From b02ad1ce9105bfa7394ac7590c0729dd52e26a81 Mon Sep 17 00:00:00 2001 From: "markus@openbsd.org" Date: Wed, 4 May 2016 12:21:53 +0000 Subject: [PATCH] upstream commit IdentityAgent for specifying specific agent sockets; ok djm@ Upstream-ID: 3e6a15eb89ea0fd406f108826b7dc7dec4fbfac1 --- readconf.c | 11 +++++++++-- readconf.h | 3 ++- ssh.1 | 5 +++-- ssh.c | 18 +++++++++++++++++- ssh_config.5 | 29 +++++++++++++++++++++++++++-- 5 files changed, 58 insertions(+), 8 deletions(-) diff --git a/readconf.c b/readconf.c index b348c9683..26436b3ac 100644 --- a/readconf.c +++ b/readconf.c @@ -1,4 +1,4 @@ -/* $OpenBSD: readconf.c,v 1.252 2016/04/15 00:30:19 djm Exp $ */ +/* $OpenBSD: readconf.c,v 1.253 2016/05/04 12:21:53 markus Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -147,7 +147,7 @@ typedef enum { oPasswordAuthentication, oRSAAuthentication, oChallengeResponseAuthentication, oXAuthLocation, oIdentityFile, oHostName, oPort, oCipher, oRemoteForward, oLocalForward, - oCertificateFile, oAddKeysToAgent, + oCertificateFile, oAddKeysToAgent, oIdentityAgent, oUser, oEscapeChar, oRhostsRSAAuthentication, oProxyCommand, oGlobalKnownHostsFile, oUserKnownHostsFile, oConnectionAttempts, oBatchMode, oCheckHostIP, oStrictHostKeyChecking, oCompression, @@ -217,6 +217,7 @@ static struct { { "identitiesonly", oIdentitiesOnly }, { "certificatefile", oCertificateFile }, { "addkeystoagent", oAddKeysToAgent }, + { "identityagent", oIdentityAgent }, { "hostname", oHostName }, { "hostkeyalias", oHostKeyAlias }, { "proxycommand", oProxyCommand }, @@ -1636,6 +1637,10 @@ parse_keytypes: multistate_ptr = multistate_yesnoaskconfirm; goto parse_multistate; + case oIdentityAgent: + charptr = &options->identity_agent; + goto parse_string; + case oDeprecated: debug("%s line %d: Deprecated option \"%s\"", filename, linenum, keyword); 
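Review bot: The new oIdentityAgent case hands the argument to parse_string, which presumably stores it verbatim, so neither the "none" sentinel nor the ~ and %d/%u/%l/%h/%r escapes that ssh_config.5 documents for this option are interpreted in readconf.c; they are only resolved where ssh.c later sets SSH_AUTH_SOCK. A one-line comment on the case, `/* "none" and ~/%-escapes are resolved in ssh.c, not here */`, would make that split explicit for the next person adding a path option. The enclosing config-line parser starts and ends outside the hunk.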
@@ -1814,6 +1819,7 @@ initialize_options(Options * options)
 options->local_command = NULL;
 options->permit_local_command = -1;
 options->add_keys_to_agent = -1;
+ options->identity_agent = NULL;
 options->visual_host_key = -1;
 options->ip_qos_interactive = -1;
 options->ip_qos_bulk = -1;
@@ -2463,6 +2469,7 @@ dump_client_config(Options *o, const char *host)
 dump_cfg_string(oHostKeyAlgorithms, o->hostkeyalgorithms);
 dump_cfg_string(oHostKeyAlias, o->host_key_alias);
 dump_cfg_string(oHostbasedKeyTypes, o->hostbased_key_types);
+ dump_cfg_string(oIdentityAgent, o->identity_agent);
 dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
 dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
 dump_cfg_string(oLocalCommand, o->local_command);
diff --git a/readconf.h b/readconf.h
index 5f4451066..f0e498ea2 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.114 2016/04/15 00:30:19 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.115 2016/05/04 12:21:53 markus Exp $ */
 
 /*
 * Author: Tatu Ylonen
@@ -101,6 +101,7 @@ typedef struct {
 struct sshkey *certificates[SSH_MAX_CERTIFICATE_FILES];
 
 int add_keys_to_agent;
+ char *identity_agent; /* Optional path to ssh-agent socket */
 
 /* Local TCP/IP forward requests. */
 int num_local_forwards;
diff --git a/ssh.1 b/ssh.1
index 85309ecc4..9ed5a5662 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.370 2016/04/15 00:30:19 djm Exp $
-.Dd $Mdocdate: April 15 2016 $
+.\" $OpenBSD: ssh.1,v 1.371 2016/05/04 12:21:53 markus Exp $
+.Dd $Mdocdate: May 4 2016 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -501,6 +501,7 @@ For full details of the options listed below, and their possible values, see
 .It HostKeyAlgorithms
 .It HostKeyAlias
 .It HostName
+.It IdentityAgent
 .It IdentityFile
 .It IdentitiesOnly
 .It Include
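Review bot: The comment on the new identity_agent field in readconf.h under-describes the value: per the ssh.c and ssh_config.5 changes in this same commit it may also be the literal "none" (which unsets SSH_AUTH_SOCK) and may carry ~ and %d/%u/%l/%h/%r escapes that are expanded only in ssh.c main(), never in readconf.c. Widening it to `/* ssh-agent socket path, "none", or ~/%-escaped path; expanded in ssh.c */` saves the next reader a cross-file lookup. The enclosing struct starts and ends outside the hunk.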
diff --git a/ssh.c b/ssh.c
index a881ba14c..ea52bbf5d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.438 2016/04/29 08:07:53 djm Exp $ */
+/* $OpenBSD: ssh.c,v 1.439 2016/05/04 12:21:53 markus Exp $ */
 /*
 * Author: Tatu Ylonen
 * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland
@@ -1335,6 +1335,22 @@ main(int ac, char **av)
 /* load options.identity_files */
 load_public_identity_files();
 
+ /* optionally set the SSH_AUTHSOCKET_ENV_NAME varibale */
+ if (options.identity_agent) {
+ if (strcmp(options.identity_agent, "none") == 0) {
+ unsetenv(SSH_AUTHSOCKET_ENV_NAME);
+ } else {
+ p = tilde_expand_filename(options.identity_agent,
+ original_real_uid);
+ cp = percent_expand(p, "d", pw->pw_dir,
+ "u", pw->pw_name, "l", thishost, "h", host,
+ "r", options.user, (char *)NULL);
+ setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1);
+ free(cp);
+ free(p);
+ }
+ }
+
 /* Expand ~ in known host file names. */
 tilde_expand_paths(options.system_hostfiles,
 options.num_system_hostfiles);
diff --git a/ssh_config.5 b/ssh_config.5
index 10650e1bc..be790114a 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.230 2016/04/17 14:34:46 jmc Exp $
-.Dd $Mdocdate: April 17 2016 $
+.\" $OpenBSD: ssh_config.5,v 1.231 2016/05/04 12:21:53 markus Exp $
+.Dd $Mdocdate: May 4 2016 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
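Review bot: The setenv() and unsetenv() calls in the new ssh.c block ignore their return values, so a failure (ENOMEM for setenv) leaves SSH_AUTH_SOCK pointing at whatever agent it named before and silently discards the user's IdentityAgent choice; the calls should be checked with ssh.c's existing fatal(), e.g. `if (setenv(SSH_AUTHSOCKET_ENV_NAME, cp, 1) == -1) fatal("setenv %s: %s", SSH_AUTHSOCKET_ENV_NAME, strerror(errno));`. The comment on the first added line misspells "variable" (`varibale`). percent_expand() is passed thishost and options.user, which this hunk does not show being initialised; presumably main() has set both by this point, as load_public_identity_files() just above expands the same escapes, but the ordering is worth a comment since a NULL here would be caught only at runtime. Because the value is exported through the environment, any ProxyCommand or LocalCommand spawned later in this run inherits the configured socket path too, which is presumably intended but deserves a line in the comment. main() starts and ends outside the hunk.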
@@ -952,6 +952,31 @@ This option is intended for situations where ssh-agent offers many
 different identities.
 The default is
 .Dq no .
+.It Cm IdentityAgent
+Specifies the
+.Ux Ns -domain
+socket used to communicate with the authentication agent.
+.Pp
+This option overrides the
+.Dq SSH_AUTH_SOCK
+environment variable and can be used to select a specific agent.
+Setting the socket name to
+.Dq none
+disables the use of an authentication agent.
+.Pp
+The socket name may use the tilde
+syntax to refer to a user's home directory or one of the following
+escape characters:
+.Ql %d
+(local user's home directory),
+.Ql %u
+(local user name),
+.Ql %l
+(local host name),
+.Ql %h
+(remote host name) or
+.Ql %r
+(remote user name).
 .It Cm IdentityFile
 Specifies a file from which the user's DSA, ECDSA, Ed25519 or RSA
 authentication identity is read.