[Bug 3597] New: Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Tue Aug 1 23:19:39 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3597

            Bug ID: 3597
           Summary: Why do we check both nsession_ids and
                    remote_add_provider when judging whether allow remote
                    addition of FIDO/PKCS11 provider libraries is
                    disabled?
           Product: Portable OpenSSH
           Version: -current
          Hardware: Other
                OS: Windows 10
            Status: NEW
          Severity: trivial
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: rmsh1216 at 163.com

Disallowing remote addition of FIDO/PKCS11 provider libraries to ssh-agent
by default was introduced in the commit:
https://github.com/openssh/openssh-portable/commit/1f2731f5d7a8f8a8385c6031667ed29072c0d92a

In my opinion, it is unnecessary for us to check the value of
nsession_ids, because nsession_ids is used to count the number of the
connections which are opened via "session-bind@openssh.com" agent
extension.
```
if (e->nsession_ids != 0 && !remote_add_provider) {
        verbose("failed add of SK provider \"%.100s\": "
            "remote addition of providers is disabled",
            sk_provider);
        goto out;
}
```
Please tell me the reason.
Thanks a lot.
