This adds support for systemd socket-based activation in the ssh-agent. When using socket activation, the -a flag value must match the socket path provided by systemd, as a sanity check. Support for this feature is enabled by the --with-systemd configure flag. --- Something tells me upstream would not be interested in this patch, but as it may be useful on linux, I'm submitting it here. Makefile.in | 3 ++- configure.ac | 25 ++++++++++++++++++++++++ ssh-agent.c | 54 +++++++++++++++++++++++++++++++++++++++++++--------- 3 files changed, 72 insertions(+), 10 deletions(-) diff --git a/Makefile.in b/Makefile.in index 70287f51fb81..9bace646fecf 100644 --- a/Makefile.in +++ b/Makefile.in @@ -53,6 +53,7 @@ CHANNELLIBS=@CHANNELLIBS@ K5LIBS=@K5LIBS@ GSSLIBS=@GSSLIBS@ SSHDLIBS=@SSHDLIBS@ +AGENTLIBS=@AGENTLIBS@ LIBEDIT=@LIBEDIT@ LIBFIDO2=@LIBFIDO2@ AR=@AR@ @@ -216,7 +217,7 @@ ssh-add$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHADD_OBJS) $(LD) -o $@ $(SSHADD_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CHANNELLIBS) ssh-agent$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHAGENT_OBJS) - $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CHANNELLIBS) + $(LD) -o $@ $(SSHAGENT_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(AGENTLIBS) $(LIBS) $(CHANNELLIBS) ssh-keygen$(EXEEXT): $(LIBCOMPAT) libssh.a $(SSHKEYGEN_OBJS) $(LD) -o $@ $(SSHKEYGEN_OBJS) $(LDFLAGS) -lssh -lopenbsd-compat $(LIBS) $(CHANNELLIBS) diff --git a/configure.ac b/configure.ac index 07893e870659..d12b6e9c0588 100644 --- a/configure.ac +++ b/configure.ac @@ -147,6 +147,16 @@ else AC_MSG_RESULT([no]) fi +systemd=no +AC_ARG_WITH([systemd], + [ --with-systemd Enable use of systemd socket-based activation ], + [ if test "x$withval" = "xyes" ; then + systemd=yes + AC_DEFINE([WITH_SYSTEMD], [1], [enable systemd socket-based activation]) + fi + ] +) + use_stack_protector=1 use_toolchain_hardening=1 AC_ARG_WITH([stackprotect], @@ -3376,6 +3386,18 @@ AC_CHECK_LIB([crypt], [crypt], [ AC_CHECK_FUNCS([crypt]) LIBS="$saved_LIBS" +if test "x$systemd" == "xyes" ; then + # Check for sd_listen_fds in libsystemd for socket activation + saved_LIBS="$LIBS" + AC_CHECK_LIB([systemd], [sd_listen_fds], [ + LIBS="-lsystemd $LIBS" + AGENTLIBS="-lsystemd $AGENTLIBS" + ]) + AC_CHECK_FUNCS([sd_listen_fds]) + LIBS="$saved_LIBS" + AC_SUBST([AGENTLIBS]) +fi + # Check for PAM libs PAM_MSG="no" AC_ARG_WITH([pam], @@ -5632,6 +5654,9 @@ fi if test ! -z "${SSHDLIBS}"; then echo " +for sshd: ${SSHDLIBS}" fi +if test ! -z "${AGENTLIBS}"; then +echo " +for ssh-agent: ${AGENTLIBS}" +fi echo "" diff --git a/ssh-agent.c b/ssh-agent.c index c72518ba3537..eb3a8b022590 100644 --- a/ssh-agent.c +++ b/ssh-agent.c @@ -69,6 +69,9 @@ #include <stdlib.h> #include <time.h> #include <string.h> +#ifdef WITH_SYSTEMD +# include <systemd/sd-daemon.h> +#endif #include <unistd.h> #ifdef HAVE_UTIL_H # include <util.h> @@ -166,6 +169,11 @@ pid_t cleanup_pid = 0; char socket_name[PATH_MAX]; char socket_dir[PATH_MAX]; +#ifdef WITH_SYSTEMD +/* tracks whether the active AUTH_SOCKET was passed to us by a third party */ +int external_socket = 0; +#endif + /* Pattern-list of allowed PKCS#11/Security key paths */ static char *allowed_providers; @@ -1946,6 +1954,10 @@ cleanup_socket(void) { if (cleanup_pid != 0 && getpid() != cleanup_pid) return; +#ifdef WITH_SYSTEMD + if (external_socket) + return; +#endif debug_f("cleanup"); if (socket_name[0]) unlink(socket_name); @@ -2000,7 +2012,7 @@ int main(int ac, char **av) { int c_flag = 0, d_flag = 0, D_flag = 0, k_flag = 0, s_flag = 0; - int