[Bug 3758] New: ssh-agent: standard "query" extension not supported
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Wed Nov 27 21:51:46 AEDT 2024
https://bugzilla.mindrot.org/show_bug.cgi?id=3758
Bug ID: 3758
Summary: ssh-agent: standard "query" extension not supported
Product: Portable OpenSSH
Version: 9.9p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: m at the13thletter.info
The SSH agent spec draft-ietf-sshm-ssh-agent defines an extension
mechanism to "[allow] vendor-specific and experimental messages to be
sent via the agent protocol". ssh-agent itself offers a message of type
"session-bind at openssh.com", however it does not support the standard
"query" extension from Section 3.8.1 of the spec. (Issuing a "query"
SSH_AGENTC_EXTENSION call to the agent results in an SSH_AGENT_FAILURE.
This is the case in 9.9p1, and appears to have been the case ever since
introduction of "session-bind at openssh.com" in 8.9p1.)
This leads to the unfortunate situation that one cannot discover
support of the "session-bind at openssh.com" extension straightforwardly
by querying the agent, only by more roundabout means such as issuing
the message and observing the success or failure of the call, or
inferring support for "session-bind at openssh.com" from the lack of
support for the "query" message.
My use case: connecting to a running SSH agent -- in a non-SSH context
and with a third-party tool -- and checking whether it is OpenSSH's
ssh-agent, or PuTTY's Pageant, via the reported list of supported
extensions. This is used to infer whether the agent supports RFC 6979
(Pageant) or not (OpenSSH). Querying the supported extensions seems to
me to be the "most correct" way.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list