Is it possible to add %u for local user to ControlPath's argument in the portable version of OpenSSH?

Peter Fischer petrus69 at gmx.de
Fri Apr 20 01:12:37 EST 2007


Hi!

From man 5 ssh_config

>      ControlPath
>              Specify the path to the control socket used for connection sharing as described in the
>              ControlMaster section above or the string ``none'' to disable connection sharing.  In
>              the path, `%l' will be substituted by the local host name, `%h' will be substituted by
>              the target host name, `%p' the port, and `%r' by the remote login username.  It is rec-
>              ommended that any ControlPath used for opportunistic connection sharing include at least
>              %h, %p, and %r.  This ensures that shared connections are uniquely identified.

Question:
Could you please add a %u for the local user to the control path
setting? *pleeze* ;)

With the latest OpenSSH version on Gentoo Linux
> me@myhost ~ % ssh -V
> OpenSSH_4.6p1-hpn12v16, OpenSSL 0.9.8d 28 Sep 2006

using %u gives this error:
> me@myhost ~ % ssh qqgss@dbha30.muc
> percent_expand: unknown key %u

From http://marc.info/?l=openssh-unix-dev&m=111856810721769&w=2 and
followups I learned that it has been available in the BSD version for a
few years.

If %u was available one could put

ControlMaster	auto
ControlPath	/tmp/%u@%L->%r@%h:%p

in /etc/ssh/ssh_config

and all users on a machine would benefit from connection sharing with
two centrally maintained lines of configuration and without the
following problem.

DESCRIPTION:
============
/etc/ssh/ssh_config settings are:
> ControlMaster	auto
> ControlPath	/tmp/%l->%r@%h:%p # because %u does not work

user1 on localmachine sshs to remoteaccount on remotemachine,
socket looks like:

> localmachine ~ # ls -l /tmp
> srw------- 1 user1 user1 0 19. Apr 14:05 localmachine->remoteaccount@remotemachine:22=

if now user2 on localmachine tries the same, he gets an error message

> user2@localmachine ~ % ssh remoteaccount@remotemachine
> Control socket connect(/tmp/localmachine->remoteaccount@remotemachine:22): Permission denied
> ControlSocket /tmp/localmachine->remoteaccount@remotemachine:22 already exists

because user1 owns a connection sharing socket of that name already.

If one could use %u in ControlPath's argument, sockets would look like
> localmachine ~ # ls -l /tmp
> srw------- 1 user1 user1 0 19. Apr 14:06 user1@localmachine->remoteaccount@remotemachine:22=
> srw------- 1 user2 user2 0 19. Apr 14:07 user2@localmachine->remoteaccount@remotemachine:22=

and user1 as well as user2 could experience fast subsequent ssh
connections to remoteaccount@remotemachine.

Alternatives would be:
> ControlPath	~/.ssh/%r@%h:%p

...but I do not like the idea of a cluttered ~/.ssh/ with stale entries
(/tmp is usually maintained/uncluttered by tmpreaper etc, mine is on a
tmpfs, also some users' ~ are filled to the quota sometimes)

or one would have to maintain some lines in every ~/.ssh/config in every
user's home...
> ControlMaster	auto
> ControlPath	/tmp/username@%l->%r@%h:%p # because %u does not work

:(


Thank you for reading,

	Peter
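A small Python model of the ControlPath expansion and the socket-name collision described in the post, added here as an illustration; it is not OpenSSH's own code, and the token sets, helper names and sample host/user values are assumptions.

```python
"""Model of ssh_config ControlPath percent-expansion (added example).

Assumption: the two token sets below stand in for the tokens the quoted
man page lists (OLD_KEYS) and for that set plus %u and %L as used in
the post's proposed config (NEW_KEYS). Not OpenSSH's implementation.
"""
import re

OLD_KEYS = {"l", "h", "p", "r"}            # tokens in the quoted man page
NEW_KEYS = OLD_KEYS | {"u", "L"}           # plus local user / short hostname


def percent_expand(template, values, keys=NEW_KEYS):
    """Expand %x tokens in TEMPLATE from VALUES; %% yields a literal %.

    A token outside KEYS raises ValueError with the same wording the
    post shows for %u on 4.6p1: "percent_expand: unknown key %u".
    """
    def repl(match):
        key = match.group(1)
        if key == "%":
            return "%"
        if key not in keys:
            raise ValueError("percent_expand: unknown key %" + key)
        return values[key]
    return re.sub(r"%(.)", repl, template)


def control_paths(template, users, localhost="localmachine",
                  remote="remoteaccount", host="remotemachine", port="22"):
    """Expanded control-socket path per local user for one shared template.

    Sample names are constructed to match the post's scenario.
    """
    base = {"l": localhost, "L": localhost.split(".")[0],
            "h": host, "p": port, "r": remote}
    return {u: percent_expand(template, dict(base, u=u)) for u in users}


def collides(template, users):
    """True if two local users would share the same control socket path,
    i.e. the second user would hit "Permission denied / already exists"."""
    paths = control_paths(template, users)
    return len(set(paths.values())) < len(paths)
```

`collides("/tmp/%l->%r@%h:%p", ["user1", "user2"])` reproduces the clash from the DESCRIPTION section, while the %u template keeps the two sockets distinct.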
