Fix SSH agent forwarding handled in wrong request handler #46
Merged
Move auth-agent-req@openssh.com handling from handleGlobalRequests (SSH_MSG_GLOBAL_REQUEST) to handleSession (SSH_MSG_CHANNEL_REQUEST), matching the SSH spec and what real clients like Go's agent.RequestAgentForwarding() actually send. The old handler was dead code — real clients send this as a session channel request, which hit the default reject case in handleSession. Tests passed only because they used client.SendRequest() (global) instead of session-scoped requests. Tests now use agent.RequestAgentForwarding(session) to exercise the correct code path, including a same-session end-to-end test that verifies SSH_AUTH_SOCK is set.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
jhrozek approved these changes Mar 17, 2026
JAORMX added a commit that referenced this pull request Mar 17, 2026
Verify the full agent forwarding pipeline after the channel request handler fix in #46: one test confirms a forwarded key is visible via ssh-add, the other confirms graceful failure when the client omits the channel handler.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Summary
- auth-agent-req@openssh.com handling from handleGlobalRequests (SSH_MSG_GLOBAL_REQUEST) to handleSession (SSH_MSG_CHANNEL_REQUEST), matching the SSH spec and what real clients actually send
- handleGlobalRequests — no standard SSH client sends agent forwarding as a global request, so the old handler was never reached in practice
- agent.RequestAgentForwarding(session) instead of client.SendRequest(...), exercising the correct code path including a same-session end-to-end test verifying SSH_AUTH_SOCK is set

Context
Per the SSH spec and Go's agent.RequestAgentForwarding(session), the auth-agent-req@openssh.com request is sent as a session channel request (SSH_MSG_CHANNEL_REQUEST). It was incorrectly handled in handleGlobalRequests, which processes SSH_MSG_GLOBAL_REQUEST packets. The request would arrive in handleSession, hit the default case, and get rejected — agent forwarding never worked for real clients.

The existing tests passed because they used client.SendRequest() (global request) instead of session.SendRequest() (channel request), exercising the wrong code path.

Test plan
- go test -v -race ./guest/sshd/ — all 12 tests pass
- CGO_ENABLED=0 go vet on non-CGO packages — clean
- go fmt / go vet — clean

🤖 Generated with Claude Code
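The routing mismatch described above, as an added example that is not part of the pull request or the project's code: a standard-library model of the two wire formats from RFC 4254, showing why a request sent at global scope passed against the old handler placement while the session-scoped request real clients send was rejected. The names `encode`, `parse`, `accepted`, `before` and `after` are hypothetical, and the handler tables are a simplification of `handleGlobalRequests` and `handleSession`.

```go
package main

import (
	"encoding/binary"
	"fmt"
)

const (
	msgGlobalRequest  = 80 // SSH_MSG_GLOBAL_REQUEST (RFC 4254)
	msgChannelRequest = 98 // SSH_MSG_CHANNEL_REQUEST (RFC 4254)
	agentReq          = "auth-agent-req@openssh.com"
)

var before = map[byte]map[string]bool{msgGlobalRequest: {agentReq: true}} // placement before the fix
var after = map[byte]map[string]bool{msgChannelRequest: {agentReq: true}}  // placement after the fix

// encode builds a request payload; only channel requests carry a channel number.
func encode(msgType byte, channel uint32, name string) []byte {
	p := []byte{msgType}
	if msgType == msgChannelRequest {
		p = binary.BigEndian.AppendUint32(p, channel)
	}
	p = binary.BigEndian.AppendUint32(p, uint32(len(name)))
	return append(append(p, name...), 1) // want_reply = true
}

// parse returns the message type and request name, rejecting malformed input.
func parse(p []byte) (msgType byte, name string, err error) {
	nameAt := map[byte]int{msgGlobalRequest: 1, msgChannelRequest: 5} // 5: after uint32 channel
	if len(p) == 0 || nameAt[p[0]] == 0 {
		return 0, "", fmt.Errorf("not a request message")
	}
	off := nameAt[p[0]]
	if len(p) < off+4 || uint64(len(p)-off-4) < uint64(binary.BigEndian.Uint32(p[off:]))+1 {
		return 0, "", fmt.Errorf("truncated request")
	}
	n := int(binary.BigEndian.Uint32(p[off:]))
	return p[0], string(p[off+4 : off+4+n]), nil
}

// accepted: the handler for this message type must list the name, else default reject.
func accepted(handlers map[byte]map[string]bool, payload []byte) bool {
	msgType, name, err := parse(payload)
	return err == nil && handlers[msgType][name]
}

func main() {
	req := encode(msgChannelRequest, 0, agentReq) // session-scoped, as real clients send it
	fmt.Println("before fix:", accepted(before, req), "after fix:", accepted(after, req))
}
```

A regression test for this class of bug has to send the request at the same scope a real client uses; a payload that differs only in message type exercises a different handler entirely.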