
[Bug 3597] Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597

Damien Miller <djm@mindrot.org> changed:

What        | Removed | Added
------------+---------+----------------
Resolution  | ---     | WORKSFORME
Status      | NEW     | RESOLVED
CC          |         | djm@mindrot.org

--- Comment #1 from Damien Miller <djm@mindrot.org> ---
remote_add_provider indicates whether the user has allowed remote
ssh-agent clients to add PKCS#11 providers.

e->nsession_ids>0 indicates that a session is actually remote. A local
session will have e->nsession_ids=0.

See process_ext_session_bind() in ssh-agent.c and the corresponding
authfd.c:ssh_agent_bind_hostkey() code that is called from ssh's
clientloop.c:client_request_agent().

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3597] Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597

--- Comment #2 from renmingshuai <rmsh1216@163.com> ---
(In reply to Damien Miller from comment #1)
> remote_add_provider indicates whether the user has allowed remote
> ssh-agent clients to add PKCS#11 providers.
>
> e->nsession_ids>0 indicates that a session is actually remote. A
> local session will have e->nsession_ids=0.
>
> See process_ext_session_bind() in ssh-agent.c and the corresponding
> authfd.c:ssh_agent_bind_hostkey() code that is called from ssh's
> clientloop.c:client_request_agent().

Thanks, I get it.
Besides, e->nsession_ids was introduced in openssh-8.9p1. For lower
versions, before openssh-8.9p1, only checking the value of
remote_add_provider is stricter, although it may cause some other
problems.

[Bug 3597] Why do we check both nsession_ids and remote_add_provider when judging whether allow remote addition of FIDO/PKCS11 provider libraries is disabled?
https://bugzilla.mindrot.org/show_bug.cgi?id=3597

--- Comment #3 from Damien Miller <djm@mindrot.org> ---
> For lower version, before openssh-8.9p1, only checking the
> value of remote_add_provider is stricter, although it may
> cause some problems else.

That won't work. Older versions have no way of telling whether a socket
is local or remote, so testing remote_add_provider alone would simply
ban all PKCS#11 loading.

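As an added illustration of the two points Damien makes in comments #1 and #3, and not code from OpenSSH itself: a constructed C model of the agent state, the session-bind recording that marks a socket as remote, and the provider-add decision, with the pre-8.9 "flag only" check alongside. The struct layout, the function names and the scenario helper are assumptions made for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed model of the ssh-agent state relevant to this check.
 * Field names follow the discussion; the struct itself is not ssh-agent's. */
#define SESSION_ID_LEN 32
#define MAX_SESSION_IDS 16
struct agent {
    unsigned char session_ids[MAX_SESSION_IDS][SESSION_ID_LEN];
    size_t nsession_ids;        /* 0 on a local socket; >0 once a client bound */
    bool remote_add_provider;   /* user opted in to remote provider loading */
};

void agent_init(struct agent *e, bool remote_add_provider)
{
    memset(e, 0, sizeof(*e));
    e->remote_add_provider = remote_add_provider;
}

/* Models what process_ext_session_bind() records: the ssh client registers
 * its session id with the agent, which is how the agent learns the socket
 * is being used by a remote (forwarded) session. */
bool agent_session_bind(struct agent *e, const unsigned char id[SESSION_ID_LEN])
{
    if (e->nsession_ids >= MAX_SESSION_IDS)
        return false;
    memcpy(e->session_ids[e->nsession_ids++], id, SESSION_ID_LEN);
    return true;
}

/* The check from comment #1: refuse a PKCS#11 provider add only when the
 * session is known to be remote AND the user has not allowed remote adds. */
bool agent_pkcs11_add_allowed(const struct agent *e)
{
    return !(e->nsession_ids > 0 && !e->remote_add_provider);
}

/* Comment #3: an agent without session tracking cannot tell local from
 * remote, so gating on remote_add_provider alone bans every load when the
 * flag is off, local clients included. */
bool legacy_pkcs11_add_allowed(bool remote_add_provider)
{
    return remote_add_provider;
}

/* Scenario helper (hypothetical): build an agent, optionally bind a
 * constructed session id, and report whether a provider add would pass. */
bool pkcs11_add_scenario(bool client_bound, bool remote_add_provider)
{
    struct agent e;
    unsigned char id[SESSION_ID_LEN] = { 0x5e, 0x55, 0x10 }; /* constructed */
    agent_init(&e, remote_add_provider);
    if (client_bound && !agent_session_bind(&e, id))
        return false;
    return agent_pkcs11_add_allowed(&e);
}
```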