ProxyCommand that creates identity file

Damien Miller djm at
Fri Nov 10 14:03:32 AEDT 2017

On Thu, 9 Nov 2017, John Maguire wrote:

> Hi there,
> I'm working on a project to write a ProxyCommand that reaches out to an SSH
> CA to receive an SSH certificate prior to the connection. The ProxyCommand
> also creates a tunnel to the upstream SSH server.
> When using ProxyCommand alone, the issue is that the identity files are
> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
> valid server negotiation.
> I found the ProxyUseFdPass flag which seemed promising -- here, the
> identity files weren't loaded until after the file descriptors are passed
> back to the SSH client. Perhaps I could fetch the identity file, return the
> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
> this doesn't work either -- I need the process to stay open to tunnel data.
> I considered trying to fork, disown the child, and run the tunnel inside
> the child, but unfortunately I am working with Golang, which doesn't allow
> forking (except to execute another application.)
> I'm looking for any tips on how I might be able to work around this
> problem. I'd also be interested in understanding why the identity files are
> loaded prior to negotiating a valid server connection.

I don't think you'll be able to achieve what you want with a ProxyCommand -
as far as ssh is concerned, it's just a dumb pipe.

Couldn't you do it as a wrapper to ssh that does the CA operations then
launches ssh with an explicit ProxyCommand argument?

Otherwise, you might want to check out
-- it seems to allow a daemon()-like operation that could let you use
fd passing.
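The wrapper approach suggested in this reply, written out as an added example (not code from the thread or from OpenSSH): a POSIX sh script that performs the CA step before ssh starts, so the key and certificate files already exist when ssh loads its identities, and then launches ssh with an explicit ProxyCommand for the tunnel. The CA client `ca-client` and the tunnel program `ssh-tunnel` are assumed placeholder names.

```shell
#!/bin/sh
# Wrapper that performs the CA step before ssh starts, then runs ssh with an
# explicit ProxyCommand. "ca-client" and "ssh-tunnel" are placeholder names
# assumed by this example, not real tools.
set -eu

# Generate a throwaway key pair in KEYDIR and have the CA certify it.
# ssh looks for the certificate next to the key as <key>-cert.pub.
fetch_cert() {
    keydir=$1
    target=$2
    ssh-keygen -q -t ed25519 -N '' -f "$keydir/id_ed25519"
    ca-client --pubkey "$keydir/id_ed25519.pub" --host "$target" \
              --out "$keydir/id_ed25519-cert.pub"
}

# Run SSH_BIN with the key, certificate and ProxyCommand taken from KEYDIR.
# The ssh binary is a parameter so the argument list can be inspected offline
# (pass a function that prints its arguments). No exec here: the wrapper must
# outlive ssh so the EXIT trap can remove the key directory afterwards.
run_ssh() {
    ssh_bin=$1
    keydir=$2
    target=$3
    shift 3
    "$ssh_bin" \
        -o IdentitiesOnly=yes \
        -o "IdentityFile=$keydir/id_ed25519" \
        -o "CertificateFile=$keydir/id_ed25519-cert.pub" \
        -o "ProxyCommand=ssh-tunnel %h %p" \
        "$target" "$@"
}

main() {
    target=$1
    shift
    keydir=$(mktemp -d)
    trap 'rm -rf "$keydir"' EXIT
    fetch_cert "$keydir" "$target"
    run_ssh ssh "$keydir" "$target" "$@"
}

# Only act when given a target ([user@]host [ssh args...]); with no
# arguments the functions are merely defined, e.g. for inspection.
if [ $# -ge 1 ]; then
    main "$@"
fi
```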
