[Bug 3758] New: ssh-agent: standard "query" extension not supported

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Nov 27 21:51:46 AEDT 2024


https://bugzilla.mindrot.org/show_bug.cgi?id=3758

            Bug ID: 3758
           Summary: ssh-agent: standard "query" extension not supported
           Product: Portable OpenSSH
           Version: 9.9p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m at the13thletter.info

The SSH agent spec draft-ietf-sshm-ssh-agent defines an extension
mechanism to "[allow] vendor-specific and experimental messages to be
sent via the agent protocol". ssh-agent itself offers a message of type
"session-bind at openssh.com", however it does not support the standard
"query" extension from Section 3.8.1 of the spec. (Issuing a "query"
SSH_AGENTC_EXTENSION call to the agent results in an SSH_AGENT_FAILURE.
This is the case in 9.9p1, and appears to have been the case ever since
introduction of "session-bind at openssh.com" in 8.9p1.)

This leads to the unfortunate situation that one cannot discover
support of the "session-bind at openssh.com" extension straightforwardly
by querying the agent, only by more roundabout means such as issuing
the message and observing the success or failure of the call, or
inferring support for "session-bind at openssh.com" from the lack of
support for the "query" message.

My use case: connecting to a running SSH agent -- in a non-SSH context
and with a third-party tool -- and checking whether it is OpenSSH's
ssh-agent, or PuTTY's Pageant, via the reported list of supported
extensions. This is used to infer whether the agent supports RFC 6979
(Pageant) or not (OpenSSH). Querying the supported extensions seems to
me to be the "most correct" way.
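The following is an added example, not code from the bug report or from OpenSSH: a small Python client that frames the SSH_AGENTC_EXTENSION "query" request, parses the reply, and treats SSH_AGENT_FAILURE (what ssh-agent 9.9p1 returns, per the report) as "query unsupported" rather than as a protocol error. The message numbers follow draft-ietf-sshm-ssh-agent; the assumed reply format for a supporting agent is SSH_AGENT_SUCCESS followed by zero or more string extension names, and the two sample replies are constructed for the example. `query_agent` talks to a live agent over `SSH_AUTH_SOCK` only when run as a script.

```python
import os
import socket
import struct

# SSH agent protocol message numbers (draft-ietf-sshm-ssh-agent).
SSH_AGENT_FAILURE = 5
SSH_AGENT_SUCCESS = 6
SSH_AGENTC_EXTENSION = 27
SSH_AGENT_EXTENSION_FAILURE = 28


def ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': uint32 big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def frame(body: bytes) -> bytes:
    """Wrap a message body in the uint32 length prefix used on the agent socket."""
    return struct.pack(">I", len(body)) + body


def build_query_request() -> bytes:
    """Framed SSH_AGENTC_EXTENSION message whose extension type is 'query'."""
    return frame(bytes([SSH_AGENTC_EXTENSION]) + ssh_string(b"query"))


def read_string(buf: bytes, off: int):
    """Decode one SSH string at offset `off`; return (bytes, new_offset)."""
    if off + 4 > len(buf):
        raise ValueError("truncated string length")
    (n,) = struct.unpack(">I", buf[off:off + 4])
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string body")
    return buf[off:off + n], off + n


def parse_query_response(msg: bytes):
    """Parse an unframed reply to the 'query' extension.

    Returns a list of extension names on SSH_AGENT_SUCCESS (assumed reply
    layout: byte SSH_AGENT_SUCCESS, then string extension_name...), or None
    when the agent answers SSH_AGENT_FAILURE / SSH_AGENT_EXTENSION_FAILURE,
    i.e. the agent does not implement 'query' (the behaviour reported for
    OpenSSH ssh-agent). Any other message type is a protocol error.
    """
    if not msg:
        raise ValueError("empty reply")
    kind = msg[0]
    if kind in (SSH_AGENT_FAILURE, SSH_AGENT_EXTENSION_FAILURE):
        return None
    if kind != SSH_AGENT_SUCCESS:
        raise ValueError(f"unexpected agent message type {kind}")
    names, off = [], 1
    while off < len(msg):
        name, off = read_string(msg, off)
        names.append(name.decode("utf-8"))
    return names


# Constructed sample replies (not captured from a real agent).
SAMPLE_FAILURE_REPLY = bytes([SSH_AGENT_FAILURE])
SAMPLE_SUCCESS_REPLY = (bytes([SSH_AGENT_SUCCESS])
                        + ssh_string(b"query")
                        + ssh_string(b"session-bind@openssh.com"))


def recv_exact(sock: socket.socket, n: int) -> bytes:
    """Read exactly n bytes or raise if the agent closes the socket early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("agent closed the connection")
        buf += chunk
    return buf


def query_agent(sock_path: str):
    """Send 'query' to the agent at sock_path and return parse_query_response()."""
    with socket.socket(socket.AF_UNIX, socket.SOCK_STREAM) as s:
        s.connect(sock_path)
        s.sendall(build_query_request())
        (length,) = struct.unpack(">I", recv_exact(s, 4))
        return parse_query_response(recv_exact(s, length))


if __name__ == "__main__":
    path = os.environ.get("SSH_AUTH_SOCK")
    if not path:
        print("SSH_AUTH_SOCK not set; offline sample:",
              parse_query_response(SAMPLE_SUCCESS_REPLY))
    else:
        result = query_agent(path)
        print("query unsupported (agent returned failure)" if result is None
              else f"supported extensions: {result}")
```

A `None` result only says that the agent did not answer the query; as the report notes, it does not by itself prove or disprove support for "session-bind at openssh.com", so a client that needs that answer still has to fall back to issuing the message and observing the outcome.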
