ASSIGNED
                 CC|                            |djm at mindrot.org
           Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3844
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3844&action=edit
Implement query extension

The query extension hasn't been implemented because I've received
basically no feedback on this section of the draft.

Here's an implementation. I'll hold off on committing it until I'm
more
sure that it's not likely to change through the rest of the IETF
process.

BTW, I just fixed the link in PROTOCOL.agent - thanks for reminding me.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3758

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
BTW, the extension mechanism generally and session-bind in particular
are designed to degrade gracefully. I.e. it should be fine to issue a
session-bind request without probing the agent first; indeed this is
what OpenSSH's ssh client does unconditionally when opening an agent
socket for authentication or forwarding.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.