[Bug 3597] Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Aug 2 18:33:46 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3597

--- Comment #2 from renmingshuai <rmsh1216 at 163.com> ---
(In reply to Damien Miller from comment #1)
> remote_add_provider indicates whether the user has allowed remote
> ssh-agent clients to add PKCS#11 providers.
> 
> e->nsession_ids>0 indicates that a session is actually remote. A
> local session will have e->nsession_ids=0.
> 
> See process_ext_session_bind() in ssh-agent.c and the corresponding
> authfd.c:ssh_agent_bind_hostkey() code that is called from ssh's
> clientloop.c:client_request_agent().

Thanks, I get it.
Besides, e->nsession_ids was introduced in openssh-8.9p1. For lower
versions, before openssh-8.9p1, checking only the value of
remote_add_provider is stricter, although it may cause some other
problems.
