Fixes to ssh-agent issues

PowerShell/Win32-OpenSSH#1263
Issue: ssh-agent is using default sign algorithm, without considering related flags in request
Fix: parse flags and consider sign algorithm input

PowerShell/Win32-OpenSSH#1234
Issue: ssh-agent has old logic to lookup sshd account
Fix: remove this redundant logic

contrib/win32/win32compat/ssh-agent/agent.c

@@ -227,8 +227,6 @@ con_type_to_string(struct agent_connection* con)
 		return "restricted user";
 	case ADMIN_USER:
 		return "administrator";
-	case SSHD_SERVICE:
-		return "sshd service";
 	case SYSTEM:
 		return "system";
 	case SERVICE:
@@ -243,7 +241,6 @@ get_con_client_info(struct agent_connection* con)
 {
 	int r = -1;
 	char sid[SECURITY_MAX_SID_SIZE];
-	wchar_t *sshd_act = L"NT SERVICE\\SSHD", *ref_dom = NULL;
 	ULONG client_pid;
 	DWORD reg_dom_len = 0, info_len = 0, sid_size;
 	DWORD sshd_sid_len = 0;
@@ -273,38 +270,6 @@ get_con_client_info(struct agent_connection* con)
 		goto done;
 	}
 
-	/* check if its SSHD service */
-	{
-		/* Does NT Service/SSHD exist */
-		LookupAccountNameW(NULL, sshd_act, NULL, &sshd_sid_len, NULL, &reg_dom_len, &nuse);
-
-		if (GetLastError() == ERROR_NONE_MAPPED)
-			debug3("Cannot look up SSHD account, its likely not installed");
-		else if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
-			error("LookupAccountNameW on SSHD account failed with %d", GetLastError());
-			goto done;
-		}
-		else {
-			if ((sshd_sid = malloc(sshd_sid_len)) == NULL ||
-				(ref_dom = (wchar_t*)malloc(reg_dom_len * 2)) == NULL ||
-				LookupAccountNameW(NULL, sshd_act, sshd_sid, &sshd_sid_len, ref_dom, &reg_dom_len, &nuse) == FALSE)
-				goto done;
-
-			if (EqualSid(info->User.Sid, sshd_sid)) {
-				con->client_type = SSHD_SERVICE;
-				r = 0;
-				goto done;
-			}
-			if (CheckTokenMembership(client_impersonation_token, sshd_sid, &isMember) == FALSE)
-				goto done;
-			if (isMember) {
-				con->client_type = SSHD_SERVICE;
-				r = 0;
-				goto done;
-			}
-		}
-	}
-
 	/* check if its LS or NS */
 	if (IsWellKnownSid(info->User.Sid, WinNetworkServiceSid) ||
 		IsWellKnownSid(info->User.Sid, WinLocalServiceSid)) {
@@ -335,8 +300,6 @@ done:
 
 	if (sshd_sid)
 		free(sshd_sid);
-	if (ref_dom)
-		free(ref_dom);
 	if (info)
 		free(info);
 	if (client_primary_token)

contrib/win32/win32compat/ssh-agent/agent.h

@@ -33,7 +33,6 @@ struct agent_connection {
 		UNKNOWN = 0,
 		NONADMIN_USER, /* client is running as a nonadmin user */
 		ADMIN_USER, /* client is running as admin */
-		SSHD_SERVICE, /* client is sshd service */
 		SYSTEM, /* client is running as System */
 		SERVICE, /* client is running as LS or NS */
 	} client_type;

contrib/win32/win32compat/ssh-agent/keyagent-request.c

@@ -204,7 +204,7 @@ static int sign_blob(const struct sshkey *pubkey, u_char ** sig, size_t *siglen,
 	HKEY reg = 0, sub = 0, user_root = 0;
 	int r = 0, success = 0;
 	struct sshkey* prikey = NULL;
-	char *thumbprint = NULL, *regdata = NULL;
+	char *thumbprint = NULL, *regdata = NULL, *algo = NULL;
 	DWORD regdatalen = 0, keyblob_len = 0;
 	struct sshbuf* tmpbuf = NULL;
 	char *keyblob = NULL;
@@ -225,8 +225,13 @@ static int sign_blob(const struct sshkey *pubkey, u_char ** sig, size_t *siglen,
 	    (tmpbuf = sshbuf_from(keyblob, keyblob_len)) == NULL)
 		goto done;
 
+	if (flags & SSH_AGENT_RSA_SHA2_256)
+		algo = "rsa-sha2-256";
+	else if (flags & SSH_AGENT_RSA_SHA2_512)
+		algo = "rsa-sha2-512";
+
 	if (sshkey_private_deserialize(tmpbuf, &prikey) != 0 ||
-	    sshkey_sign(prikey, sig, siglen, blob, blen, NULL, 0) != 0) {
+	    sshkey_sign(prikey, sig, siglen, blob, blen, algo, 0) != 0) {
 		debug("cannot sign using retrieved key");
 		goto done;
 	}
@@ -272,9 +277,7 @@ process_sign_request(struct sshbuf* request, struct sshbuf* response, struct age
 		goto done;
 	}
 
-	/* TODO - flags?*/
+	if (sign_blob(key, &signature, &slen, data, dlen, flags, con) != 0)
-
-	if (sign_blob(key, &signature, &slen, data, dlen, 0, con) != 0)
 		goto done;
 
 	success = 1;