add support for identityagent ssh_config option

This commit adds an `agent_socket` field to the session options and connects the config parser to that option. `SSH_OPTIONS_IDENTITY_AGENT` is added to allow applications to set this option for themselves. agent.c is updated to take the `agent_socket` value in preference to the `SSH_AUTH_SOCK` environment variable. Signed-off-by: Wez Furlong <wez@fb.com> Reviewed-by: Andreas Schneider <asn@cryptomilk.org>
2021-07-20 17:50:44 -07:00 · 2021-07-20 17:50:44 -07:00 · 51a53cc6d4
--- a/include/libssh/config.h
+++ b/include/libssh/config.h
@ -61,6 +61,7 @@ enum ssh_config_opcode_e {
    SOC_PUBKEYAUTHENTICATION,
    SOC_PUBKEYACCEPTEDKEYTYPES,
    SOC_REKEYLIMIT,
+    SOC_IDENTITYAGENT,

    SOC_MAX /* Keep this one last in the list */
 };
--- a/include/libssh/libssh.h
+++ b/include/libssh/libssh.h
@ -407,6 +407,7 @@ enum ssh_options_e {
  SSH_OPTIONS_REKEY_DATA,
  SSH_OPTIONS_REKEY_TIME,
  SSH_OPTIONS_RSA_MIN_SIZE,
+  SSH_OPTIONS_IDENTITY_AGENT,
 };

 enum {
--- a/include/libssh/session.h
+++ b/include/libssh/session.h
@ -219,6 +219,7 @@ struct ssh_session_struct {
        char *ProxyCommand;
        char *custombanner;
        char *moduli_file;
+        char *agent_socket;
        unsigned long timeout; /* seconds */
        unsigned long timeout_usec;
        unsigned int port;
--- a/src/agent.c
+++ b/src/agent.c
@ -220,7 +220,8 @@ static int agent_connect(ssh_session session) {
  if (session->agent->channel != NULL)
    return 0;

-  auth_sock = getenv("SSH_AUTH_SOCK");
+  auth_sock = session->opts.agent_socket ?
+    session->opts.agent_socket : getenv("SSH_AUTH_SOCK");

  if (auth_sock && *auth_sock) {
    if (ssh_socket_unix(session->agent->sock, auth_sock) < 0) {
--- a/src/config.c
+++ b/src/config.c
@ -104,7 +104,7 @@ static struct ssh_config_keyword_table_s ssh_config_keyword_table[] = {
  { "hostbasedacceptedalgorithms", SOC_UNSUPPORTED},
  { "hostkeyalias", SOC_UNSUPPORTED},
  { "identitiesonly", SOC_UNSUPPORTED},
-  { "identityagent", SOC_UNSUPPORTED},
+  { "identityagent", SOC_IDENTITYAGENT},
  { "ipqos", SOC_UNSUPPORTED},
  { "kbdinteractivedevices", SOC_UNSUPPORTED},
  { "nohostauthenticationforlocalhost", SOC_UNSUPPORTED},
@ -1161,6 +1161,12 @@ ssh_config_parse_line(ssh_session session,
      SSH_LOG(SSH_LOG_INFO, "Unknown option: %s, line: %d",
              keyword, count);
      break;
+    case SOC_IDENTITYAGENT:
+      p = ssh_config_get_str_tok(&s, NULL);
+      if (p && *parsing) {
+          ssh_options_set(session, SSH_OPTIONS_IDENTITY_AGENT, p);
+      }
+      break;
    default:
      ssh_set_error(session, SSH_FATAL, "ERROR - unimplemented opcode: %d",
              opcode);
--- a/src/options.c
+++ b/src/options.c
@ -476,6 +476,11 @@ int ssh_options_set_algo(ssh_session session,
 *                Setting 0 will revert the value to defaults.
 *                Default is 1024 bits or 2048 bits in FIPS mode.
 *                (int *)
+
+ *              - SSH_OPTIONS_IDENTITY_AGENT
+ *                Set the path to the SSH agent socket. If unset, the
+ *                SSH_AUTH_SOCK environment is consulted.
+ *                (const char *)
 *
 * @param  value The value to set. This is a generic pointer and the
 *               datatype which is used should be set according to the
@ -1056,6 +1061,22 @@ int ssh_options_set(ssh_session session, enum ssh_options_e type,
                session->opts.rsa_min_size = *x;
            }
            break;
+        case SSH_OPTIONS_IDENTITY_AGENT:
+            v = value;
+            SAFE_FREE(session->opts.agent_socket);
+            if (v == NULL) {
+                /* The default value will be set by the ssh_options_apply() */
+            } else if (v[0] == '\0') {
+                ssh_set_error_invalid(session);
+                return -1;
+            } else {
+                session->opts.agent_socket = ssh_path_expand_tilde(v);
+                if (session->opts.agent_socket == NULL) {
+                    ssh_set_error_oom(session);
+                    return -1;
+                }
+            }
+            break;
        default:
            ssh_set_error(session, SSH_REQUEST_DENIED, "Unknown ssh option %d", type);
            return -1;
--- a/src/socket.c
+++ b/src/socket.c
@ -445,7 +445,8 @@ int ssh_socket_unix(ssh_socket s, const char *path)
 #endif

    if (connect(fd, (struct sockaddr *) &sunaddr, sizeof(sunaddr)) < 0) {
-        ssh_set_error(s->session, SSH_FATAL, "Error from connect(): %s",
+        ssh_set_error(s->session, SSH_FATAL, "Error from connect(%s): %s",
+                      path,
                      strerror(errno));
        CLOSE_SOCKET(fd);
        return -1;