ssh-agent: Add global option to enable or disable destination contraints

Signed-off-by: Konrad Vité <[email protected]>

Author: kgraefe

src/core/Config.cpp

@@ -183,6 +183,7 @@ static const QHash<Config::ConfigKey, ConfigDirective> configStrings = {
     {Config::SSHAgent_Enabled, {QS("SSHAgent/Enabled"), Roaming, false}},
     {Config::SSHAgent_UseOpenSSH, {QS("SSHAgent/UseOpenSSH"), Roaming, false}},
     {Config::SSHAgent_UsePageant, {QS("SSHAgent/UsePageant"), Roaming, true} },
+    {Config::SSHAgent_EnableDestinationConstraints, {QS("SSHAgent/EnableDestinationConstraints"), Roaming, false} },
     {Config::SSHAgent_AuthSockOverride, {QS("SSHAgent/AuthSockOverride"), Local, {}}},
     {Config::SSHAgent_SecurityKeyProviderOverride, {QS("SSHAgent/SecurityKeyProviderOverride"), Local, {}}},
 

src/core/Config.h

@@ -162,6 +162,7 @@ class Config : public QObject
         SSHAgent_Enabled,
         SSHAgent_UseOpenSSH,
         SSHAgent_UsePageant,
+        SSHAgent_EnableDestinationConstraints,
         SSHAgent_AuthSockOverride,
         SSHAgent_SecurityKeyProviderOverride,
 

src/sshagent/AgentSettingsWidget.cpp

@@ -35,7 +35,20 @@ AgentSettingsWidget::AgentSettingsWidget(QWidget* parent)
     m_ui->sshAuthSockMessageWidget->setVisible(sshAgent()->isEnabled());
     m_ui->sshAuthSockMessageWidget->setCloseButtonVisible(false);
     m_ui->sshAuthSockMessageWidget->setAutoHideTimeout(-1);
+
+    m_ui->destinationConstraintsMessageWidget->setVisible(sshAgent()->enableDestinationConstraints());
+    m_ui->destinationConstraintsMessageWidget->setCloseButtonVisible(false);
+    m_ui->destinationConstraintsMessageWidget->setAutoHideTimeout(-1);
+    m_ui->destinationConstraintsMessageWidget->showMessage(
+        tr("Destination contrains can have unexpected side effects. "
+           "Make sure to read the "
+           "<a href=\"https://keepassxc.org/docs/#faq-ssh-agent-destination-constraints\">documentation</a>."),
+        MessageWidget::Warning);
+
     connect(m_ui->enableSSHAgentCheckBox, SIGNAL(stateChanged(int)), SLOT(toggleSettingsEnabled()));
+    connect(m_ui->enableDestinationConstraintsCheckBox,
+            SIGNAL(stateChanged(int)),
+            SLOT(toggleDestinationConstraintsEnabled()));
 }
 
 AgentSettingsWidget::~AgentSettingsWidget()
@@ -66,6 +79,9 @@ void AgentSettingsWidget::loadSettings()
 
     m_ui->sshAuthSockMessageWidget->setVisible(sshAgentEnabled);
 
+    auto destinationConstraintsEnabled = sshAgent()->enableDestinationConstraints();
+    m_ui->enableDestinationConstraintsCheckBox->setChecked(destinationConstraintsEnabled);
+
     if (sshAgentEnabled) {
 #ifndef Q_OS_WIN
         if (sshAuthSock.isEmpty() && sshAuthSockOverride.isEmpty()) {
@@ -98,10 +114,16 @@ void AgentSettingsWidget::saveSettings()
     sshAgent()->setUsePageant(m_ui->usePageantRadioButton->isChecked() || m_ui->useBothRadioButton->isChecked());
     sshAgent()->setUseOpenSSH(m_ui->useOpenSSHRadioButton->isChecked() || m_ui->useBothRadioButton->isChecked());
 #endif
+    sshAgent()->setEnableDestinationConstraints(m_ui->enableDestinationConstraintsCheckBox->isChecked());
     sshAgent()->setEnabled(m_ui->enableSSHAgentCheckBox->isChecked());
 }
 
