[Bug 2310] New: functionality to start process before ssh and/or to "wrap" such command around ssh

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Nov 8 12:11:35 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2310

            Bug ID: 2310
           Summary: functionality to start process before ssh and/or to
                    "wrap" such command around ssh
           Product: Portable OpenSSH
           Version: 6.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sftp
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.net

Hi.

This feature request basically evolved out of a post[0] on the
mailing list, where however no one came up with a really clean solution.

What I basically would want is something like LocalCommand, just that
it is run "before".

Now of course starting a command before ssh can be done via shell
script wrapping and the like.
The disadvantage here is however, that I cannot easily start commands
on a per host basis, unless I write my own parser for SSH config files,
which also takes things like CanonicaliseHostnames into account.

A typical example for starting something *before* ssh would be, e.g.
kinit, that requests a Kerberos ticket, or perhaps (for certain special
hosts) bringing up some ppp network route or whatever.



But actually "just" starting something before ssh isn't the only thing
I'd wish:
My thinking goes also into "wrapping" another command around ssh,
mainly something like k5start[1] or krenew[1], which would greatly
simplify connecting to hosts from different(!) realms.


I'm not sure though, how easily the latter can be done,...

If it would work, one might need to take security implications into
account, especially when this is used together with control channel
multiplexing.
I remember that some things were then fixed for *all* further
connections via that control socket, even if the later ssh wasn't
invoked with such an option.
If the same would e.g. apply to transmission of Kerberos credentials,
then all further connections could accidentally inherit the credentials
from the first one, started with k5start wrapped around.



Cheers,
Chris.


[0]
https://lists.mindrot.org/pipermail/openssh-unix-dev/2014-October/033082.html
[1] http://www.eyrie.org/~eagle/software/kstart/
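
The shell-wrapper approach from the report, as an added example that is not part of the original report or of OpenSSH: instead of a hand-written ssh_config parser it asks ssh for the resolved settings with `ssh -G` (available from OpenSSH 6.8, later than the 6.7p1 this report is filed against). The host patterns, realm names and the choice to disable connection sharing after a pre-command are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: run a per-host command before ssh, letting ssh itself
# resolve ssh_config (Host/Match blocks, canonicalisation) via `ssh -G`.

# config_value KEY: read `ssh -G` output on stdin, print the value of KEY.
# `ssh -G` prints one "keyword value" pair per line, keywords in lowercase.
config_value() {
    awk -v key="$1" '$1 == key { sub(/^[^ ]+ /, ""); print; exit }'
}

# pre_command_for HOSTNAME: hypothetical table mapping the resolved hostname
# to the command to run first. Domains and realms below are constructed.
pre_command_for() {
    case "$1" in
        *.realm-a.example) echo "kinit user@REALM-A.EXAMPLE" ;;
        *.realm-b.example) echo "kinit user@REALM-B.EXAMPLE" ;;
        *)                 echo "" ;;
    esac
}

main() {
    # Let ssh do the parsing; abort if the arguments are not valid for ssh.
    cfg=$(ssh -G "$@") || return 1
    host=$(printf '%s\n' "$cfg" | config_value hostname)
    pre=$(pre_command_for "$host")

    if [ -n "$pre" ]; then
        # The table holds fixed commands only, so word splitting is intended.
        $pre || return 1
        # Assumption/design choice: do not reuse or create a shared control
        # socket here, so this connection's credentials are not tied to a
        # master that later ssh invocations would also use.
        exec ssh -o ControlPath=none "$@"
    fi
    exec ssh "$@"
}

# Only act when called with ssh arguments, e.g.: ./prewrap.sh login1
if [ "$#" -gt 0 ]; then
    main "$@"
fi
```
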
