upstream: allow -A to explicitly enable agent forwarding in scp and

sftp. The default remains to not forward an agent, even when ssh_config enables it. ok jmc dtucker markus OpenBSD-Commit-ID: 36cc526aa3b0f94e4704b8d7b969dd63e8576822
2020-08-03 02:43:41 +00:00 · 2020-08-03 02:43:41 +00:00 · a8732d74cb
parent ab9105470a
commit a8732d74cb
4 changed files with 30 additions and 14 deletions
--- a/scp.1
+++ b/scp.1
@ -8,9 +8,9 @@
 .\"
 .\" Created: Sun May  7 00:14:37 1995 ylo
 .\"
-.\" $OpenBSD: scp.1,v 1.89 2020/04/30 18:28:37 jmc Exp $
+.\" $OpenBSD: scp.1,v 1.90 2020/08/03 02:43:41 djm Exp $
 .\"
-.Dd $Mdocdate: April 30 2020 $
+.Dd $Mdocdate: August 3 2020 $
 .Dt SCP 1
 .Os
 .Sh NAME
@ -18,7 +18,7 @@
 .Nd OpenSSH secure file copy
 .Sh SYNOPSIS
 .Nm scp
-.Op Fl 346BCpqrTv
+.Op Fl 346ABCpqrTv
 .Op Fl c Ar cipher
 .Op Fl F Ar ssh_config
 .Op Fl i Ar identity_file
@ -86,6 +86,11 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl A
+Allows forwarding of
+.Xr ssh-agent 1
+to the remote system.
+The default is not to forward an authentication agent.
 .It Fl B
 Selects batch mode (prevents asking for passwords or passphrases).
 .It Fl C
--- a/scp.c
+++ b/scp.c
@ -1,4 +1,4 @@
-/* $OpenBSD: scp.c,v 1.211 2020/05/29 21:22:02 millert Exp $ */
+/* $OpenBSD: scp.c,v 1.212 2020/08/03 02:43:41 djm Exp $ */
 /*
 * scp - secure remote copy.  This is basically patched BSD rcp which
 * uses ssh to do the data transfer (instead of using rcmd).
@ -425,7 +425,6 @@ main(int argc, char **argv)
 	args.list = remote_remote_args.list = NULL;
 	addargs(&args, "%s", ssh_program);
 	addargs(&args, "-x");
-	addargs(&args, "-oForwardAgent=no");
 	addargs(&args, "-oPermitLocalCommand=no");
 	addargs(&args, "-oClearAllForwardings=yes");
 	addargs(&args, "-oRemoteCommand=none");
@ -433,7 +432,7 @@ main(int argc, char **argv)

 	fflag = Tflag = tflag = 0;
 	while ((ch = getopt(argc, argv,
-	    "dfl:prtTvBCc:i:P:q12346S:o:F:J:")) != -1) {
+	    "12346ABCTdfpqrtvF:J:P:S:c:i:l:o:")) != -1) {
 		switch (ch) {
 		/* User-visible flags. */
 		case '1':
@ -442,6 +441,7 @@ main(int argc, char **argv)
 		case '2':
 			/* Ignored */
 			break;
+		case 'A':
 		case '4':
 		case '6':
 		case 'C':
@ -523,6 +523,9 @@ main(int argc, char **argv)
 	argc -= optind;
 	argv += optind;

+	/* Do this last because we want the user to be able to override it */
+	addargs(&args, "-oForwardAgent=no");
+
 	if ((pwd = getpwuid(userid = getuid())) == NULL)
 		fatal("unknown user %u", (u_int) userid);

@ -1593,7 +1596,7 @@ void
 usage(void)
 {
 	(void) fprintf(stderr,
-	    "usage: scp [-346BCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
+	    "usage: scp [-346ABCpqrTv] [-c cipher] [-F ssh_config] [-i identity_file]\n"
 	    "            [-J destination] [-l limit] [-o ssh_option] [-P port]\n"
 	    "            [-S program] source ... target\n");
 	exit(1);
--- a/sftp.1
+++ b/sftp.1
@ -1,4 +1,4 @@
-.\" $OpenBSD: sftp.1,v 1.131 2020/04/23 21:28:09 jmc Exp $
+.\" $OpenBSD: sftp.1,v 1.132 2020/08/03 02:43:41 djm Exp $
 .\"
 .\" Copyright (c) 2001 Damien Miller.  All rights reserved.
 .\"
@ -22,7 +22,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.Dd $Mdocdate: April 23 2020 $
+.Dd $Mdocdate: August 3 2020 $
 .Dt SFTP 1
 .Os
 .Sh NAME
@ -30,7 +30,7 @@
 .Nd OpenSSH secure file transfer
 .Sh SYNOPSIS
 .Nm sftp
-.Op Fl 46aCfNpqrv
+.Op Fl 46AaCfNpqrv
 .Op Fl B Ar buffer_size
 .Op Fl b Ar batchfile
 .Op Fl c Ar cipher
@ -104,6 +104,11 @@ to use IPv4 addresses only.
 Forces
 .Nm
 to use IPv6 addresses only.
+.It Fl A
+Allows forwarding of
+.Xr ssh-agent 1
+to the remote system.
+The default is not to forward an authentication agent.
 .It Fl a
 Attempt to continue interrupted transfers rather than overwriting
 existing partial or complete copies of files.
--- a/sftp.c
+++ b/sftp.c
@ -1,4 +1,4 @@
-/* $OpenBSD: sftp.c,v 1.200 2020/04/03 05:53:52 jmc Exp $ */
+/* $OpenBSD: sftp.c,v 1.201 2020/08/03 02:43:41 djm Exp $ */
 /*
 * Copyright (c) 2001-2004 Damien Miller <djm@openbsd.org>
 *
@ -2363,7 +2363,7 @@ usage(void)
 	extern char *__progname;

 	fprintf(stderr,
-	    "usage: %s [-46aCfNpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n"
+	    "usage: %s [-46AaCfNpqrv] [-B buffer_size] [-b batchfile] [-c cipher]\n"
 	    "          [-D sftp_server_path] [-F ssh_config] [-i identity_file]\n"
 	    "          [-J destination] [-l limit] [-o ssh_option] [-P port]\n"
 	    "          [-R num_requests] [-S program] [-s subsystem | sftp_server]\n"
@ -2401,7 +2401,6 @@ main(int argc, char **argv)
 	args.list = NULL;
 	addargs(&args, "%s", ssh_program);
 	addargs(&args, "-oForwardX11 no");
-	addargs(&args, "-oForwardAgent no");
 	addargs(&args, "-oPermitLocalCommand no");
 	addargs(&args, "-oClearAllForwardings yes");

@ -2409,9 +2408,10 @@ main(int argc, char **argv)
 	infile = stdin;

 	while ((ch = getopt(argc, argv,
-	    "1246afhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
+	    "1246AafhNpqrvCc:D:i:l:o:s:S:b:B:F:J:P:R:")) != -1) {
 		switch (ch) {
 		/* Passed through to ssh(1) */
+		case 'A':
 		case '4':
 		case '6':
 		case 'C':
@ -2511,6 +2511,9 @@ main(int argc, char **argv)
 		}
 	}

+	/* Do this last because we want the user to be able to override it */
+	addargs(&args, "-oForwardAgent no");
+
 	if (!isatty(STDERR_FILENO))
 		showprogress = 0;