gpg-agent's ssh-agent does not handle flags in signing requests properly
Closed, Resolved, Public

Description

https://tools.ietf.org/html/draft-miller-ssh-agent-02#section-4.5 says:

If the agent does not support the requested flags, or is otherwise
unable or unwilling to generate the signature (e.g. because it
doesn't have the specified key, or the user refused confirmation of a
constrained key), it must reply with a SSH_AGENT_FAILURE message.

but ssh_handler_sign_request in agent/command-ssh.c shows that flags is read and then ignored.

This means that with OpenSSH 7.7, we see the following warning when using gpg-agent as ssh-agent:

warning: agent returned different signature type ssh-rsa (expected rsa-sha2-512)
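The following is an added example, not code from gpg-agent or from the T3880-fix branch, showing how a sign-request handler can honour the quoted section 4.5 clause: parse SSH_AGENTC_SIGN_REQUEST (key blob, data, uint32 flags), reject any flag bit the agent does not understand with SSH_AGENT_FAILURE, and otherwise use the flags to pick the signature algorithm so the client never sees a signature type it did not ask for (the OpenSSH 7.7 warning above). Assumptions: the flag values SSH_AGENT_RSA_SHA2_256 = 2 and SSH_AGENT_RSA_SHA2_512 = 4 come from the draft, key lookup from the blob is out of scope (the caller passes the resolved key type), the key blob and payload are constructed placeholders, and preferring SHA-512 when both RSA flags are set is this example's choice rather than spec behaviour.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Wire constants from draft-miller-ssh-agent (sections 4.5 and 5). */
#define SSH_AGENTC_SIGN_REQUEST 13
#define SSH_AGENT_FAILURE        5
#define SSH_AGENT_SIGN_RESPONSE 14
#define SSH_AGENT_RSA_SHA2_256   0x02u
#define SSH_AGENT_RSA_SHA2_512   0x04u

/* Flags this hypothetical agent knows how to honour; any other bit is "unsupported". */
#define SUPPORTED_SIGN_FLAGS (SSH_AGENT_RSA_SHA2_256 | SSH_AGENT_RSA_SHA2_512)

struct sign_decision {
    int reply_type;        /* SSH_AGENT_SIGN_RESPONSE or SSH_AGENT_FAILURE */
    const char *sig_algo;  /* algorithm name to place in the signature blob, NULL on failure */
};

static uint32_t get_u32(const unsigned char *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8) | (uint32_t)p[3];
}

static void put_u32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)(v >> 24); p[1] = (unsigned char)(v >> 16);
    p[2] = (unsigned char)(v >> 8);  p[3] = (unsigned char)v;
}

/* Consume an SSH "string" (uint32 length + bytes) at *off. Returns 0 on success. */
static int get_string(const unsigned char *buf, size_t len, size_t *off,
                      const unsigned char **out, size_t *outlen)
{
    if (len - *off < 4) return -1;
    uint32_t n = get_u32(buf + *off);
    *off += 4;
    if (n > len - *off) return -1;     /* length runs past the message */
    *out = buf + *off;
    *outlen = n;
    *off += n;
    return 0;
}

/* Inspect a SIGN_REQUEST and decide how to answer. key_type is the algorithm of the key
 * the request's blob resolved to ("ssh-rsa", "ssh-ed25519", ...); lookup is not shown. */
struct sign_decision decide_sign_request(const unsigned char *msg, size_t len,
                                         const char *key_type)
{
    struct sign_decision fail = { SSH_AGENT_FAILURE, NULL };
    struct sign_decision ok = { SSH_AGENT_SIGN_RESPONSE, NULL };
    const unsigned char *blob, *data;
    size_t bloblen, datalen, off = 1;

    if (len < 1 || msg[0] != SSH_AGENTC_SIGN_REQUEST) return fail;
    if (get_string(msg, len, &off, &blob, &bloblen) != 0 ||
        get_string(msg, len, &off, &data, &datalen) != 0 ||
        len - off != 4)                /* flags must be exactly the last four bytes */
        return fail;
    uint32_t flags = get_u32(msg + off);

    /* Section 4.5: flags the agent does not support -> SSH_AGENT_FAILURE, not a guess. */
    if (flags & ~SUPPORTED_SIGN_FLAGS) return fail;

    if (strcmp(key_type, "ssh-rsa") == 0) {
        if (flags & SSH_AGENT_RSA_SHA2_512)      ok.sig_algo = "rsa-sha2-512";
        else if (flags & SSH_AGENT_RSA_SHA2_256) ok.sig_algo = "rsa-sha2-256";
        else                                     ok.sig_algo = "ssh-rsa";
    } else {
        ok.sig_algo = key_type;        /* the RSA flags carry no meaning for other key types */
    }
    return ok;
}

/* Serialize a SIGN_REQUEST (client side / test helper). Returns bytes written, 0 if it doesn't fit. */
size_t build_sign_request(unsigned char *out, size_t cap,
                          const unsigned char *blob, size_t bloblen,
                          const unsigned char *data, size_t datalen, uint32_t flags)
{
    size_t need = 1 + 4 + bloblen + 4 + datalen + 4;
    if (cap < need) return 0;
    unsigned char *p = out;
    *p++ = SSH_AGENTC_SIGN_REQUEST;
    put_u32(p, (uint32_t)bloblen); p += 4; memcpy(p, blob, bloblen); p += bloblen;
    put_u32(p, (uint32_t)datalen); p += 4; memcpy(p, data, datalen); p += datalen;
    put_u32(p, flags);
    return need;
}

/* Build a request from constructed placeholder bytes and return the chosen algorithm (NULL = failure). */
const char *algo_for_flags(uint32_t flags, const char *key_type)
{
    static const unsigned char blob[] = "constructed-key-blob";     /* not a real key */
    static const unsigned char data[] = "constructed-data-to-sign";
    unsigned char msg[128];
    size_t n = build_sign_request(msg, sizeof msg, blob, sizeof blob - 1,
                                  data, sizeof data - 1, flags);
    return decide_sign_request(msg, n, key_type).sig_algo;
}

int main(void)
{
    const char *a = algo_for_flags(SSH_AGENT_RSA_SHA2_512, "ssh-rsa");
    printf("rsa-sha2-512 requested -> %s\n", a ? a : "SSH_AGENT_FAILURE");
    a = algo_for_flags(0x10, "ssh-rsa");
    printf("unknown flag 0x10      -> %s\n", a ? a : "SSH_AGENT_FAILURE");
    return 0;
}
```

The "flags read and then ignored" behaviour the ticket describes corresponds to dropping the mask check and always choosing "ssh-rsa": the client that asked for rsa-sha2-512 then gets an ssh-rsa signature back and emits the warning quoted above.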

dkg created this task. Apr 5 2018, 5:43 PM
gniibe claimed this task. Apr 6 2018, 8:51 AM
gniibe changed the task status from Open to Testing.
glow added a subscriber: glow. Apr 6 2018, 9:49 AM
werner closed this task as Resolved. Apr 9 2018, 10:46 PM
werner added a subscriber: werner.

It is in 2.2.6

dkg reopened this task as Open. Apr 10 2018, 12:14 AM

Thanks for the fix! However, the fix only addresses the two flags we currently know about. I've pushed a branch T3880-fix that tries to implement the "If the agent does not support the requested flags […] it must reply with a SSH_AGENT_FAILURE message" part of the spec.

werner changed the task status from Open to Testing. Apr 10 2018, 8:08 AM

Thanks. I took these patches and simplified them. Not tested, though.

gniibe triaged this task as Normal priority. Apr 11 2018, 10:01 AM
gniibe closed this task as Resolved. Dec 13 2018, 3:42 PM