[Bug 3967] New: ssh-agent: extra response message after "query" EXTENSION request

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Fri Jun 12 16:09:08 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3967

            Bug ID: 3967
           Summary: ssh-agent: extra response message after "query"
                    EXTENSION request
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh-agent
          Assignee: unassigned-bugs at mindrot.org
          Reporter: m at the13thletter.info

Created attachment 3962
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3962&action=edit
Shell session transcript of netcat and ssh-agent

When answering a "query" `EXTENSION` message on its communication
socket, ssh-agent responds twice: once with the expected
`EXTENSION_RESPONSE` message, and once more with a `SUCCESS` message
immediately after. This is likely unintentional, and equally likely a
violation of the spec, where every request message receives exactly one
response message. (Unless I'm really, severely misreading the spec.)

As a result, third-party software talking to ssh-agent on its
communication socket gets confused as to which response message belongs
to which of the requests it issued earlier. (I am the author of one
such third-party software.)

(For what it's worth, I have not yet seen the OpenSSH tools such as
`ssh-add -Q` get confused by this.)

The attached log shows a sample shell session with netcat, issuing
calls to the agent manually and hexdumping the results. (Developed on
Linux, but should run unchanged on OpenBSD, as per the OpenBSD
manpages. Commentary is included.)

Observed on Linux (Debian testing/"forky", amd64), running OpenSSH
10.3p1, but likely to affect other systems as well, I presume. Related
to bug 3758, which introduced support for the "query" `EXTENSION`
message in the first place.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list