Subject: Re: agent support

From: Peter Stuge <peter_at_stuge.se>
Date: Thu, 17 Jun 2010 08:52:03 +0200

Thomas Stover wrote:
> thomas_at_K-9:~/src/libssh2-1.2.7-20100617/example$
> LD_LIBRARY_PATH=/home/thomas/lib/ ./ssh2_agent 127.0.0.1 thomas
..
> [libssh2] 0.736258 Failure Event: 0 - agent list id failed

This message is slightly worrying. I'm not actually sure where it
comes from. The string 'agent list id failed' seems not to be in
libssh2 at all. :\

> [libssh2] 0.736267 Userauth: Attempting publickey authentication
> => libssh2_transport_write plain (334 bytes)
> 0000: 32 00 00 00 06 74 68 6F 6D 61 73 00 00 00 0E 73 : 2....thomas....s
> 0010: 73 68 2D 63 6F 6E 6E 65 63 74 69 6F 6E 00 00 00 : sh-connection...
> 0020: 09 70 75 62 6C 69 63 6B 65 79 00 00 00 00 07 73 : .publickey.....s
> 0030: 73 68 2D 72 73 61 00 00 01 14 00 00 00 07 73 73 : sh-rsa........ss
> 0040: 68 2D 72 73 61 00 00 00 01 25 00 00 01 00 7E 6A : h-rsa....%....~j
> 0050: 1C D7 9F F4 8D 8D 79 33 0E 88 A5 9F DF 89 11 7C : ......y3.......|
> 0060: B7 42 E1 67 C3 8E 1A 96 71 1C 4B C9 16 81 20 CB : .B.g....q.K... .
..

But clearly keys in the agent can be used for auth still, or this
packet wouldn't go out.

> [libssh2] 0.736401 Transport: Looking for packet of type: 52
> [libssh2] 0.736403 Transport: Looking for packet of type: 51
> [libssh2] 0.736406 Transport: Looking for packet of type: 60
> [libssh2] 0.736409 Socket: Error recving 16384 bytes to 0x18fb508+0: 11
> [libssh2] 0.736412 Failure Event: -37 - Would block
> Authentication with username thomas and public key
> /home/thomas/.ssh/identity failed!

This shows a bug. Looking at the code agrees. One could argue this is
a bug in the example but I really hate that libssh2 insists on the
IMO useless non-blocking approach in every single instance so I argue
that this is a bug in the agent code, or maybe even in
_libssh2_userauth_publickey().

Anyway, documentation and code for libssh2_agent_userauth()
disagree, and the code is returning -37 or LIBSSH2_ERROR_EAGAIN from
the lower layers of libssh2, which means that the caller should just
try again, but the example interprets this as failure, which is also
what the man page indicates.

I do not want to have agent ops be non-blocking, but on the other
hand I want none of libssh2 to be non-blocking. While this gets
discussed further you could try the attached patch, Thomas.

> btw, did I just post my private key?

No, the public key. The private key is never sent over the wire and
is not in any debug messages.

//Peter
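Decoding the quoted SSH_MSG_USERAUTH_REQUEST bytes shows exactly what went on the wire; this bounds-checked parser is an added example, not code from libssh2 or from anyone in the thread. It embeds the 112 bytes visible in the dump above (the remaining bytes of the 334-byte packet are not on the page, so the parser reports the key blob as truncated rather than reading past the capture).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

/* First 112 bytes of the SSH_MSG_USERAUTH_REQUEST quoted in the mail. The dump
   stops at offset 0x70, so the 334-byte packet is deliberately truncated here. */
static const uint8_t USERAUTH_REQ[] = {
  0x32,0x00,0x00,0x00,0x06,0x74,0x68,0x6F,0x6D,0x61,0x73,0x00,0x00,0x00,0x0E,0x73,
  0x73,0x68,0x2D,0x63,0x6F,0x6E,0x6E,0x65,0x63,0x74,0x69,0x6F,0x6E,0x00,0x00,0x00,
  0x09,0x70,0x75,0x62,0x6C,0x69,0x63,0x6B,0x65,0x79,0x00,0x00,0x00,0x00,0x07,0x73,
  0x73,0x68,0x2D,0x72,0x73,0x61,0x00,0x00,0x01,0x14,0x00,0x00,0x00,0x07,0x73,0x73,
  0x68,0x2D,0x72,0x73,0x61,0x00,0x00,0x00,0x01,0x25,0x00,0x00,0x01,0x00,0x7E,0x6A,
  0x1C,0xD7,0x9F,0xF4,0x8D,0x8D,0x79,0x33,0x0E,0x88,0xA5,0x9F,0xDF,0x89,0x11,0x7C,
  0xB7,0x42,0xE1,0x67,0xC3,0x8E,0x1A,0x96,0x71,0x1C,0x4B,0xC9,0x16,0x81,0x20,0xCB };

struct userauth_req {
  char user[32], service[32], method[32], key_alg[32];
  int has_signature;       /* FALSE = "is this key acceptable?" query, no proof yet */
  uint32_t keyblob_len;    /* declared length of the public key blob that follows */
  size_t keyblob_avail;    /* how much of that blob the capture actually holds */
};
struct cur { const uint8_t *p; size_t n, off; };
static int rd_u32(struct cur *c, uint32_t *v) {          /* RFC 4251 uint32 */
  if (c->n - c->off < 4) return 0;
  *v = (uint32_t)c->p[c->off] << 24 | (uint32_t)c->p[c->off + 1] << 16 |
       (uint32_t)c->p[c->off + 2] << 8 | c->p[c->off + 3];
  c->off += 4; return 1;
}
static int rd_str(struct cur *c, char *out, size_t cap) {  /* RFC 4251 string */
  uint32_t len;
  if (!rd_u32(c, &len) || len >= cap || c->n - c->off < len) return 0;
  memcpy(out, c->p + c->off, len); out[len] = '\0'; c->off += len; return 1;
}
/* Returns 1 if buf parses as a "publickey" SSH_MSG_USERAUTH_REQUEST header, else 0.
   Every read is bounds-checked, so a short capture stops cleanly instead of over-reading. */
int parse_userauth_request(const uint8_t *buf, size_t n, struct userauth_req *r) {
  struct cur c = { buf, n, 1 };
  memset(r, 0, sizeof *r);
  if (n < 1 || buf[0] != 50) return 0;                    /* 50 = USERAUTH_REQUEST */
  if (!rd_str(&c, r->user, sizeof r->user) || !rd_str(&c, r->service, sizeof r->service) ||
      !rd_str(&c, r->method, sizeof r->method) || strcmp(r->method, "publickey") != 0)
    return 0;
  if (c.n - c.off < 1) return 0;
  r->has_signature = buf[c.off++] != 0;
  if (!rd_str(&c, r->key_alg, sizeof r->key_alg) || !rd_u32(&c, &r->keyblob_len)) return 0;
  r->keyblob_avail = c.n - c.off;
  return 1;
}
```

The flag byte after "publickey" is 0x00, so this is the signature-less "is this key acceptable?" form of the request, which is why libssh2 then waits for packet type 60 (USERAUTH_PK_OK), 51 or 52. The 276-byte blob that follows is the RFC 4253 ssh-rsa public key (name, e, n) and contains nothing the agent keeps private.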

Received on 2010-06-17