We run ssh from a program and needed to add port-forwards dynamically. The ~C method turns out to be very cumbersome to use since it reads from /dev/tty. But then I came to think of the master/slave functionality (which we already used) which seemed a perfect place for this functionality. Unfortunately it turned out not to be possible to set up new port forwards in a slave.

So I patched openssh to make it possible to add port forwards via a slave process. This is done by creating a new command which can be sent over the control connection (SSHMUX_COMMAND_FORWARD). The patch against openssh current can be downloaded (13K) from:

http://www.appgate.com/downloads/maf/slavepf-current.patch

I would be happy if other people found it useful and if it could make it into the official distribution.

/MaF
--
Martin Forssen <maf at appgate.com>
Development Manager
Phone: +46 31 7744361
AppGate Network Security AB

On Tue, 30 Oct 2007, maf at appgate.com wrote:

> We run ssh from a program and needed to add port-forwards dynamically.
> The ~C method turns out to be very cumbersome to use since it reads from
> /dev/tty. But then I came to think of the master/slave functionality
> (which we already used) which seemed a perfect place for this
> functionality. Unfortunately it turned out not to be possible to set up
> new port forwards in a slave.
>
> So I patched openssh to make it possible to add port forwards via a
> slave process. This is done by creating a new command which can be sent
> over the control connection (SSHMUX_COMMAND_FORWARD). The patch against
> openssh current can be downloaded (13K) from:
>
> http://www.appgate.com/downloads/maf/slavepf-current.patch
>
> I would be happy if other people found it useful and if it could make it
> into the official distribution.

Hi,

Thanks for this, it seems to implement the approach that I'd planned but haven't had time to do myself. I'll try to get it in for the 4.8 release. To make sure it doesn't get lost, could you please attach this patch to the bug at:

https://bugzilla.mindrot.org/show_bug.cgi?id=993

Before you submit it, it would be best if you could review it in light of the style guide[1] - I noticed that it uses spaces instead of tabs and doesn't do indenting quite the same way as the existing code.

Thanks,
Damien

[1] http://www.openbsd.org/cgi-bin/man.cgi?query=style&sektion=9

On Oct 30, 5:57 am, Martin Forssen <maf at appgate.com> wrote:

> So I patched openssh to make it possible to add port forwards via a slave process.

Hi Martin,

Thank you very much -- I've recently been meaning to write something like this myself (but then my firstborn arrived!)

I was also wondering about making it "fully transparent", i.e., when the slave exits it would send a message to the master to remove the forwarding -- that is to say, the behaviour a user sees is the same whether or not they're using a ControlMaster. For this, "ssh -NL ..." would not exit straight away as per your patch, but block waiting for interrupts (although it wouldn't actually be fully transparent, because if the slave were SIGKILLed the forwarding would remain. Also it would maybe be kind of weird if a slave "ssh -fNL" left a blocking process).

I would also find it useful to have a behaviour like your patch in which the slave adding the forwarding returns immediately, but I wonder if this might best be served using "-O" control messages as per Torsten's original patch, with commands for removing and listing forwardings too.

Finally, I was thinking it might be nice if commands passed using "-O" and commands typed at the ~C "ssh>" prompt were the same commands. Do you have any opinion on interface best practice in this respect?

Damien, did you have any thoughts on removing or listing forwardings in your planned approach?

Best wishes,
Hamish