 void AgentSettingsWidget::toggleSettingsEnabled()
 {
     m_ui->agentConfigPageBody->setEnabled(m_ui->enableSSHAgentCheckBox->isChecked());
 }
+
+void AgentSettingsWidget::toggleDestinationConstraintsEnabled()
+{
+    m_ui->destinationConstraintsMessageWidget->setVisible(m_ui->enableDestinationConstraintsCheckBox->isChecked());
+}

src/sshagent/AgentSettingsWidget.h

@@ -39,6 +39,7 @@ public slots:
     void loadSettings();
     void saveSettings();
     void toggleSettingsEnabled();
+    void toggleDestinationConstraintsEnabled();
 
 private:
     QScopedPointer<Ui::AgentSettingsWidget> m_ui;

src/sshagent/AgentSettingsWidget.ui

@@ -7,7 +7,7 @@
     <x>0</x>
     <y>0</y>
     <width>400</width>
-    <height>300</height>
+    <height>443</height>
    </rect>
   </property>
   <layout class="QVBoxLayout" name="verticalLayout">
@@ -93,6 +93,16 @@
         </property>
        </widget>
       </item>
+      <item>
+       <widget class="QCheckBox" name="enableDestinationConstraintsCheckBox">
+        <property name="text">
+         <string>Enable destination constraints</string>
+        </property>
+       </widget>
+      </item>
+      <item>
+       <widget class="MessageWidget" name="destinationConstraintsMessageWidget" native="true"/>
+      </item>
       <item>
        <layout class="QGridLayout" name="agentValues">
         <property name="topMargin">
@@ -107,26 +117,47 @@
         <property name="verticalSpacing">
          <number>8</number>
         </property>
-        <item row="1" column="0">
-         <widget class="QLabel" name="sshAuthSockOverrideLabel">
+        <item row="3" column="0">
+         <widget class="QLabel" name="sshSecurityKeyProviderOverrideLabel">
           <property name="text">
-           <string>SSH_AUTH_SOCK override</string>
+           <string>SSH_SK_PROVIDER override</string>
           </property>
           <property name="alignment">
            <set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
           </property>
          </widget>
         </item>
-        <item row="0" column="0">
-         <widget class="QLabel" name="sshAuthSockValueLabel">
+        <item row="1" column="1">
+         <widget class="QLineEdit" name="sshAuthSockOverrideEdit"/>
+        </item>
+        <item row="2" column="0">
+         <widget class="QLabel" name="sshSecurityKeyProviderValueLabel">
           <property name="text">
-           <string>SSH_AUTH_SOCK value</string>
+           <string>SSH_SK_PROVIDER value</string>
           </property>
           <property name="alignment">
            <set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
           </property>
          </widget>
         </item>
+        <item row="0" column="1">
+         <widget class="QLabel" name="sshAuthSockLabel">
+          <property name="font">
+           <font>
+            <family>Monospace</family>
+           </font>
+          </property>
+          <property name="text">
+           <string>(empty)</string>
+          </property>
+          <property name="textInteractionFlags">
+           <set>Qt::TextSelectableByKeyboard|Qt::TextSelectableByMouse</set>
+          </property>
+         </widget>
+        </item>
+        <item row="3" column="1">
+         <widget class="QLineEdit" name="sshSecurityKeyProviderOverrideEdit"/>
+        </item>
         <item row="4" column="0">
          <spacer name="verticalSpacer">
           <property name="orientation">
@@ -140,28 +171,20 @@
           </property>
          </spacer>
         </item>
-        <item row="1" column="1">
-         <widget class="QLineEdit" name="sshAuthSockOverrideEdit"/>
-        </item>
-        <item row="0" column="1">
-         <widget class="QLabel" name="sshAuthSockLabel">
-          <property name="font">
-           <font>
-            <family>Monospace</family>
-           </font>
-          </property>
+        <item row="0" column="0">
+         <widget class="QLabel" name="sshAuthSockValueLabel">
           <property name="text">
-           <string>(empty)</string>
+           <string>SSH_AUTH_SOCK value</string>
           </property>
-          <property name="textInteractionFlags">
-           <set>Qt::TextSelectableByKeyboard|Qt::TextSelectableByMouse</set>
+          <property name="alignment">
+           <set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
           </property>
          </widget>
         </item>
-        <item row="2" column="0">
-         <widget class="QLabel" name="sshSecurityKeyProviderValueLabel">
+        <item row="1" column="0">
+         <widget class="QLabel" name="sshAuthSockOverrideLabel">
           <property name="text">
-           <string>SSH_SK_PROVIDER value</string>
+           <string>SSH_AUTH_SOCK override</string>
           </property>
           <property name="alignment">
            <set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
@@ -183,19 +206,6 @@
           </property>
          </widget>
         </item>
-        <item row="3" column="0">
-         <widget class="QLabel" name="sshSecurityKeyProviderOverrideLabel">
-          <property name="text">
-           <string>SSH_SK_PROVIDER override</string>
-          </property>
-          <property name="alignment">
-           <set>Qt::AlignRight|Qt::AlignTrailing|Qt::AlignVCenter</set>
-          </property>
-         </widget>
-        </item>
-        <item row="3" column="1">
-         <widget class="QLineEdit" name="sshSecurityKeyProviderOverrideEdit"/>
-        </item>
        </layout>
       </item>
      </layout>

