Feature request: "SetupCommand" invoked before connecting

Helmut Grohne helmut at subdivi.de
Thu Jul 9 08:03:38 EST 2009


Hi,

(I'm not subscribed to the list, so please CC me on reply.)

I'd like to request adding a feature to OpenSSH:

Task:
~~~~~
It is sometimes quite useful to invoke a program prior to connecting to
an ssh server. The most common use case will probably be port knocking.
That is, a small program sends certain packets to a server and the server
reacts to this by unlocking the ssh port, which would be blocked
otherwise to defend against brute force attacks.

Solutions:
~~~~~~~~~~
1) (Ab)using ProxyCommand. This is employed in some howtos on port
   knocking. It however has the disadvantage that TCPKeepAlive and some
   timeout options are no longer honoured.
2) Wrapping ssh. While this does not disable other options like the
   above, one has to create a second option parser for ssh. Furthermore
   configuration that belongs to ssh is now located somewhere else (not
   in .ssh/config). The approach may also fail when third party
   applications that invoke ssh reset $PATH.
3) Extending ssh itself using a new configuration item "SetupCommand":

Sample Implementation:
~~~~~~~~~~~~~~~~~~~~~~
I propose adding a new configuration item "SetupCommand" for the ssh
client software. It would accept a string that is treated exactly the
same as LocalCommand. As with LocalCommand it should also be ignored
when PermitLocalCommand is disabled. Otherwise the command should be
executed right before connecting to the server.

I created a patch against 5.1p1 and tested it (attached).

What do you think about this:

1) Is option 3 the best approach or did I overlook something?
2) Is this useful enough to patch ssh?
3) Can this implementation be used or do we need something better?

Thanks in advance

Helmut
-------------- next part --------------
A non-text attachment was scrubbed...
Name: setupcommand.diff
Type: text/x-diff
Size: 3838 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20090709/0f9aa1c3/attachment.bin>
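The ProxyCommand workaround from solution 1 placed next to the proposed SetupCommand from solution 3, as an added ssh_config example that is not part of the original mail or the attached patch; the `knock` client, the port sequence and the host names are placeholders, and the %h/%p expansion in SetupCommand assumes it inherits LocalCommand's token expansion.

```sshconfig
# Solution 1: (ab)use ProxyCommand. ssh never opens the TCP socket itself,
# it only talks to the proxy's stdin/stdout, which is why TCPKeepAlive and
# the timeout options mentioned above are no longer honoured.
Host knocked-proxy
    HostName ssh.example.org
    ProxyCommand sh -c 'knock %h 7000 8000 9000; exec nc %h %p'

# Solution 3: proposed SetupCommand. The knock runs right before ssh
# connects, and ssh still owns the socket, so those options keep working.
# Like LocalCommand it would be ignored unless PermitLocalCommand is set.
Host knocked-setup
    HostName ssh.example.org
    PermitLocalCommand yes
    SetupCommand knock %h 7000 8000 9000
```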