bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-23  21:16 UTC
[Bug 1808] New: "SetupCommand" invoked before connecting
https://bugzilla.mindrot.org/show_bug.cgi?id=1808
           Summary: "SetupCommand" invoked before connecting
           Product: Portable OpenSSH
           Version: 5.6p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: helmut at subdivi.de
Created attachment 1912
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1912
patch against 5.1p1 adding the SetupCommand config option
This bug report is mainly a copy from the mailing list. See
http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-July/027732.html
Task:
~~~~~
It is sometimes quite useful to invoke a program prior to connecting to
an ssh server. The most common use case will probably be port knocking.
That is, a small program sends certain packets to a server and the
server reacts to this by unlocking the ssh port, which would be blocked
otherwise to defend against brute force attacks. Another interested
user is monkeysphere (currently using option 1 below).
Solutions:
~~~~~~~~~~
1) (Ab)using ProxyCommand. This is employed in some howtos on port
   knocking. It however has the disadvantage that TCPKeepAlive and some
   timeout options are no longer honoured.
2) Wrapping ssh. While this does not disable other options like above,
   one has to create a second option parser for ssh. Furthermore
   configuration that belongs to ssh is now located somewhere else (not
   in .ssh/config). The approach may also fail when third party
   applications that invoke ssh reset $PATH.
3) Extending ssh itself using a new configuration item "SetupCommand":
Sample Implementation:
~~~~~~~~~~~~~~~~~~~~~~
I propose adding a new configuration item "SetupCommand" for the ssh
client software. It would accept a string that is treated exactly the
same as LocalCommand. As with LocalCommand it should also be ignored
when PermitLocalCommand is disabled. Otherwise the command should be
executed right before connecting to the server.
I created a patch against 5.1p1 and tested it (attached). The patch can
be successfully applied to 5.6p1, too.
Discussion:
~~~~~~~~~~~
After I proposed this patch on the mailing list (see above) it was
discussed briefly. I'll try to summarize that discussion:
Damien Miller and Peter Stuge questioned the difficulties of option 2.
A working implementation of that option hasn't been seen yet. Bert
Wesarg mentioned his work on ControlCommand. It is slightly related to
the task above. Daniel Kahn Gillmor and Jameson Rollins (both from the
monkeysphere project) gave additional explanations and generally
appreciated this patch. There were no further responses addressing
these explanations.
-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
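One way to realise option 1 from the report, as an added example that is not part of the bug, the attached patch or OpenSSH: a hypothetical ssh-knock-proxy script used as ProxyCommand, which sends the knock sequence and then relays the TCP connection to ssh through nc. It assumes a netcat that accepts -z and -w; the config lines and the SetupCommand syntax in the comments are assumptions for illustration.

```shell
#!/bin/sh
# ssh-knock-proxy: hypothetical ProxyCommand wrapper for port knocking
# (added example; not from the bug, the attached patch or OpenSSH).
#
# Option 1 from the report, in ~/.ssh/config:
#   Host knocked.example.org
#       ProxyCommand ssh-knock-proxy 7000,8000,9000 %h %p
#       ServerAliveInterval 30
# Caveat noted in the report: ssh now talks to this script over a local
# pipe, not the TCP socket, so TCPKeepAlive (SO_KEEPALIVE on ssh's own
# descriptor) never reaches the real connection. ServerAliveInterval is
# in-protocol and still works through the proxy.
#
# Option 3 (the proposed SetupCommand; syntax assumed from the report's
# "same as LocalCommand") would let ssh keep the TCP socket itself:
#   PermitLocalCommand yes
#   SetupCommand ssh-knock-proxy 7000,8000,9000 %h knock-only

# Validate "p1,p2,..." (each 1-65535); print the ports space-separated,
# or return 1 on any malformed entry so a typo never yields a half knock.
parse_knock_ports() {
    out=""
    for p in $(printf '%s' "$1" | tr ',' ' '); do
        case $p in ''|*[!0-9]*) return 1 ;; esac
        [ "$p" -ge 1 ] && [ "$p" -le 65535 ] || return 1
        out="$out $p"
    done
    [ -n "$out" ] || return 1
    printf '%s\n' "${out# }"
}

# One short connect attempt per port, in order. The firewall only needs
# to see the packets, so a refused or timed-out connect is the normal case.
send_knocks() {
    host=$1; shift
    for p in "$@"; do
        nc -z -w 1 "$host" "$p" 2>/dev/null || true
    done
}

main() {
    [ $# -eq 3 ] || { echo "usage: $0 p1,p2,... host port" >&2; exit 2; }
    ports=$(parse_knock_ports "$1") || { echo "bad knock list: $1" >&2; exit 2; }
    send_knocks "$2" $ports          # unquoted on purpose: split into ports
    [ "$3" = knock-only ] && exit 0  # SetupCommand style: ssh connects itself
    exec nc "$2" "$3"                # ProxyCommand style: relay on stdin/stdout
}

# Only act when run under the script's own name, not when sourced.
case "${0##*/}" in ssh-knock-proxy) main "$@" ;; esac
```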
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-23  21:16 UTC
[Bug 1808] "SetupCommand" invoked before connecting
https://bugzilla.mindrot.org/show_bug.cgi?id=1808
Helmut Grohne <helmut at subdivi.de> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |helmut at subdivi.de
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-23  21:46 UTC
[Bug 1808] "SetupCommand" invoked before connecting
https://bugzilla.mindrot.org/show_bug.cgi?id=1808
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dkg at fifthhorseman.net
--- Comment #1 from Daniel Kahn Gillmor <dkg at fifthhorseman.net>  ---
I'd be interested in this, but I'm more interested in the proposed
KnownHostsCommand option (#1777), specifically for host key management.
One could use the proposed SetupCommand for host key management, but
only by manually tweaking the known hosts file itself (which might not
be at a known location unless the child processes get passed the full
ssh config (see #1766)).
bugzilla-daemon at bugzilla.mindrot.org
2010-Aug-25  08:15 UTC
[Bug 1808] "SetupCommand" invoked before connecting
https://bugzilla.mindrot.org/show_bug.cgi?id=1808
Markus Friedl <markus at openbsd.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markus at openbsd.org
--- Comment #2 from Markus Friedl <markus at openbsd.org>  ---
(In reply to comment #0)
> Solutions:
> ~~~~~~~~~~
> 1) (Ab)using ProxyCommand. This is employed in some howtos on port
>    knocking. It however has the disadvantage that TCPKeepAlive and some
>    timeout options are no longer honoured.
I don't see how using proxy command for port knocking is an abuse as
TCP keep alives are usually useless.