Re: Requesting agent forwarding
- Subject: Re: Requesting agent forwarding
- From: Andreas Schneider <asn@xxxxxxxxxxxxxx>
- Reply-to: libssh@xxxxxxxxxx
- Date: Fri, 20 Apr 2012 21:36:05 +0200
- To: libssh@xxxxxxxxxx
On Friday 20 April 2012 11:18:48 you wrote:
> Andreas, Mitchell,
> Hm, I don't think this is necessary. Windows should be able to forward
> agent just as well, shouldn't it? I thought that it just required a
> request over the channel, which caused an ssh-agent daemon to start on
> the remote end. Unix sockets vs windows sockets shouldn't change,
> should it?

If you connect with your client to the server with ssh-agent forwarding, then there is no ssh-agent running on the server. This would be insecure!

You talk to the ssh-agent on the client over a unix socket. If you turn on agent forwarding the ssh client creates a channel and all channel requests go to the ssh-agent unix socket on the client. On the server side the ssh server creates a unix socket and connects it with the ssh channel. An agent request on the server is now going to the ssh-agent running on the client you connected from. There is no ssh-agent process running on the server.

> I currently use a pure-Ruby SSH library that allows for forwarding on
> Windows, and this will be a requirement for the switch to libssh, so
> it is important that this actually works on Windows.

ssh-agent is an OpenSSH-specific implementation using unix sockets and a non-standardized protocol. If you just want to create a channel request for agent forwarding that's fine, but ssh-agent stuff is unix specific. On Windows I only know about Pageant from PuTTY. I dunno what it looks like with cygwin but probably it simulates unix sockets over Windows IPC.

> It looks like the function I'd need to call is a file-local (static)
> function, so I can't actually call it externally. The function I would
> need specifically is `channel_request`.
>
> What functions were you thinking?

Looks like it requires much more work.

https://tools.ietf.org/html/draft-ietf-secsh-agent-02

And it looks like it is an extension like sftp. So you need to implement it the same way as we did with sftp.

-- andreas

--
Andreas Schneider
GPG-ID: F33E3FC6
www.cryptomilk.org
asn@xxxxxxxxxxxxxx
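
The data path described in the message above, as an added example that is not part of the original post or of libssh: three socket pairs stand in for the server-side unix socket, the SSH channel and the client's agent socket, and one request is relayed hop by hop to an agent that exists only on the client. The length-prefixed framing and the message numbers 5, 11 and 12 are assumed from OpenSSH's agent protocol, not from the draft linked in the message; `forwarded_request` and the helper names are hypothetical.

```c
#include <stdint.h>
#include <sys/socket.h>
#include <unistd.h>

/* Assumed: OpenSSH agent message numbers, not taken from the linked draft. */
enum { AGENT_FAILURE = 5, REQUEST_IDENTITIES = 11, IDENTITIES_ANSWER = 12 };

/* Read one frame (uint32 big-endian length, then payload); size or -1. */
static int read_frame(int fd, unsigned char *b, size_t cap) {
    if (recv(fd, b, 4, MSG_WAITALL) != 4) return -1;
    uint32_t len = (uint32_t)b[0] << 24 | (uint32_t)b[1] << 16 | (uint32_t)b[2] << 8 | b[3];
    if (len == 0 || len > cap - 4) return -1; /* reject empty or oversized frames */
    if (recv(fd, b + 4, len, MSG_WAITALL) != (ssize_t)len) return -1;
    return (int)len + 4;
}

/* Copy exactly one frame from one descriptor to another. */
static int relay(int from, int to) {
    unsigned char b[256];
    int n = read_frame(from, b, sizeof b);
    return (n > 0 && write(to, b, (size_t)n) == n) ? n : -1;
}

/* Stand-in for the agent on the client: holds no keys, answers one request. */
static int fake_agent(int fd) {
    unsigned char b[256], no[] = {0, 0, 0, 1, AGENT_FAILURE};
    unsigned char ok[] = {0, 0, 0, 5, IDENTITIES_ANSWER, 0, 0, 0, 0}; /* zero keys */
    if (read_frame(fd, b, sizeof b) < 0) return -1;
    if (b[4] == REQUEST_IDENTITIES) return write(fd, ok, sizeof ok) == (ssize_t)sizeof ok ? 0 : -1;
    return write(fd, no, sizeof no) == (ssize_t)sizeof no ? 0 : -1;
}

/* Reply type seen by a program on the server, or -1 on error. */
int forwarded_request(unsigned char type) {
    /* fd[0] program on server, fd[1] sshd's unix socket, fd[2]/fd[3] server and client
       ends of the channel, fd[4] ssh client, fd[5] agent on the client */
    int fd[6] = {-1, -1, -1, -1, -1, -1}, reply = -1, up = 1;
    unsigned char req[5] = {0, 0, 0, 1, type}, b[256];
    for (int i = 0; i < 6; i += 2) up = up && socketpair(AF_UNIX, SOCK_STREAM, 0, fd + i) == 0;
    if (up && write(fd[0], req, sizeof req) == (ssize_t)sizeof req &&
        relay(fd[1], fd[2]) > 0 && relay(fd[3], fd[4]) > 0 && /* server -> client */
        fake_agent(fd[5]) == 0 &&
        relay(fd[4], fd[3]) > 0 && relay(fd[2], fd[1]) > 0 && /* reply comes back */
        read_frame(fd[0], b, sizeof b) > 0)
        reply = b[4];
    for (int i = 0; i < 6; i++) if (fd[i] >= 0) close(fd[i]);
    return reply;
}
```

Nothing on the server side of this sketch ever parses or answers a request; it only copies frames, which matches the description that no ssh-agent process runs on the server.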