[RFC][PATCH v2] Support a list of sockets on SSH_AUTH_SOCK

Philipp Marek philipp.marek at linbit.com
Mon Sep 28 16:26:18 AEST 2015


> > The idea behind this change is to add support for different "ssh-agents"
> > being able to run at the same time. It does not change the current
> > behaviour of the ssh-agent (which will set SSH_AUTH_SOCK just for
> > itself). Neither does it change the behaviour of SSH_AGENT_PID (which
> > still supports only one pid).
> 
> Conceptually, it seems reasonable. But I'd recommend being very, very
> careful with environment parsing between multiple old and new versions
> of client, agent, and server.

IMO having another environment variable with similar meaning is not a good 
design. In shell scripts it will be left alone, leading to another ssh-agent 
being active by error, and similar things.


Well, I can offer a few ideas.

One is to use the ":" separator, like in $PATH. Yes, it got discarded for 
various reasons in the other thread; yes, X11 uses that for display names, 
but observe:

    $ echo $DISPLAY
    :0
    $ ls -la /tmp/.X11-unix/X0
    srwxrwxrwx 1 root root 0 Sep 26 22:36 /tmp/.X11-unix/X0

Although the display has a ":" in it, the socket in the filesystem doesn't; 
so I guess that scripts wanting to store a SSH agent per-display (instead 
of per-user) can get that working, too.

Whitespace (with a fixed set, e.g. space and tab - not any 'whitespace' 
Unicode code points) would be another idea, but see IFS, quoting, etc.


The second idea is to have $SSH_AUTH_SOCK point to a *directory*, and to 
use the sockets in there in ASCII alphanumeric order - so the default agent 
would register itself as "/tmp/ssh-<random>/500-agent.8903", and other 
agents could move themselves earlier or later in the list.

The third idea is similar: keep pointing to a file, but look at all 
glob("$SSH_AUTH_SOCK*") sockets in there, in ASCII alphanumeric order 
again.


Or, the other idea from the original question - have an agent push queries 
to the "previous" agent as a fallback.


I'd prefer the last one - because it transparently works with all programs 
that know how to access *one* agent socket (like some Java implementations, 
etc.), followed by 3, 2, and 1, I guess - although it doesn't matter as much
with these any more.
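The three enumeration schemes proposed above (idea 1: a ":"-separated list; idea 2: a directory; idea 3: a glob prefix), as an added example that is not from this thread and not OpenSSH code. The ownership/permission filter in usable_socket is my own assumption about what a consumer of such a list should check before connecting; the sockets and file names in demo() are constructed sample input.

```python
import glob
import os
import shutil
import socket
import stat
import tempfile

def split_socket_list(value):
    # Idea 1: ':'-separated like $PATH; drop empty entries so a stray ':'
    # never turns into "the current directory".
    return [p for p in value.split(":") if p]

def sockets_by_glob(prefix):
    # Idea 3: everything matching glob("$SSH_AUTH_SOCK*"), in ASCII order.
    # Idea 2 (the variable names a directory) is the same with prefix = dir + "/".
    return sorted(glob.glob(glob.escape(prefix) + "*"))

def usable_socket(path):
    # Check added here (my assumption, not part of the proposal): accept only a
    # real Unix socket (no symlink) owned by us and not writable by others.
    try:
        st = os.lstat(path)
    except OSError:
        return False
    return (stat.S_ISSOCK(st.st_mode) and st.st_uid == os.getuid()
            and not st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))

def candidate_sockets(value, scheme):
    """Ordered agent sockets to try for one SSH_AUTH_SOCK value under a scheme."""
    paths = {"list": split_socket_list, "glob": sockets_by_glob,
             "dir": lambda d: sockets_by_glob(os.path.join(d, ""))}[scheme](value)
    return [p for p in paths if usable_socket(p)]

def demo():
    """Constructed sample: a temp dir holding three agent sockets, one
    world-writable socket and a plain file; returns candidate names per scheme."""
    d = tempfile.mkdtemp(prefix="ssh-")
    try:
        for name, mode in [("500-agent.8903", 0o600), ("100-gpg-agent", 0o600),
                           ("900-hw-agent", 0o600), ("700-bad", 0o666)]:
            with socket.socket(socket.AF_UNIX) as s:
                s.bind(os.path.join(d, name))  # the path outlives the descriptor
            os.chmod(os.path.join(d, name), mode)
        open(os.path.join(d, "notes.txt"), "w").close()
        env = ":".join([d + "/500-agent.8903", "", d + "/notes.txt", d + "/100-gpg-agent"])
        out = {"list": candidate_sockets(env, "list"), "dir": candidate_sockets(d, "dir"),
               "glob": candidate_sockets(d + "/500-agent", "glob")}
        return {k: [os.path.basename(p) for p in v] for k, v in out.items()}
    finally:
        shutil.rmtree(d)
```

Under scheme "list" the order is the order given in the variable; under "dir" and "glob" it is the ASCII order of the names, which is how the 500-agent/100-gpg-agent numbering above would take effect.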
