bugzilla-daemon at mindrot.org
2002-May-23 06:27 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223
dtucker at zip.com.au changed:
What |Removed |Added
----------------------------------------------------------------------------
OS/Version|FreeBSD |All
Platform|ix86 |All
Version|3.0.1p1 |-current
------- Additional Comments From dtucker at zip.com.au 2002-05-23 16:27 -------
Also observed on Solaris 7 & 8 with OpenSSH 3.2.2p1. You end up with an
orphaned
sh -c:
$ ps -eaf | grep nc
root 219 218 0 16:18:27 pts/4 0:01 ssh relayhost nc 10.3.1.1 22
root 218 1 0 16:18:27 pts/4 0:00 /bin/sh -c ssh relayhost nc 10.3.1.1 22
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-23 10:02 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From dtucker at zip.com.au 2002-05-23 20:02 ------- Created an attachment (id=103) Kill ProxyCommand child process ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-23 10:05 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From dtucker at zip.com.au 2002-05-23 20:05 ------- I had a poke around and came up with the attached patch to send a SIGTERM to the ProxyCommand child when ssh exits. I also added an explicit exec to the shell command passed to sh -c, which prevents the shell hanging around on Solaris. This problem doesn't seem to exist on Linux but I think the exec is safe for any platform. The remaining problem is that the child process can send an error message to stderr after the SIGTERM. I'm not sure what (if anything) can be done about that: $ ./ssh -o 'ProxyCommand nc localhost 22' localhost echo punt! Feedback welcome but since this is my first attempt to actually modify openssh please be nice :-). ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-25 07:49 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From markus at openbsd.org 2002-05-25 17:49 ------- so 'ProxyCommand exec nc localhost 22' works without any patches? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-25 08:39 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From dtucker at zip.com.au 2002-05-25 18:39 ------- It works but still leaves an orphaned nc (on Solaris anyway): $ ssh -o 'ProxyCommand exec nc localhost 22' localhost echo $ ps -eaf | grep nc dtucker 9919 9049 0 18:23:45 pts/2 0:00 grep nc dtucker 9912 1 1 18:23:40 pts/2 0:00 nc localhost 22 After some more investigation I think there's 2 issues: 1) On all platforms, the child process isn't signalled when ssh exits, leaving them orphaned. 2) On Solaris (and possibly other platforms), running the ProxyCommand without "exec" also leaves an extra "sh -c". Additionally, the "sh -c" ignores SIGHUP and doesn't propogate SIGTERM, so even if ssh kills its child you're still left with 1 orphan rather than 2. FWIW, I've been working on a better patch that fixes 1 by always using exec and fixes 2 by sending SIGHUP (then SIGTERM then SIGKILL) to the child. This seems to be a clean solution. I'm cleaning the patch up for posting now. ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-25 09:33 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From dtucker at zip.com.au 2002-05-25 19:33 ------- Created an attachment (id=104) Updated patch to kill proxycommand child process ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2002-May-25 09:41 UTC
[Bug 223] ProxyCommand commands don't exit
http://bugzilla.mindrot.org/show_bug.cgi?id=223 ------- Additional Comments From dtucker at zip.com.au 2002-05-25 19:41 ------- OK the new patch seems to work (on Solaris anyway) even in the pathological case. (nc-nosig is netcat modified to ignore all signals). $ ./ssh -v -o 'ProxyCommand ./nc-nosig localhost 22' localhost echo [snip] debug1: Exit status 0 debug1: Terminating ProxyCommand child process pid:10203 debug1: ProxyCommand terminated with signal 9 Neither nc-nosig or the normal netcat leave orphaned processes. The timeout is currently hardcoded at 2 seconds per signal. Is this enough? ------- You are receiving this mail because: ------- You are the assignee for the bug, or are watching the assignee.