[RFC][PATCH v2] Support a list of sockets on SSH_AUTH_SOCK
philipp.marek at linbit.com
Mon Sep 28 16:26:18 AEST 2015
> > The idea behind this change is to add support for different "ssh-agents"
> > being able to run at the same time. It does not change the current
> > behaviour of the ssh-agent (which will set SSH_AUTH_SOCK just for
> > itself). Neither does it change the behaviour of SSH_AGENT_PID (which
> > still supports only one pid).
> Conceptually, it seems reasonable. But I'd recommend being very, very
> careful with environment parsing between multiple old and new versions
> of client, agent, and server..
IMO having another environment variable with similar meaning is not a good
design. In shell scripts it will be left alone, so having another ssh-agent
active by error, and similar things.
Well, I can offer a few ideas.
One is to use the ":" separator, like in $PATH. Yes, it got discarded for
various reasons in the other thread; yes, X11 uses that for display names,
$ echo $DISPLAY
$ ls -la /tmp/.X11-unix/X0
srwxrwxrwx 1 root root 0 Sep 26 22:36 /tmp/.X11-unix/X0
Although the display has a ":" in it, the socket in the filesystem doesn't;
so I guess that scripts wanting to store a SSH agent per-display (instead
of per-user) can get that working, too.
Whitespace (with a fixed set, eg. space and tab - not any 'whitespace'
unicode points) would be another idea, but see IFS, quoting, etc.
The second idea is to have $SSH_AUTH_SOCK point to a *directory*, and to
use the sockets in there in ASCII alphanumeric order - so the default agent
would register itself with as "/tmp/ssh-<random>/500-agent.8903", and other
agents could move themselved earlier or later in the list.
The third idea is similar: keep pointing to a file, but look at all
glob("$SSH_AUTH_SOCK*") sockets in there, in ASCII alphanumeric order
Or, the other idea from the original question - have an agent push queries
to the "previous" agent as a fallback.
I'd prefer the last one - because it transparently works with all programs
that know how to access *one* agent socket (like some java implementations,
etc.), followed by 3,2, and 1, I guess - although it doesn't matter as much
with these any more.
More information about the openssh-unix-dev