[Bug 1499] Add "ForwardAgent ask" to ssh_config

bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 1 04:45:24 EST 2009


https://bugzilla.mindrot.org/show_bug.cgi?id=1499


Josh Triplett <josh at freedesktop.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |josh at freedesktop.org


--- Comment #2 from Josh Triplett <josh at freedesktop.org> 2009-09-01 04:45:22 EST ---
This seems fairly straightforward to implement:

1) Add a new flag to SSH2_AGENTC_SIGN_REQUEST, SSH_AGENT_NONLOCAL.

2) Add a new key constraint flag, SSH_AGENT_CONSTRAIN_CONFIRM_NONLOCAL.
(Either as a separate flag, or by defining a two-bit field including
SSH_AGENT_CONSTRAIN_CONFIRM and this; doing the latter would allow a
fourth constraint possibility rather than the useless combination of
the two.)

3) If the connection has "ForwardAgent ask" (or some other sensible
configuration option) set, the local SSH will proxy the agent protocol
and add SSH_AGENT_NONLOCAL to all SSH2_AGENTC_SIGN_REQUEST messages.

4) The SSH agent, given a key with SSH_AGENT_CONSTRAIN_CONFIRM_NONLOCAL
set, will prompt iff the SSH_AGENT_NONLOCAL flag appears.



Note that this approach covers SSH2 key operations only.  Adding
support for SSH1 key operations would require a new protocol message,
since SSH_AGENTC_RSA_CHALLENGE has no flags field to extend.  This
doesn't seem necessary, though; just don't forward agents to hosts you
need SSH1 keys to log into.

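The four steps of the proposal above, modelled end to end as an added example (this is not code from the bug report or from OpenSSH). It builds and parses SSH2_AGENTC_SIGN_REQUEST messages in the real agent wire format (message number 13; length-prefixed strings; a trailing uint32 flags field), shows the client-side proxy setting the proposed flag when the connection is configured with "ForwardAgent ask", and shows the agent deciding whether to prompt from the key's constraint. The flag value SSH_AGENT_NONLOCAL = 0x10, the constraint enum and all key blobs are constructed placeholders, not assigned protocol values.

```python
import struct

# Real ssh-agent message number for a signing request.
SSH2_AGENTC_SIGN_REQUEST = 13

# Proposed flag bit. 0x10 is a constructed placeholder for this example,
# not a bit assigned in the real agent protocol.
SSH_AGENT_NONLOCAL = 0x10

# Per-key confirmation constraints as a small enum (the "two-bit field"
# variant of step 2). CONFIRM_ALWAYS is the existing SSH_AGENT_CONSTRAIN_CONFIRM
# behaviour; CONFIRM_NONLOCAL is the proposed SSH_AGENT_CONSTRAIN_CONFIRM_NONLOCAL.
CONFIRM_NEVER, CONFIRM_ALWAYS, CONFIRM_NONLOCAL = 0, 1, 2


def _put_string(b: bytes) -> bytes:
    """Encode an agent-protocol 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(b)) + b


def _get_string(buf: bytes, off: int):
    """Decode a 'string' at offset off; returns (bytes, new_offset)."""
    (n,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + n > len(buf):
        raise ValueError("truncated string")
    return buf[off:off + n], off + n


def build_sign_request(key_blob: bytes, data: bytes, flags: int = 0) -> bytes:
    """Wire encoding of SSH2_AGENTC_SIGN_REQUEST, including the outer length prefix."""
    body = (bytes([SSH2_AGENTC_SIGN_REQUEST]) + _put_string(key_blob)
            + _put_string(data) + struct.pack(">I", flags))
    return _put_string(body)


def parse_sign_request(msg: bytes):
    """Strict parser: returns (key_blob, data, flags) or raises on malformed input."""
    body, end = _get_string(msg, 0)
    if end != len(msg):
        raise ValueError("trailing bytes after message")
    if not body or body[0] != SSH2_AGENTC_SIGN_REQUEST:
        raise ValueError("not a sign request")
    key_blob, off = _get_string(body, 1)
    data, off = _get_string(body, off)
    if off + 4 != len(body):
        raise ValueError("bad flags field")
    (flags,) = struct.unpack_from(">I", body, off)
    return key_blob, data, flags


def client_proxy(msg: bytes, forward_agent: str) -> bytes:
    """Step 3: the local ssh, when the connection has 'ForwardAgent ask',
    rewrites every sign request arriving over the forwarded channel so
    that it carries SSH_AGENT_NONLOCAL. Other settings pass it through."""
    if forward_agent != "ask":
        return msg
    key_blob, data, flags = parse_sign_request(msg)
    return build_sign_request(key_blob, data, flags | SSH_AGENT_NONLOCAL)


def agent_must_prompt(constraint: int, flags: int) -> bool:
    """Step 4: prompt iff the key's constraint requires it for this request."""
    if constraint == CONFIRM_ALWAYS:
        return True
    if constraint == CONFIRM_NONLOCAL:
        return bool(flags & SSH_AGENT_NONLOCAL)
    return False


def handle_sign_request(msg: bytes, key_constraints: dict) -> str:
    """Agent-side dispatch: 'SIGN', 'PROMPT', or 'SSH_AGENT_FAILURE' for unknown keys."""
    key_blob, _data, flags = parse_sign_request(msg)
    constraint = key_constraints.get(key_blob)
    if constraint is None:
        return "SSH_AGENT_FAILURE"
    if agent_must_prompt(constraint, flags):
        return "PROMPT"
    return "SIGN"


if __name__ == "__main__":
    # Constructed sample key blob and data; a real blob is the public key encoding.
    key = b"ssh-ed25519 constructed-key-blob"
    local = build_sign_request(key, b"constructed session data")
    forwarded = client_proxy(local, "ask")
    policy = {key: CONFIRM_NONLOCAL}
    print("local request:    ", handle_sign_request(local, policy))
    print("forwarded request:", handle_sign_request(forwarded, policy))
```

With a key added under the NONLOCAL constraint, a request that originates on the local machine is signed silently, while the same request relayed through a "ForwardAgent ask" connection triggers the prompt; a key added with the existing CONFIRM constraint prompts in both cases.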

