-/* $OpenBSD: channels.c,v 1.456 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: channels.c,v 1.457 2026/03/05 05:40:35 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
}
void
-channel_request_start(struct ssh *ssh, int id, char *service, int wantconfirm)
+channel_request_start(struct ssh *ssh, int id, const char *service,
+ int wantconfirm)
{
Channel *c = channel_lookup(ssh, id);
int r;
SSH_CHANNEL_OPENING, newsock, newsock, -1,
c->local_window_max, c->local_maxpacket,
0, "accepted auth socket", 1);
- open_preamble(ssh, __func__, nc, "auth-agent@openssh.com");
+ open_preamble(ssh, __func__, nc,
+ c->agent_new ? "agent-connect" : "auth-agent@openssh.com");
if ((r = sshpkt_send(ssh)) != 0)
fatal_fr(r, "channel %i", c->self);
}
-/* $OpenBSD: channels.h,v 1.163 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: channels.h,v 1.164 2026/03/05 05:40:35 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
u_int local_consumed;
u_int local_maxpacket;
int extended_usage;
+ int agent_new; /* For agent listeners, use RFC XXX reqests */
int single_connection;
char *ctype; /* const type - NB. not freed on channel_free */
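Review bot: The comment on the new `agent_new` field does not say what the flag changes, and it carries a placeholder and a typo ("RFC XXX reqests"). Judging by the channels.c hunk in this commit, the flag selects the channel type that an agent listener opens, so `int agent_new; /* agent listener: open "agent-connect" rather than "auth-agent@openssh.com" */` would be clearer. The struct definition begins and ends outside this hunk.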
void channel_set_xtype(struct ssh *, int, const char *);
void channel_send_open(struct ssh *, int);
-void channel_request_start(struct ssh *, int, char *, int);
+void channel_request_start(struct ssh *, int, const char *, int);
void channel_register_cleanup(struct ssh *, int,
channel_callback_fn *, int);
void channel_register_open_confirm(struct ssh *, int,
int chan_is_dead(struct ssh *, Channel *, int);
void chan_mark_dead(struct ssh *, Channel *);
+/* agent forwarding */
+void client_channel_reqest_agent_forwarding(struct ssh *, int);
+
/* channel events */
void chan_rcvd_oclose(struct ssh *, Channel *);
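Review bot: The new prototype `client_channel_reqest_agent_forwarding` misspells "request", and the same spelling is repeated at the definition in clientloop.c and at the callers in mux.c and ssh.c. Renaming it now to `client_channel_request_agent_forwarding` is cheaper than after more callers appear. The function is defined in clientloop.c but declared here in channels.h; if the client loop has its own header, that is presumably the more natural home, so that channels.h declares only what channels.c provides.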
-/* $OpenBSD: clientloop.c,v 1.421 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: clientloop.c,v 1.422 2026/03/05 05:40:35 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
c = client_request_forwarded_streamlocal(ssh, ctype, rchan);
} else if (strcmp(ctype, "x11") == 0) {
c = client_request_x11(ssh, ctype, rchan);
- } else if (strcmp(ctype, "auth-agent@openssh.com") == 0) {
+ } else if (strcmp(ctype, "auth-agent@openssh.com") == 0 ||
+ strcmp(ctype, "agent-connect") == 0) {
c = client_request_agent(ssh, ctype, rchan);
}
if (c != NULL && c->type == SSH_CHANNEL_MUX_CLIENT) {
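Review bot: The added `strcmp(ctype, "agent-connect") == 0` arm accepts the new channel type without checking whether `KEX_HAS_NEWAGENT` was set or which request name this client actually sent. Both names reach `client_request_agent`, so any check that forwarding was requested at all has to live in that function, which is outside this hunk and should be confirmed. If the mixed case (legacy request answered with the new channel name, or the reverse) is meant to be tolerated, a comment such as `/* accept either name regardless of which request was sent */` would record that. Otherwise the arm could be gated on the flag. The else-if chain starts outside the hunk.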
client_repledge();
}
+void
+client_channel_reqest_agent_forwarding(struct ssh *ssh, int id)
+{
+ const char *req = "auth-agent-req@openssh.com";
+ int r;
+
+ if (ssh->kex != NULL && (ssh->kex->flags & KEX_HAS_NEWAGENT) != 0)
+ req = "agent-req"; /* XXX RFC XXX */
+ debug("Requesting agent forwarding on channel %d via %s", id, req);
+ channel_request_start(ssh, id, req, 0);
+ if ((r = sshpkt_send(ssh)) != 0)
+ fatal_fr(r, "send");
+}
+
static void
client_init_dispatch(struct ssh *ssh)
{
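Review bot: `client_channel_reqest_agent_forwarding` has no header comment, yet the request name it sends is decided by a flag derived from the server's EXT_INFO, which is worth stating where the decision is made. A short comment above the function would do, saying that it sends "agent-req" when the peer advertised the agent-forward extension and the legacy "auth-agent-req@openssh.com" otherwise. The `/* XXX RFC XXX */` marker on the `req = "agent-req";` line is a placeholder that should be replaced once the reference is final.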
-/* $OpenBSD: kex.c,v 1.192 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: kex.c,v 1.193 2026/03/05 05:40:35 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
*
if (ssh->kex->server_sig_algs == NULL &&
(ssh->kex->server_sig_algs = sshkey_alg_list(0, 1, 1, ',')) == NULL)
return SSH_ERR_ALLOC_FAIL;
- if ((r = sshbuf_put_u32(m, 3)) != 0 ||
+ if ((r = sshbuf_put_u32(m, 4)) != 0 ||
(r = sshbuf_put_cstring(m, "server-sig-algs")) != 0 ||
(r = sshbuf_put_cstring(m, ssh->kex->server_sig_algs)) != 0 ||
(r = sshbuf_put_cstring(m,
"publickey-hostbound@openssh.com")) != 0 ||
(r = sshbuf_put_cstring(m, "0")) != 0 ||
(r = sshbuf_put_cstring(m, "ping@openssh.com")) != 0 ||
+ (r = sshbuf_put_cstring(m, "0")) != 0 ||
+ (r = sshbuf_put_cstring(m, "agent-forward")) != 0 ||
(r = sshbuf_put_cstring(m, "0")) != 0) {
error_fr(r, "compose");
return r;
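Review bot: The count in `sshbuf_put_u32(m, 4)` is a hand-maintained literal that must equal the number of name/value pairs in the chain below it. This commit had to change both, and a mismatch would produce an EXT_INFO message that the peer misparses. A comment on that line, e.g. `/* number of extensions that follow */`, or deriving the count from a table of names, would make the coupling explicit. The enclosing function begins outside the hunk.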
"0", KEX_HAS_PING)) != 0) {
return r;
}
+ } else if (ssh->kex->ext_info_received == 1 &&
+ strcmp(name, "agent-forward") == 0) {
+ if ((r = kex_ext_info_check_ver(ssh->kex, name, value, vlen,
+ "0", KEX_HAS_NEWAGENT)) != 0) {
+ return r;
+ }
} else
debug_f("%s (unrecognised)", name);
-/* $OpenBSD: kex.h,v 1.128 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: kex.h,v 1.129 2026/03/05 05:40:36 djm Exp $ */
/*
* Copyright (c) 2000, 2001 Markus Friedl. All rights reserved.
#define KEX_RSA_SHA2_512_SUPPORTED 0x0010 /* only set in server for now */
#define KEX_HAS_PING 0x0020
#define KEX_HAS_EXT_INFO_IN_AUTH 0x0040
+#define KEX_HAS_NEWAGENT 0x0080 /* only set in client */
/* kex->pq */
#define KEX_NOT_PQ 0
-/* $OpenBSD: mux.c,v 1.111 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: mux.c,v 1.112 2026/03/05 05:40:36 djm Exp $ */
/*
* Copyright (c) 2002-2008 Damien Miller <djm@openbsd.org>
*
}
}
- if (cctx->want_agent_fwd && options.forward_agent) {
- debug("Requesting authentication agent forwarding.");
- channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
- if ((r = sshpkt_send(ssh)) != 0)
- fatal_fr(r, "send");
- }
+ if (cctx->want_agent_fwd && options.forward_agent)
+ client_channel_reqest_agent_forwarding(ssh, id);
client_session2_setup(ssh, id, cctx->want_tty, cctx->want_subsys,
cctx->term, &cctx->tio, c->rfd, cctx->cmd, cctx->env);
-/* $OpenBSD: session.c,v 1.347 2026/02/08 15:28:01 dtucker Exp $ */
+/* $OpenBSD: session.c,v 1.348 2026/03/05 05:40:36 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
}
static int
-auth_input_request_forwarding(struct ssh *ssh, struct passwd * pw)
+auth_input_request_forwarding(struct ssh *ssh, struct passwd *pw, int agent_new)
{
Channel *nc;
int sock = -1;
CHAN_X11_WINDOW_DEFAULT, CHAN_X11_PACKET_DEFAULT,
0, "auth socket", 1);
nc->path = xstrdup(auth_sock_name);
+ nc->agent_new = agent_new;
return 1;
authsock_err:
}
static int
-session_auth_agent_req(struct ssh *ssh, Session *s)
+session_auth_agent_req(struct ssh *ssh, Session *s, int agent_new)
{
static int called = 0;
int r;
debug_f("agent forwarding disabled");
return 0;
}
- if (called) {
+ if (called)
return 0;
- } else {
- called = 1;
- return auth_input_request_forwarding(ssh, s->pw);
- }
+
+ called = 1;
+ return auth_input_request_forwarding(ssh, s->pw, agent_new);
}
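Review bot: With the `static int called` latch, whichever of the two request names arrives first fixes the `agent_new` value passed to `auth_input_request_forwarding`, and a later request of the other kind returns 0 through `if (called)` without any log line. That is probably intended, but it is not stated. A comment before `called = 1;` such as `/* only the first request is honoured; it also decides agent_new */`, plus a `debug_f` on the `if (called)` path, would make such refusals diagnosable. Only part of the function body is visible in this hunk.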
int
} else if (strcmp(rtype, "x11-req") == 0) {
success = session_x11_req(ssh, s);
} else if (strcmp(rtype, "auth-agent-req@openssh.com") == 0) {
- success = session_auth_agent_req(ssh, s);
+ success = session_auth_agent_req(ssh, s, 0);
+ } else if (strcmp(rtype, "agent-req") == 0) {
+ success = session_auth_agent_req(ssh, s, 1);
} else if (strcmp(rtype, "subsystem") == 0) {
success = session_subsystem_req(ssh, s);
} else if (strcmp(rtype, "env") == 0) {
-/* $OpenBSD: ssh.c,v 1.627 2026/03/03 09:57:25 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.628 2026/03/05 05:40:36 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
{
extern char **environ;
const char *display, *term;
- int r;
char *proto = NULL, *data = NULL;
if (!success)
}
check_agent_present();
- if (options.forward_agent) {
- debug("Requesting authentication agent forwarding.");
- channel_request_start(ssh, id, "auth-agent-req@openssh.com", 0);
- if ((r = sshpkt_send(ssh)) != 0)
- fatal_fr(r, "send packet");
- }
+ if (options.forward_agent)
+ client_channel_reqest_agent_forwarding(ssh, id);
if ((term = lookup_env_in_list("TERM", options.setenv,
options.num_setenv)) == NULL || *term == '\0')