bugzilla-daemon at mindrot.org
2014-Nov-08 01:11 UTC
[Bug 2310] New: functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
Bug ID: 2310
Summary: functionality to start process before ssh and/or to "wrap" such command around ssh
Product: Portable OpenSSH
Version: 6.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: sftp
Assignee: unassigned-bugs at mindrot.org
Reporter: calestyo at scientia.net
Hi.
This feature request basically evolved out of a post[0] on the
mailing list, where however no one came up with a really clean solution.

What I basically would want is something like LocalCommand, just that it
is run "before".

Now of course starting a command before ssh can be done via shell
script wrapping and the like.
The disadvantage here is however that I cannot easily start commands
on a per-host basis, unless I write my own parser for SSH config files,
which also takes things like CanonicaliseHostnames into account.

A typical example for starting something *before* ssh would be, e.g.,
kinit, which requests a Kerberos ticket, or perhaps (for certain special
hosts) bringing up some ppp network route or whatever.

But actually "just" starting something before ssh isn't the only thing
I'd wish for:
My thinking goes also into "wrapping" another command around ssh,
mainly something like k5start[1] or krenew[1], which would greatly
simplify connecting to hosts from different(!) realms.
I'm not sure though how easily the latter can be done...

If it would work, one might need to take security implications into
account, especially when this is used together with control channel
multiplexing.
I remember that some things were then fixed for *all* further
connections via that control socket, even if the later ssh wasn't
invoked with such an option.
If the same would e.g. apply to transmission of Kerberos credentials,
then all further connections could accidentally inherit the credentials
from the first one, started with k5start wrapped around.
Cheers,
Chris.
[0]
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-October/033082.html
[1] http://www.eyrie.org/~eagle/software/kstart/
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2014-Dec-11 04:22 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This functionality can easily be achieved using shell functions, shell
aliases, shell scripts or wrapper binaries. There is no need to add
more options to accomplish this. Each new option is a maintenance
burden for developers and a cognitive load for users, so they need to
be well justified.
bugzilla-daemon at mindrot.org
2014-Dec-12 02:33 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> ---
(In reply to Damien Miller from comment #1)
> This functionality can easily be achieved using shell functions,
> shell aliases, shell scripts or wrapper binaries.
Could you please elaborate on how this can be easily achieved in the ways
you describe, especially when considering that people may use arbitrary
HostName definitions or features like CanonicaliseHostname, which would
basically make it necessary for any wrapper program to implement a full
ssh_config parser.
bugzilla-daemon at mindrot.org
2014-Dec-12 02:43 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
Christoph Anton Mitterer <calestyo at scientia.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |REOPENED
Resolution|WONTFIX |---
--- Comment #3 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Actually I've made some further tests on this issue in the meantime and
it seems as if there is just some "timing issue", which is why I reopen
the issue for now; perhaps you can have a look whether that could be
fixed easily.

Remember, what I've basically tried to achieve is to get automated
(i.e. passwordless) login to ssh hosts that require a Kerberos ticket
(+AFS) for login and for the home dir access.
And not only this, the whole thing should also work for multiple realms,
i.e. when I connect to some nodes at CERN I want a ticket for CERN.CH
to be automatically generated and used with ssh, while when I connect
to the university's nodes, I want the same for the PHYSIK.LMU.DE realm.

Okay, from the k5start side everything seems to work. What I do is
basically:

    $ k5start -q -f kt -K 10 -- user@REALM ssh ...

The keytab file (kt) works, and when I run ssh with the above, login
works fine as well and then I get an AFS ticket (it's probably created
on the server side).

Now I try to get the whole thing into ssh_config, because I want it all
to be done automatically, and especially for different realms, so I do
about the following:

    Host lxplus.cern.ch
        GSSAPITrustDns yes

    Host *.cern.ch
        User mitterer
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIRenewalForcesRekey yes
        ProxyCommand k5start -q -f kt -K 10 -- mitterer@CERN.CH nc %h %p

The usage of ProxyCommand with k5start and nc is a hack here, which I
hoped would solve the problem, so that the ticket is generated before
the connection is made, and nc %h %p simply passes everything through.
In other words, this is the trick which I've tried to get the feature
I've asked for in the original submission of this ticket.

This however doesn't work, which makes sense, as the ssh process has no
way to know where the credential cache is that k5start creates randomly
for this program invocation (nc), e.g. at /tmp/krb5cc_1000_VZ7FI5.
It also exports KRB5CCNAME='FILE:/tmp/krb5cc_1000_CERN', of course, but
this only gets known to nc.
At that point, ssh has already looked for KRB5CCNAME, didn't find any,
and never tries again.

Do you see any simple solution to get that working somehow? Maybe even
in a completely different way (extending ssh-agent and k5start to
interact?) or some other tricky hack?
If not, and you still think that adding such a feature isn't worth it to
make ssh nicely usable with Kerberos, then just close it again if you
feel it necessary.
Thanks,
Chris.
bugzilla-daemon at mindrot.org
2015-Jun-02 00:12 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Created attachment 2639
--> https://bugzilla.mindrot.org/attachment.cgi?id=2639&action=edit
0001-document-the-group-fallback-behaviour-in-DH-GEX.patch
bugzilla-daemon at mindrot.org
2015-Jun-02 00:13 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
--- Comment #5 from Christoph Anton Mitterer <calestyo at scientia.net> ---
Comment on attachment 2639
--> https://bugzilla.mindrot.org/attachment.cgi?id=2639
0001-document-the-group-fallback-behaviour-in-DH-GEX.patch
wah... again wrong bug... please delete that attachment.
I really hate this "wrap on to the next bug" mis-feature of bugzilla...
bugzilla-daemon at bugzilla.mindrot.org
2020-Jan-25 12:51 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Resolution|--- |WONTFIX
Status|REOPENED |RESOLVED
--- Comment #6 from Damien Miller <djm at mindrot.org> ---
We don't plan on implementing this. In answer to comment #2, the helper
command/alias can use "ssh -G" to resolve the active configuration for
most cases.
It is true that a helper command/alias would not be able to see the
results of hostname canonicalisation, but it could avoid this by doing
that step itself if necessary. I don't think this shortcoming is enough
to justify the maintenance burden of another command-execution feature,
sorry.
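Putting comment #6's suggestion together with the goal of comment #3, as an added example (not code from the bug thread or from OpenSSH): a POSIX sh wrapper that reads the resolved configuration from `ssh -G`, picks the Kerberos realm from the resolved hostname, and wraps k5start around ssh only when a ticket is needed, so the credential cache exists before ssh starts. The keytab path, the realm table and the sample `ssh -G` output are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example (not from the bug thread or OpenSSH): a wrapper along the
# lines of comment #6. It resolves the active configuration with `ssh -G`,
# derives the Kerberos realm from the resolved hostname, and only then wraps
# k5start around ssh, so KRB5CCNAME is set before ssh starts. Assumptions:
# keytab at $KEYTAB; the realm table and sample output are constructed.
KEYTAB="${KEYTAB:-$HOME/kt}"

# Map a resolved hostname to the realm it needs; empty means no ticket.
realm_for_host() {
    case "$1" in
        *.cern.ch)       echo "CERN.CH" ;;
        *.physik.lmu.de) echo "PHYSIK.LMU.DE" ;;
        *)               echo "" ;;
    esac
}

# `ssh -G` prints one "keyword value" pair per line, keyword lowercased.
# Print the value of keyword $1 from such output read on stdin.
ssh_g_value() { awk -v k="$1" '$1 == k { print $2; exit }'; }

# Read `ssh -G` output on stdin; print "user@REALM" for a known realm,
# or an empty line when the destination needs no ticket.
principal_from_config() {
    _cfg=$(cat)
    _host=$(printf '%s\n' "$_cfg" | ssh_g_value hostname)
    _user=$(printf '%s\n' "$_cfg" | ssh_g_value user)
    _realm=$(realm_for_host "$_host")
    if [ -n "$_realm" ]; then printf '%s@%s\n' "$_user" "$_realm"; else echo ""; fi
}

# The wrapper takes the same arguments as ssh. As comment #6 notes, the
# hostname seen here may not be the canonicalised one; if you depend on
# CanonicalizeHostname, canonicalise the destination here first.
kssh() {
    _cfg=$(ssh -G "$@") || return 1
    _principal=$(printf '%s\n' "$_cfg" | principal_from_config)
    if [ -n "$_principal" ]; then
        exec k5start -q -f "$KEYTAB" -K 10 -- "$_principal" ssh "$@"
    fi
    exec ssh "$@"
}

# Constructed, abridged `ssh -G lxplus.cern.ch` output so the realm
# selection can be exercised offline without an ssh binary.
SAMPLE_SSH_G='user mitterer
hostname lxplus.cern.ch
port 22
gssapidelegatecredentials yes'
demo_principal() { printf '%s\n' "$SAMPLE_SSH_G" | principal_from_config; }
```

Invoke kssh with exactly the arguments you would give ssh. With ControlMaster multiplexing, later sessions reuse the master's already-authenticated connection, so the ticket (and any delegation) obtained by the first kssh call is what they share, which is the concern raised in the original report.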
bugzilla-daemon at mindrot.org
2021-Apr-23 05:00 UTC
[Bug 2310] functionality to start process before ssh and/or to "wrap" such command around ssh
https://bugzilla.mindrot.org/show_bug.cgi?id=2310
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #7 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release