[openssh-commits] [openssh] 02/03: upstream: With IANA codepoints for draft-ietf-sshm-ssh-agent now

git+noreply at mindrot.org git+noreply at mindrot.org
Thu Mar 5 16:45:34 AEDT 2026



djm pushed a commit to branch master
in repository openssh.

commit 4fe278629c3f792628ea71132ba4fcbb9ceaa6b7
Author: djm at openbsd.org <djm at openbsd.org>
AuthorDate: Thu Mar 5 05:40:35 2026 +0000

    upstream: With IANA codepoints for draft-ietf-sshm-ssh-agent now
    
    allocated, it's safe to start using the standard names for requesting agent
    forwarding over the @openssh.com extension names we've used to date.
    
    Support for the standard names is advertised via EXT_INFO. When the
    client sees such support it will use the new names preferentially,
    but the existing names remain supported unconditionally.
    
    ok markus@
    
    OpenBSD-Commit-ID: 1ab4a0b4de01e81a432875c2b7e5f7357e231af3
---
 channels.c   |  8 +++++---
 channels.h   |  8 ++++++--
 clientloop.c | 19 +++++++++++++++++--
 kex.c        | 12 ++++++++++--
 kex.h        |  3 ++-
 mux.c        | 10 +++-------
 session.c    | 20 +++++++++++---------
 ssh.c        | 11 +++--------
 8 files changed, 57 insertions(+), 34 deletions(-)

diff --git a/channels.c b/channels.c
index 11c2b5c19..e36c3bbf8 100644
--- a/channels.c
+++ b/channels.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.c,v 1.456 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.457 2026/03/05 05:40:35 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1190,7 +1190,8 @@ channel_send_open(struct ssh *ssh, int id)
 }
 
 void
-channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
+channel_request_start(struct ssh *ssh, int id, const char *service,
+    int wantconfirm)
 {
 	Channel *c = channel_lookup(ssh, id);
 	int r;
@@ -2096,7 +2097,8 @@ channel_post_auth_listener(struct ssh *ssh, Channel *c)
 	    SSH_CHANNEL_OPENING, newsock, newsock, -1,
 	    c->local_window_max, c->local_maxpacket,
 	    0, "accepted auth socket", 1);
-	open_preamble(ssh, __func__, nc, "auth-agent at openssh.com");
+	open_preamble(ssh, __func__, nc,
+	    c->agent_new ? "agent-connect" : "auth-agent at openssh.com");
 	if ((r = sshpkt_send(ssh)) != 0)
 		fatal_fr(r, "channel %i", c->self);
 }
diff --git a/channels.h b/channels.h
index ce9224c0e..2fcf9f8cb 100644
--- a/channels.h
+++ b/channels.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: channels.h,v 1.163 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.164 2026/03/05 05:40:35 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
@@ -181,6 +181,7 @@ struct Channel {
 	u_int	local_consumed;
 	u_int	local_maxpacket;
 	int     extended_usage;
+	int	agent_new;	/* For agent listeners, use RFC XXX reqests */
 	int	single_connection;
 
 	char   *ctype;		/* const type - NB. not freed on channel_free */
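Review bot: The comment on the new `agent_new` field carries a placeholder and a typo, `/* For agent listeners, use RFC XXX reqests */`; since the draft is named in the commit message, `/* For agent listeners: open accepted connections as "agent-connect" (draft-ietf-sshm-ssh-agent) rather than "auth-agent@openssh.com" */` would describe what channels.c actually does with it. It is also worth stating that the field is only meaningful on server-side agent listeners and is expected to be zero on every other channel, because channel_post_auth_listener reads it on the listener without any other guard; channel_new is not in this diff, so confirm it zero-fills new Channel structs. The struct Channel definition continues outside the hunk.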
@@ -304,7 +305,7 @@ void	 channel_force_close(struct ssh *, Channel *, int);
 void	 channel_set_xtype(struct ssh *, int, const char *);
 
 void	 channel_send_open(struct ssh *, int);
-void	 channel_request_start(struct ssh *, int, char *, int);
+void	 channel_request_start(struct ssh *, int, const char *, int);
 void	 channel_register_cleanup(struct ssh *, int,
 	    channel_callback_fn *, int);
 void	 channel_register_open_confirm(struct ssh *, int,
@@ -399,6 +400,9 @@ int      x11_channel_used_recently(struct ssh *ssh);
 int	 chan_is_dead(struct ssh *, Channel *, int);
 void	 chan_mark_dead(struct ssh *, Channel *);
 
+/* agent forwarding */
+void	 client_channel_reqest_agent_forwarding(struct ssh *, int);
+
 /* channel events */
 
 void	 chan_rcvd_oclose(struct ssh *, Channel *);
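Review bot: The newly exported name `client_channel_reqest_agent_forwarding` misspells "request"; since this commit introduces the symbol, renaming it to `client_channel_request_agent_forwarding` here, at its definition in the clientloop.c hunk and at the call sites in the mux.c and ssh.c hunks costs nothing now, whereas fixing it later means touching a public prototype and three files again. The prototype is also placed in channels.h under a new `/* agent forwarding */` heading while the definition lives in clientloop.c; if that split is deliberate, `/* agent forwarding (implemented in clientloop.c) */` would save the next reader a grep.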
diff --git a/clientloop.c b/clientloop.c
index 11a7f4648..6a0e7b6b8 100644
--- a/clientloop.c
+++ b/clientloop.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: clientloop.c,v 1.421 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.422 2026/03/05 05:40:35 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -1939,7 +1939,8 @@ client_input_channel_open(int type, uint32_t seq, struct ssh *ssh)
 		c = client_request_forwarded_streamlocal(ssh, ctype, rchan);
 	} else if (strcmp(ctype, "x11") == 0) {
 		c = client_request_x11(ssh, ctype, rchan);
-	} else if (strcmp(ctype, "auth-agent at openssh.com") == 0) {
+	} else if (strcmp(ctype, "auth-agent at openssh.com") == 0 ||
+	    strcmp(ctype, "agent-connect") == 0) {
 		c = client_request_agent(ssh, ctype, rchan);
 	}
 	if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) {
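Review bot: The "agent-connect" channel type is accepted here regardless of whether this client asked for forwarding with the new name or whether the server advertised "agent-forward" in EXT_INFO, so the only thing between an unsolicited server-initiated open and a connection to the local agent is whatever check client_request_agent makes against options.forward_agent; that function is outside the hunk, so I cannot confirm from the diff that it refuses opens when forwarding was never requested. If it does, a comment on the extended condition, `/* both names are gated in client_request_agent on options.forward_agent */`, would make the trust boundary explicit at the dispatch point. client_input_channel_open continues outside the hunk.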
@@ -2813,6 +2814,20 @@ client_session2_setup(struct ssh *ssh, int id, int want_tty, int want_subsystem,
 	client_repledge();
 }
 
+void
+client_channel_reqest_agent_forwarding(struct ssh *ssh, int id)
+{
+	const char *req = "auth-agent-req at openssh.com";
+	int r;
+
+	if (ssh->kex != NULL && (ssh->kex->flags & KEX_HAS_NEWAGENT) != 0)
+		req = "agent-req"; /* XXX RFC XXX */
+	debug("Requesting agent forwarding on channel %d via %s", id, req);
+	channel_request_start(ssh, id, req, 0);
+	if ((r = sshpkt_send(ssh)) != 0)
+		fatal_fr(r, "send");
+}
+
 static void
 client_init_dispatch(struct ssh *ssh)
 {
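Review bot: The new client_channel_reqest_agent_forwarding has no header comment, and the only comment on the `req = "agent-req"` assignment is the placeholder `/* XXX RFC XXX */`. A comment above the function such as `/* Request agent forwarding on channel id. Uses the standard "agent-req" name when the peer advertised "agent-forward" in its first EXT_INFO (KEX_HAS_NEWAGENT), otherwise the legacy "auth-agent-req@openssh.com". Fatal if the request cannot be sent. */` would record the selection rule that mux.c and ssh.c now rely on, and the placeholder can then shrink to `/* draft-ietf-sshm-ssh-agent */`. The `ssh->kex != NULL` guard reads as defensive; if kex can genuinely be NULL when a session channel is being set up, a word on when would help, otherwise it hides a programming error behind the legacy name.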
diff --git a/kex.c b/kex.c
index 284f9febc..85b112c75 100644
--- a/kex.c
+++ b/kex.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.c,v 1.192 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.193 2026/03/05 05:40:35 djm Exp $ */
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
  *
@@ -297,13 +297,15 @@ kex_compose_ext_info_server(struct ssh *ssh, struct sshbuf *m)
 	if (ssh->kex->server_sig_algs == NULL &&
 	    (ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
 		return SSH_ERR_ALLOC_FAIL;
-	if ((r = sshbuf_put_u32(m, 3)) != 0 ||
+	if ((r = sshbuf_put_u32(m, 4)) != 0 ||
 	    (r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
 	    (r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
 	    (r = sshbuf_put_cstring(m,
 	    "publickey-hostbound at openssh.com")) != 0 ||
 	    (r = sshbuf_put_cstring(m, "0")) != 0 ||
 	    (r = sshbuf_put_cstring(m, "ping at openssh.com")) != 0 ||
+	    (r = sshbuf_put_cstring(m, "0")) != 0 ||
+	    (r = sshbuf_put_cstring(m, "agent-forward")) != 0 ||
 	    (r = sshbuf_put_cstring(m, "0")) != 0) {
 		error_fr(r, "compose");
 		return r;
@@ -447,6 +449,12 @@ kex_ext_info_client_parse(struct ssh *ssh, const char *name,
 		    "0", KEX_HAS_PING)) != 0) {
 			return r;
 		}
+	} else if (ssh->kex->ext_info_received == 1 &&
+	    strcmp(name, "agent-forward") == 0) {
+		if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen,
+		    "0", KEX_HAS_NEWAGENT)) != 0) {
+			return r;
+		}
 	} else
 		debug_f("%s (unrecognised)", name);
 
diff --git a/kex.h b/kex.h
index 011b92ff8..4f6d92164 100644
--- a/kex.h
+++ b/kex.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: kex.h,v 1.128 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: kex.h,v 1.129 2026/03/05 05:40:36 djm Exp $ */
 
 /*
  * Copyright (c) 2000, 2001 Markus Friedl.  All rights reserved.
@@ -114,6 +114,7 @@ enum kex_exchange {
 #define KEX_RSA_SHA2_512_SUPPORTED	0x0010 /* only set in server for now */
 #define KEX_HAS_PING			0x0020
 #define KEX_HAS_EXT_INFO_IN_AUTH	0x0040
+#define KEX_HAS_NEWAGENT		0x0080 /* only set in client */
 
 /* kex->pq */
 #define KEX_NOT_PQ			0
diff --git a/mux.c b/mux.c
index 9cf3e7815..5e20c7760 100644
--- a/mux.c
+++ b/mux.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: mux.c,v 1.111 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: mux.c,v 1.112 2026/03/05 05:40:36 djm Exp $ */
 /*
  * Copyright (c) 2002-2008 Damien Miller <djm at openbsd.org>
  *
@@ -1435,12 +1435,8 @@ mux_session_confirm(struct ssh *ssh, int id, int success, void *arg)
 		}
 	}
 
-	if (cctx->want_agent_fwd && options.forward_agent) {
-		debug("Requesting authentication agent forwarding.");
-		channel_request_start(ssh, id, "auth-agent-req at openssh.com", 0);
-		if ((r = sshpkt_send(ssh)) != 0)
-			fatal_fr(r, "send");
-	}
+	if (cctx->want_agent_fwd && options.forward_agent)
+		client_channel_reqest_agent_forwarding(ssh, id);
 
 	client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
 	    cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
diff --git a/session.c b/session.c
index 227881ec9..93de35d7c 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.347 2026/02/08 15:28:01 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.348 2026/03/05 05:40:36 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
  *                    All rights reserved
@@ -183,7 +183,7 @@ auth_sock_cleanup_proc(struct passwd *pw)
 }
 
 static int
-auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
+auth_input_request_forwarding(struct ssh *ssh, struct passwd *pw, int agent_new)
 {
 	Channel *nc;
 	int sock = -1;
@@ -211,6 +211,7 @@ auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
 	    CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
 	    0, "auth socket", 1);
 	nc->path = xstrdup(auth_sock_name);
+	nc->agent_new = agent_new;
 	return 1;
 
  authsock_err:
@@ -2131,7 +2132,7 @@ session_signal_req(struct ssh *ssh, Session *s)
 }
 
 static int
-session_auth_agent_req(struct ssh *ssh, Session *s)
+session_auth_agent_req(struct ssh *ssh, Session *s, int agent_new)
 {
 	static int called = 0;
 	int r;
@@ -2144,12 +2145,11 @@ session_auth_agent_req(struct ssh *ssh, Session *s)
 		debug_f("agent forwarding disabled");
 		return 0;
 	}
-	if (called) {
+	if (called)
 		return 0;
-	} else {
-		called = 1;
-		return auth_input_request_forwarding(ssh, s->pw);
-	}
+
+	called = 1;
+	return auth_input_request_forwarding(ssh, s->pw, agent_new);
 }
 
 int
@@ -2178,7 +2178,9 @@ session_input_channel_req(struct ssh *ssh, Channel *c, const char *rtype)
 		} else if (strcmp(rtype, "x11-req") == 0) {
 			success = session_x11_req(ssh, s);
 		} else if (strcmp(rtype, "auth-agent-req at openssh.com") == 0) {
-			success = session_auth_agent_req(ssh, s);
+			success = session_auth_agent_req(ssh, s, 0);
+		} else if (strcmp(rtype, "agent-req") == 0) {
+			success = session_auth_agent_req(ssh, s, 1);
 		} else if (strcmp(rtype, "subsystem") == 0) {
 			success = session_subsystem_req(ssh, s);
 		} else if (strcmp(rtype, "env") == 0) {
diff --git a/ssh.c b/ssh.c
index cb8651bce..9d8fb0a83 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.627 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.628 2026/03/05 05:40:36 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo at cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo at cs.hut.fi>, Espoo, Finland
@@ -2194,7 +2194,6 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg)
 {
 	extern char **environ;
 	const char *display, *term;
-	int r;
 	char *proto = NULL, *data = NULL;
 
 	if (!success)
@@ -2216,12 +2215,8 @@ ssh_session2_setup(struct ssh *ssh, int id, int success, void *arg)
 	}
 
 	check_agent_present();
-	if (options.forward_agent) {
-		debug("Requesting authentication agent forwarding.");
-		channel_request_start(ssh, id, "auth-agent-req at openssh.com", 0);
-		if ((r = sshpkt_send(ssh)) != 0)
-			fatal_fr(r, "send packet");
-	}
+	if (options.forward_agent)
+		client_channel_reqest_agent_forwarding(ssh, id);
 
 	if ((term = lookup_env_in_list("TERM", options.setenv,
 	    options.num_setenv)) == NULL || *term == '\0')
