bugzilla-daemon at mindrot.org
2025-Mar-12 00:44 UTC
[Bug 3801] New: Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

Bug ID: 3801
Summary: Expand TOKENS available in ProxyCommand to support port forwarding
Product: Portable OpenSSH
Version: 9.9p2
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: bnheise at gmail.com

I would like additional tokens to be available in ProxyCommand such that my ProxyCommand script can identify whether or not port forwarding was requested in the original command or not. Currently ProxyCommand has no awareness of what the original command was, so it cannot handle both cases where the user invoked a normal ssh session or requested port forwarding.

The additional tokens would ideally include the command (-L, -R, etc), as well as the local port or socket, the bind address if present, and any other parameters which may be provided when invoking a port-forwarding session.

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Mar-12 01:06 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

Darren Tucker <dtucker at dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |dtucker at dtucker.net

--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I don't think this is feasible. For one thing there's no trivial 1:1 mapping of forwardings to tokens (there's 3 or 4 different types depending on exactly what you count, and they each have between 1 and 4 options) and they can be added or removed at runtime via the EscapeChar/EscapeCharCommandLine.

What is the objective of this exercise?
bugzilla-daemon at mindrot.org
2025-Mar-12 04:24 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
It's a bit icky, but given you specified you're running on Linux, the ProxyCommand can fish the parent ssh's command line out of /proc/$PPID/cmdline and do whatever it likes with it, eg:

$ cat proxycommand
#!/bin/sh
# Read the parent ssh's NUL-separated argv and join it with spaces.
cmdline=$(xargs -0 </proc/$PPID/cmdline)
# stdout carries the connection, so report on stderr.
echo "Parent Command line: $cmdline" >&2
exec nc "$1" "$2"
$ chmod a+x proxycommand
$ ssh -o proxycommand='./proxycommand %h %p' localhost
Parent Command line: ssh -o proxycommand=./proxycommand %h %p localhost
Last login: Wed Mar 12 15:18:15 2025 from 127.0.0.1
[etc]
bugzilla-daemon at mindrot.org
2025-Mar-12 04:31 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Oh, and one more reason to add to comment#1 about why IMO this is not feasible: each forwarding flag can be invoked multiple times.
bugzilla-daemon at mindrot.org
2025-Mar-13 02:40 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |djm at mindrot.org

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
you could detect forwardings set up in the config file by replaying the command-line from comment 2 but adding -G
bugzilla-daemon at mindrot.org
2025-May-22 04:03 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

Darren Tucker <dtucker at dtucker.net> changed:

What       |Removed |Added
----------------------------------------------------------------------------
Resolution |---     |INVALID
Status     |NEW     |RESOLVED

--- Comment #5 from Darren Tucker <dtucker at dtucker.net> ---
As discussed above, there's no practical way to implement this as tokens, and there are other (albeit icky) ways to do what you're asking for.
bugzilla-daemon at mindrot.org
2025-May-22 04:12 UTC
[Bug 3801] Expand TOKENS available in ProxyCommand to support port forwarding
https://bugzilla.mindrot.org/show_bug.cgi?id=3801

--- Comment #6 from Darren Tucker <dtucker at dtucker.net> ---
Oh, and you'd also need to ensure that EnableEscapeCommandline hasn't been enabled, otherwise a port forwarding can be added in a way that won't show up in either the command line or config.
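
The workaround from comments 2, 4 and 6 combined into one ProxyCommand wrapper, as an added example that is not part of the original thread and not OpenSSH code. It assumes Linux /proc, nc as the transport as in comment 2, the file name proxycommand, and that `ssh -G` prints forwardings as lowercase localforward/remoteforward/dynamicforward lines and the escape setting as enableescapecommandline; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: ProxyCommand wrapper that reports the parent ssh's forwardings.
# Assumed usage: ssh -o ProxyCommand='./proxycommand %h %p' host

# Replay the argv stored NUL-separated in the given cmdline file with -G added.
# For ssh, -G prints the effective configuration and exits without connecting.
parent_config() {
    xargs -0 sh -c 'bin=$1; shift; exec "$bin" -G "$@"' sh <"$1"
}

# Reduce `ssh -G` output on stdin to its forwarding directives.
forwards_from_config() {
    awk '$1 ~ /^(local|remote|dynamic)forward$/'
}

# Succeed if the escape command line is enabled: forwardings can then be
# added at runtime, so the list above is not authoritative (comment 6).
escape_cmdline_enabled() {
    awk '$1 == "enableescapecommandline" && $2 == "yes" { on = 1 }
         END { exit !on }'
}

proxy_main() {
    cfg=$(parent_config "/proc/$PPID/cmdline") || cfg=
    fwds=$(printf '%s\n' "$cfg" | forwards_from_config)
    # stdout carries the SSH connection, so all reporting goes to stderr.
    if [ -n "$fwds" ]; then
        printf 'Forwardings requested:\n%s\n' "$fwds" >&2
    else
        echo "No forwardings on command line or in config" >&2
    fi
    if printf '%s\n' "$cfg" | escape_cmdline_enabled; then
        echo "EnableEscapeCommandline is on: list may be incomplete" >&2
    fi
    exec nc "$1" "$2"
}

# Run only when invoked with host and port; sourcing just defines functions.
if [ "$#" -ge 2 ]; then proxy_main "$@"; fi
```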