sock, ch, result, saved_errno; + int sock = 0, ch, result, saved_errno; char *shell, *format, *pidstr, *agentsocket = NULL; #ifdef HAVE_SETRLIMIT struct rlimit rlim; @@ -2015,6 +2027,9 @@ main(int ac, char **av) struct pollfd *pfd = NULL; size_t npfd = 0; u_int maxfds; +#ifdef WITH_SYSTEMD + int nfds = 0; +#endif /* Ensure that fds 0, 1 and 2 are open or directed to /dev/null */ sanitise_stdfd(); @@ -2142,6 +2157,25 @@ main(int ac, char **av) parent_pid = getpid(); +#ifdef WITH_SYSTEMD + nfds = sd_listen_fds(1); + if (nfds > 0) { + sock = SD_LISTEN_FDS_START; + if (agentsocket == NULL) { + fprintf(stderr, "%s not set, cannot use socket-activation", + SSH_AUTHSOCKET_ENV_NAME); + exit(1); + } else if (sd_is_socket_unix(sock, SOCK_STREAM, 1, agentsocket, 0) <= 0) { + fprintf(stderr, "Unexpected auth sock received from systemd. Expected %s\n", agentsocket); + exit(1); + } else if (nfds > 1) { + fprintf(stderr, "too many fds received from systemd (%d)\n", nfds); + exit(1); + } + strlcpy(socket_name, agentsocket, sizeof socket_name); + external_socket = 1; + } +#endif if (agentsocket == NULL) { /* Create private directory for agent socket */ mktemp_proto(socket_dir, sizeof(socket_dir)); @@ -2150,7 +2184,7 @@ main(int ac, char **av) exit(1); } snprintf(socket_name, sizeof socket_name, "%s/agent.%ld", socket_dir, - (long)parent_pid); + (long)parent_pid); } else { /* Try to use specified agent socket */ socket_dir[0] = '\0'; @@ -2161,14 +2195,16 @@ main(int ac, char **av) * Create socket early so it will exist before command gets run from * the parent. */ - prev_mask = umask(0177); - sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0); - if (sock < 0) { - /* XXX - unix_listener() calls error() not perror() */ - *socket_name = '\0'; /* Don't unlink any existing file */ - cleanup_exit(1); + if (sock == 0) { + prev_mask = umask(0177); + sock = unix_listener(socket_name, SSH_LISTEN_BACKLOG, 0); + if (sock < 0) { + /* XXX - unix_listener() calls error() not perror() */ + *socket_name = '\0'; /* Don't unlink any existing file */ + cleanup_exit(1); + } + umask(prev_mask); } - umask(prev_mask); /* * Fork, and have the parent execute the command, if any, or present -- 2.41.0
Damien Miller
2023-Jun-20 00:20 UTC
[PATCH] ssh-agent: add systemd socket-based activation
On Fri, 16 Jun 2023, Ronan Pigott wrote:> This adds support for systemd socket-based activation in the ssh-agent. > When using socket activation, the -a flag value must match the socket > path provided by systemd, as a sanity check. Support for this feature is > enabled by the --with-systemd configure flag. > > --- > Something tells me upstream would not be interested in this patch, but > as it may be useful on linux, I'm submitting it here.yeah - unfortunately libsystemd is under the LGPL and we've tried hard to keep our license free of additional obligations. -d
June 19, 2023 5:20 PM, "Damien Miller" <djm at mindrot.org> wrote:> yeah - unfortunately libsystemd is under the LGPL and we've tried hard > to keep our license free of additional obligations. > > -dAh, I see. No worries then. It should be possible without libsystemd if somebody really wants this in the future, just need to implement the interface as described by sd_listen_fds(3). Cheers, Ronan
Reasonably Related Threads
- [libnbd PATCH v3 19/19] socket activation: set LISTEN_FDNAMES
- [Bug 1809] New: ssh-agent doesnt respect $TMPDIR
- [PATCH]: Workaround a security leak on Windows
- [PATCH] ssh-agent: add systemd socket-based activation
- [libnbd PATCH v5 3/4] generator: Add APIs to get/set the socket activation socket name