IETF-SSH archive


Re: Secure Shell WG: what's left?



>> I will note that in my implementation I found I had to use private
>> requests and channel types in order to make agent forwarding work
>> right with connection sharing, and that's without any attempt at
>> backward compatibility.
> Hrm; that's interesting.  If the current request and channel type are
> inadequate, maybe we need to define new ones.

My request and channel type are the same as the ones agent-02 4.1 and
4.2, except that each one has a uint32 appended to it (and they have
private names, of course).  This uint32 is an opaque cookie (opaque to
the server side, that is) that allows the client to tell which request,
and therefore which session channel, a given agent channel open attempt
corresponds to: an agent connection open packet includes the cookie
from the matching agent forwarding request packet.

Otherwise, if you have two sessions on a shared channel, both of which
have requested auth agent forwarding, the connection-sharing
multiplexer on the client side can't tell which session, and therefore
which of the multiplexer's clients, a given agent connection goes with.
(It matters if the two clients are talking with different agents.)

This does lose one capability of the stock protocol, that being agent
connection opens without corresponding agent forwarding requests.  I
don't consider this a significant loss, especially since I agree with
agent-02 that "Implementations MUST reject [auth-agent channel open]
messages unless they have previously requested agent forwarding".

I had to do similar things for X forwarding too, though in that case I
consider x11-req (as in connect-25 6.3.1) and x11 (connect-25 6.3.2)
broken enough that I don't even try to be compatible with them.  (For
agent forwarding, my code falls back to using the agent-02 mechanisms
if the other end doesn't use my fixed versions, and simply doesn't work
through connection sharing then.)

I've been told modern openssh does connection sharing - when I was at
BSDCan in May another person there showed me a manpage including an
option for it.  Does anyone here know what they do about this issue,
how they deal with the "which session does this agent channel open go
with" question?  If there's some way to do it with the stock request
and channel type, I'd very much like to know it - but I sure can't see
one; I think there simply isn't enough information.

> It'd still be nice, I think, to avoid tying the agent protocol
> version to the type of channel it runs on, if we can avoid it.

By "channel" do you mean the thing connect-25 speaks of as a channel,
or do you mean it in a more generic sense?

Either way, I don't see any such dependency in either agent-02 or my
mutated version of it.

/~\ The ASCII				der Mouse
\ / Ribbon Campaign
 X  Against HTML	       mouse%rodents.montreal.qc.ca@localhost
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B
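The cookie mechanism described in the message above, as an added example that is not code from the post or from der Mouse's implementation: the private request and channel-type names are placeholders, the cookie is laid out as the type-specific data appended after the standard SSH_MSG_CHANNEL_REQUEST / SSH_MSG_CHANNEL_OPEN fields, and the multiplexer simply maps each cookie back to the sharing client that issued the forwarding request.

```python
import struct

# Placeholder private names; the post does not give the real ones.
AGENT_REQ = "auth-agent-req-cookie@example.invalid"
AGENT_CHAN = "auth-agent-cookie@example.invalid"


def ssh_string(s: bytes) -> bytes:
    """SSH wire 'string': uint32 length followed by the bytes."""
    return struct.pack(">I", len(s)) + s


def build_agent_request(cookie: int) -> bytes:
    """CHANNEL_REQUEST payload after the recipient channel: request type,
    want_reply flag, then the appended uint32 cookie."""
    return ssh_string(AGENT_REQ.encode()) + b"\x00" + struct.pack(">I", cookie)


def build_agent_open(sender_chan: int, cookie: int) -> bytes:
    """CHANNEL_OPEN payload after the message byte: channel type, sender
    channel, initial window, max packet size, then the uint32 cookie copied
    from the matching forwarding request (constructed window/packet sizes)."""
    return (ssh_string(AGENT_CHAN.encode())
            + struct.pack(">III", sender_chan, 1 << 20, 32768)
            + struct.pack(">I", cookie))


def parse_string(buf: bytes, off: int):
    (n,) = struct.unpack_from(">I", buf, off)
    return buf[off + 4:off + 4 + n], off + 4 + n


class Multiplexer:
    """Client-side connection-sharing multiplexer: remembers which sharing
    client asked for agent forwarding, keyed by the cookie it handed out."""

    def __init__(self):
        self.by_cookie = {}
        self.next_cookie = 1

    def request_forwarding(self, client_id: str) -> bytes:
        cookie = self.next_cookie
        self.next_cookie += 1
        self.by_cookie[cookie] = client_id
        return build_agent_request(cookie)

    def route_open(self, payload: bytes):
        """Return the client an incoming agent channel open belongs to, or
        None when no prior forwarding request carried that cookie (reject)."""
        ctype, off = parse_string(payload, 0)
        if ctype != AGENT_CHAN.encode():
            return None
        (cookie,) = struct.unpack_from(">I", payload, off + 12)  # skip 3 uint32s
        return self.by_cookie.get(cookie)
```

Without the cookie, two sharing clients that both requested forwarding are indistinguishable at this point, which is exactly the ambiguity the post describes.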