src/sshagent/SSHAgent.cpp

@@ -98,6 +98,16 @@ void SSHAgent::setUsePageant(bool usePageant)
 }
 #endif
 
+bool SSHAgent::enableDestinationConstraints() const
+{
+    return config()->get(Config::SSHAgent_EnableDestinationConstraints).toBool();
+}
+
+void SSHAgent::setEnableDestinationConstraints(bool enableDestinationConstraints)
+{
+    config()->set(Config::SSHAgent_EnableDestinationConstraints, enableDestinationConstraints);
+}
+
 QString SSHAgent::socketPath(bool allowOverride) const
 {
     QString socketPath;
@@ -305,7 +315,7 @@ bool SSHAgent::addIdentity(OpenSSHKey& key, const KeeAgentSettings& settings, co
         request.writeString(securityKeyProvider());
     }
 
-    if (settings.useDestinationConstraintsWhenAdding()) {
+    if (enableDestinationConstraints() && settings.useDestinationConstraintsWhenAdding()) {
         request.write(SSH_AGENT_CONSTRAIN_EXTENSION);
         request.writeString(QString("[email protected]"));
         encodeDestinationConstraints(settings.destinationConstraints(), request);
@@ -328,7 +338,7 @@ bool SSHAgent::addIdentity(OpenSSHKey& key, const KeeAgentSettings& settings, co
             m_error += "\n" + tr("A confirmation request is not supported by the agent (check options).");
         }
 
-        if (settings.useDestinationConstraintsWhenAdding()) {
+        if (enableDestinationConstraints() && settings.useDestinationConstraintsWhenAdding()) {
             m_error += "\n" + tr("Destination constraints are invalid or not supported by the agent (check options).");
         }
 

src/sshagent/SSHAgent.h

@@ -48,6 +48,8 @@ class SSHAgent : public QObject
     void setUseOpenSSH(bool useOpenSSH);
     void setUsePageant(bool usePageant);
 #endif
+    bool enableDestinationConstraints() const;
+    void setEnableDestinationConstraints(bool enableDestinationConstraints);
 
     const QString errorString() const;
     bool isAgentRunning() const;