[Bug 3967] New: ssh-agent: extra response message after "query" EXTENSION request
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Jun 12 16:09:08 AEST 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3967
Bug ID: 3967
Summary: ssh-agent: extra response message after "query"
EXTENSION request
Product: Portable OpenSSH
Version: 10.3p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh-agent
Assignee: unassigned-bugs at mindrot.org
Reporter: m at the13thletter.info
Created attachment 3962
--> https://bugzilla.mindrot.org/attachment.cgi?id=3962&action=edit
Shell session transcript of netcat and ssh-agent
When answering a "query" `EXTENSION` message on its communication
socket, ssh-agent responds twice: once with the expected
`EXTENSION_RESPONSE` message, and once more with a `SUCCESS` message
immediately after. This is likely unintentional, and equally likely a
violation of the spec, where every request message receives exactly one
response message. (Unless I'm really, severely misreading the spec.)
As a result, third-party software talking to ssh-agent on its
communication socket gets confused as to which response message belongs
to which of the requests it issued earlier. (I am the author of one
such third-party software.)
(For what it's worth, I have not yet seen the OpenSSH tools such as
`ssh-add -Q` get confused by this.)
The attached log shows a sample shell session with netcat, issuing
calls to the agent manually and hexdumping the results. (Developed on
Linux, but should run unchanged on OpenBSD, as per the OpenBSD
manpages. Commentary is included.)
Observed on Linux (Debian testing/"forky", amd64), running OpenSSH
10.3p1, but likely to affect other systems as well, I presume. Related
to bug 3758, which introduced support for the "query" `EXTENSION`
message in the first place.
--
You are receiving this mail because:
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list