[RFC][PATCH v2] Support a list of sockets on SSH_AUTH_SOCK

Nico Kadel-Garcia nkadel at gmail.com
Sat Sep 26 22:24:05 AEST 2015


On Fri, Sep 25, 2015 at 9:41 PM, Fabiano Fidêncio <fidencio at redhat.com> wrote:
> The idea behind this change is to add support for different "ssh-agents"
> being able to run at the same time. It does not change the current
> behaviour of the ssh-agent (which will set SSH_AUTH_SOCK just for
> itself). Neither does it change the behaviour of SSH_AGENT_PID (which
> still supports only one pid).

Conceptually, it seems reasonable. But I'd recommend being very, very
careful with environment parsing between multiple old and new versions
of client, agent, and server.

As a purely practical and local approach, I personally tend to use
multiple perl "keychain" tool commands.

    # keychain                  # Leaves sourceable ssh-agent config in $HOME/.keychain/$HOSTNAME.sh
    # HOSTNAME=github keychain  # Leaves sourceable ssh-agent config in $HOME/.keychain/github.sh
    # HOSTNAME=work keychain    # Leaves sourceable ssh-agent config for work keys in $HOME/.keychain/work.sh

Then I can source and enable keys for the keychain as desired, and
switch among them. It's not perfect, but it lets me switch from one
keychain to the other for work related github keys, personal github
keys, root keys, personal keys, etc. and only have the relevant ones
in a particular shell session.


> The new implementation will go through the list of sockets (which are
> separated by a colon (:)), and will return the very first functional
> one. An example of the new supported syntax is:
> SSH_AUTH_SOCK=/run/user/1000/spice/ssh:/tmp/ssh-hHomdONwQus6/agent.6907
>
> The idea has been discussed a little in this e-mail thread:
> http://lists.mindrot.org/pipermail/openssh-unix-dev/2015-September/034381.html
>
> Signed-off-by: Fabiano Fidêncio <fidencio at redhat.com>
> ---
> Changes since v1:
> - Fix a typo in the commit (SSH_AUTH_SOCKET -> SSH_AUTH_SOCK)
> ---
>  authfd.c | 40 ++++++++++++++++++++++++++++------------
>  1 file changed, 28 insertions(+), 12 deletions(-)
>
> diff --git a/authfd.c b/authfd.c
> index 12bf125..20fcba2 100644
> --- a/authfd.c
> +++ b/authfd.c
> @@ -83,21 +83,12 @@ decode_reply(u_char type)
>                 return SSH_ERR_INVALID_FORMAT;
>  }
>
> -/* Returns the number of the authentication fd, or -1 if there is none. */
> -int
> -ssh_get_authentication_socket(int *fdp)
> +static int
> +get_authentication_socket(const char *authsocket, int *fdp)
>  {
> -       const char *authsocket;
>         int sock, oerrno;
>         struct sockaddr_un sunaddr;
>
> -       if (fdp != NULL)
> -               *fdp = -1;
> -
> -       authsocket = getenv(SSH_AUTHSOCKET_ENV_NAME);
> -       if (!authsocket)
> -               return SSH_ERR_AGENT_NOT_PRESENT;
> -
>         memset(&sunaddr, 0, sizeof(sunaddr));
>         sunaddr.sun_family = AF_UNIX;
>         strlcpy(sunaddr.sun_path, authsocket, sizeof(sunaddr.sun_path));
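Review bot: the new static get_authentication_socket() inherits no comment from the function it was carved out of and gets none of its own; add one stating its contract (tries exactly one path, returns SSH_ERR_SUCCESS after storing the fd in *fdp, or closing it when fdp is NULL, and an SSH_ERR_* code otherwise). It also dereferences authsocket unconditionally in strlcpy(), so it is only safe if every caller guarantees a non-NULL pointer; a guard such as `if (authsocket == NULL) return SSH_ERR_AGENT_NOT_PRESENT;` before the memset() keeps the helper safe on its own. Note that strlcpy() still silently truncates a path longer than sizeof(sunaddr.sun_path); that is pre-existing, but now that several candidates are tried in turn it would be cleaner to skip an over-long entry than to connect to a truncated name.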
> @@ -117,7 +108,32 @@ ssh_get_authentication_socket(int *fdp)
>                 *fdp = sock;
>         else
>                 close(sock);
> -       return 0;
> +       return SSH_ERR_SUCCESS;
> +}
> +
> +/* Returns the number of the authentication fd, or -1 if there is none. */
> +int
> +ssh_get_authentication_socket(int *fdp)
> +{
> +       const char *authsocketlist;
> +       const char *authsocket;
> +       int rc;
> +
> +       if (fdp != NULL)
> +               *fdp = -1;
> +
> +       authsocketlist = getenv(SSH_AUTHSOCKET_ENV_NAME);
> +       if (!authsocketlist)
> +               return SSH_ERR_AGENT_NOT_PRESENT;
> +
> +       authsocket = strtok((char *)authsocketlist, ":");
> +
> +       do {
> +               rc = get_authentication_socket(authsocket, fdp);
> +               authsocket = strtok(NULL, ":");
> +       } while (rc != SSH_ERR_SUCCESS && authsocket != NULL);
> +
> +       return rc;
>  }
>
>  /* Communicate with agent: send request and read reply */
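Review bot: strtok((char *)authsocketlist, ":") writes NUL bytes into the buffer returned by getenv(), that is, into the process environment itself, so after the first call SSH_AUTH_SOCK is silently cut down to its first entry: any later call to ssh_get_authentication_socket() in the same process only retries that entry, and every child process spawned afterwards inherits the shortened value. The const cast is the warning sign here. Copy the list first (xstrdup()) and walk the copy with strsep(), freeing it before returning; strtok() is also not reentrant. Two further edge cases in the do/while: when SSH_AUTH_SOCK is set but empty, strtok() returns NULL on the first call and get_authentication_socket(NULL, fdp) dereferences it in strlcpy(), whereas the old code handed the empty string on and simply failed; and since ':' is a legal character in a path, any existing user whose socket lives under a directory containing a colon is broken by this change, which the commit message should state explicitly. Finally, the comment "Returns the number of the authentication fd, or -1 if there is none" describes the pre-ssherr.h behaviour; as it is being moved anyway, update it to the actual return-code contract (SSH_ERR_SUCCESS with the fd in *fdp, or the error from the last attempt).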
> --
> 2.4.3
>
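As an added illustration (not code from the patch or from OpenSSH), the colon-separated SSH_AUTH_SOCK walk described in the commit message, written so that the input string is only read and the getenv() buffer is never modified; each entry is handed to a probe callback, which in real use would be the connect() logic of the patch's get_authentication_socket(). The names first_usable_socket, sock_probe_fn and probe_fake are mine, and probe_fake is a constructed stand-in so the code runs with no agent present.

```c
#include <stddef.h>
#include <string.h>

/* A probe returns 0 if the socket at path is usable, -1 otherwise. */
typedef int (*sock_probe_fn)(const char *path);

/* Constructed stand-in probe for offline use: any /tmp/ssh-* path counts
 * as a live agent and everything else as dead. A real probe would do the
 * socket()/connect() of the patch's get_authentication_socket(). */
int probe_fake(const char *path)
{
    return strncmp(path, "/tmp/ssh-", 9) == 0 ? 0 : -1;
}

/* Walk the colon-separated list read-only (so a getenv() buffer is never
 * modified), copy each entry into out and hand it to probe. Returns 0 with
 * the first accepted entry left in out, or -1 if none is accepted. Empty
 * entries ("a::b", trailing ':') and entries that would not fit in out are
 * skipped rather than silently truncated. */
int first_usable_socket(const char *list, sock_probe_fn probe,
    char *out, size_t outlen)
{
    const char *p = list, *sep;
    size_t len;

    if (list == NULL || outlen == 0)
        return -1;
    for (;;) {
        sep = strchr(p, ':');
        len = sep != NULL ? (size_t)(sep - p) : strlen(p);
        if (len > 0 && len < outlen) {
            memcpy(out, p, len);
            out[len] = '\0';
            if (probe(out) == 0)
                return 0;        /* first working entry wins */
        }
        if (sep == NULL)
            break;
        p = sep + 1;             /* advance past the separator */
    }
    out[0] = '\0';
    return -1;
}
```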

