Out-of-band data + SSH Agent forwarding (Take 2)

configure.ac

@@ -164,13 +164,21 @@ AS_IF([test x"$with_utempter" != xno],
       [AC_MSG_WARN([Unable to find libutempter; utmp entries will not be made.])],
       [AC_MSG_ERROR([--with-utempter was given but libutempter was not found.])])])])
 
+# Handle --disable-agent-forwarding
+AC_ARG_ENABLE(agent-forwarding,
+              AS_HELP_STRING([--disable-agent-forwarding],
+                             [disable ssh agent forwarding in compile time]),
+              , enable_agent_forwarding=yes)
+
+
 AC_SEARCH_LIBS([compress], [z], , [AC_MSG_ERROR([Unable to find zlib.])])
 
 AC_SEARCH_LIBS([socket], [socket])
 AC_SEARCH_LIBS([inet_addr], [nsl])
 
 # Checks for header files.
 AC_CHECK_HEADERS([m4_normalize([
+  errno.h
   fcntl.h
   langinfo.h
   limits.h
@@ -198,6 +206,8 @@ AC_CHECK_HEADERS([endian.h sys/endian.h])
 AC_CHECK_HEADERS([utmpx.h])
 AC_CHECK_HEADERS([termio.h])
 AC_CHECK_HEADERS([sys/uio.h])
+AC_CHECK_HEADERS([sys/un.h])
+AC_CHECK_HEADERS([sys/types.h])
 
 # Checks for typedefs, structures, and compiler characteristics.
 AC_HEADER_STDBOOL
@@ -366,6 +376,11 @@ AC_CHECK_DECL([IUTF8],
   [AC_MSG_WARN([No IUTF8 termios mode; character-erase of multibyte character sequence probably does not work properly in canonical mode on this platform.])],
   [[#include <termios.h>]])
 
+if test "$enable_agent_forwarding" = "yes"; then
+  AC_DEFINE([SUPPORT_AGENT_FORWARDING], [], [
+    Define to enable support for SSH agent forwarding])
+fi
+
 # Checks for protobuf
 PKG_CHECK_MODULES([protobuf], [protobuf])
 
@@ -378,6 +393,7 @@ AC_CONFIG_FILES([
   src/protobufs/Makefile
   src/statesync/Makefile
   src/terminal/Makefile
+  src/agent/Makefile
   src/util/Makefile
   scripts/Makefile
   src/examples/Makefile

man/mosh.1

@@ -98,6 +98,11 @@ OpenSSH command to remotely execute mosh-server on remote machine (default: "ssh
 
 An alternate ssh port can be specified with, \fIe.g.\fP, \-\-ssh="ssh \-p 2222".
 
+.TP
+.B \-\-forward-agent
+Enable ssh authentication agent forwarding. If you use this, please be
+aware of the security implications.
+
 .TP
 .B \-\-predict=\fIWHEN\fP
 Controls use of speculative local echo. WHEN defaults to `adaptive'
@@ -112,6 +117,10 @@ confident. This generally means a previous prediction on the same row
 of the terminal has been confirmed by the server, without any
 intervening control character keystrokes.
 
+.TP
+.B \-A
+Synonym for \-\-forward-agent
+
 .TP
 .B \-a
 Synonym for \-\-predict=always

scripts/mosh

@@ -53,6 +53,8 @@ my $ssh = 'ssh';
 
 my $term_init = 1;
 
+my $forward_agent = 0;
+
 my $help = undef;
 my $version = undef;
 
@@ -81,6 +83,8 @@ qq{Usage: $0 [options] [--] [user@]host [command...]
                                 (example: "ssh -p 2222")
                                 (default: "ssh")
 
+-A      --forward-agent      enable ssh agent forwarding
+
         --no-init            do not send terminal initialization string
 
         --help               this message
@@ -118,6 +122,8 @@ GetOptions( 'client=s' => \$client,
 	    '6' => sub { $family = 'inet6' },
 	    'p=s' => \$port_request,
 	    'ssh=s' => \$ssh,
+            'A' => \$forward_agent,
+            'forward-agent!' => \$forward_agent,
 	    'init!' => \$term_init,
 	    'help' => \$help,
 	    'version' => \$version,
@@ -247,6 +253,10 @@ if ( $pid == 0 ) { # child
 
   my @server = ( 'new' );
 
+  if ( $forward_agent ) {
+    push @server, ( '-A' );
+  }
+
   push @server, ( '-c', $colors );
 
   push @server, @bind_arguments;
@@ -307,7 +317,14 @@ if ( $pid == 0 ) { # child
   $ENV{ 'MOSH_KEY' } = $key;
   $ENV{ 'MOSH_PREDICTION_DISPLAY' } = $predict;
   $ENV{ 'MOSH_NO_TERM_INIT' } = '1' if !$term_init;
-  exec {$client} ("$client @cmdline |", $ip, $port);
+
+  my @client_av = ();
+  if ( $forward_agent ) {
+    push @client_av, ( '-A' );
+  }
+  push @client_av, ( $ip, $port );
+
+  exec {$client} ("$client @cmdline |", @client_av);
 }
 
 sub shell_quote { join ' ', map {(my $a = $_) =~ s/'/'\\''/g; "'$a'"} @_ }

src/Makefile.am

@@ -1 +1 @@
-SUBDIRS = protobufs util crypto terminal network statesync frontend examples tests
+SUBDIRS = protobufs util crypto terminal network statesync agent frontend examples tests

src/agent/Makefile.am

@@ -0,0 +1,7 @@
+AM_CPPFLAGS = -I$(srcdir)/../util -I$(srcdir)/../network -I$(srcdir)/../protobufs  $(protobuf_CFLAGS) -I$(srcdir)/../crypto $(TINFO_CFLAGS)
+AM_CXXFLAGS = $(WARNING_CXXFLAGS) $(PICKY_CXXFLAGS) $(HARDEN_CFLAGS) $(MISC_CXXFLAGS)
+
+noinst_LIBRARIES = libmoshagent.a
+
+libmoshagent_a_SOURCES = agent.h agent.cc
+