openssh bugs - Nov 2021 - [Bug 3369] New: Local script, invoked via "Match ... exec <script>" is disconnected from stdin/stdout

https://bugzilla.mindrot.org/show_bug.cgi?id=3369

            Bug ID: 3369
           Summary: Local script, invoked via "Match ... exec
<script>" is
                    disconnected from stdin/stdout
           Product: Portable OpenSSH
           Version: 7.6p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: cponder at nvidia.com

For some context, here's my use-case:

I have an authentication_script that generates a temporary certificate
to log onto a remote system.
I want to call this automatically when I try to connect, *IF* the
certificate has expired.
Here's the entry I use in my ~/.ssh/config to make this happen:

      Match originalhost remote.site exec "test $(file.age %%h
~/.ssh/SITE/certificate) -gt 24" exec "gnome-terminal --
~/.ssh/SITE/authentication_script -o ~/.ssh/SITE/certificate"

This is a bit of a hack in that it runs the script inside a new
terminal-window.
I don't think I should have to do this, I'd like the password prompt to
come out after the command-line in the same session, analogous to what
I'd get when ssh asks for the password.
If I just try to execute the utility

     exec "~/.ssh/SITE/authentication_script -o
~/.ssh/SITE/certificate"

though, I get these error-messages:

     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     authentication_script: The sshproxy server said: Authentication
failed. Failed login: myname: 
     authentication_script: This usually means you did not enter the
correct password or OTP: 
     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     authentication_script: The sshproxy server said: Authentication
failed. Failed login: myname: 
     authentication_script: This usually means you did not enter the
correct password or OTP: 
     stty: 'standard input': Inappropriate ioctl for device

My understanding is that the stdin & stdout have been severed from the
exec-shell where the utility is executed.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3369

--- Comment #1 from Carl Ponder <cponder at nvidia.com> ---
If cutting-off stdin/stdout is done by design, what is the motive for
it?
An enhancement-request would to to enable this in the

     /etc/ssh/ssh_config

with something like

     EnableSubshellIO   yes

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3369

--- Comment #2 from Carl Ponder <cponder at nvidia.com> ---
I've found a suitable workaround for this, by detecting the PTY and
re-directing the input/output to use it:

     PTY=$(ps --no-headers $$ | xargs index 2)
     printf "Enter the password: " > /dev/$PTY
     read -r -s pw < /dev/$PTY

You're welcome to close this as "not a bug" or re-set it to be an
"enhancement request". But I'm still curious why the stdin/stdout
are
disabled.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3369

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED
                 CC|                            |dtucker at dtucker.net

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Carl Ponder from comment #2)
[...]
>      PTY=$(ps --no-headers $$ | xargs index 2)
>      printf "Enter the password: " > /dev/$PTY
>      read -r -s pw < /dev/$PTY
You should be able to use /dev/tty to interact with the controlling
terminal (when ssh has one).
> But I'm still curious why the stdin/stdout are disabled.
Polluting stdin and stdout like that and make ssh useless for shell
pipelines or anything that uses ssh as a transport (eg sftp, scp,
rsync, git).

Anyway, this is working as intended so closing this bug.

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=3369

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
closing bugs resolved before openssh-8.9

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.