ProxyCommand that creates identity file

Peter Moody mindrot at
Fri Nov 10 14:20:50 AEDT 2017

I've done this exact thing.

The short answer is what Damien said: have the command that reaches
out to the CA fork/exec ssh, e.g.

Match Host <your hosts>
  ProxyCommand ssh_cert_script -W %h:%p

And then you end your ssh_cert_script with something like 'exec ssh ${*}'.

Or, in Go:

package main

import (
  "log"
  "os"
  "os/exec"
  "syscall"
)

func main() {
  // CA round trip happens earlier in main(); args assumed to be os.Args[1:]
  args := os.Args[1:]
  if len(args) > 1 {
    execSSH(args)
  }
}

// execSSH replaces this process with the real ssh client, like 'exec ssh ${*}'.
func execSSH(sshArgs []string) {
  path, err := exec.LookPath("ssh")
  if err != nil {
    log.Fatalf("%v\n", err)
  }
  sshArgs = append([]string{path}, sshArgs...)
  if err = syscall.Exec(sshArgs[0], sshArgs, os.Environ()); err != nil {
    log.Fatalf("%v\n", err)
  }
}
On Thu, Nov 9, 2017 at 7:03 PM, Damien Miller <djm at> wrote:
> On Thu, 9 Nov 2017, John Maguire wrote:
>> Hi there,
>> I'm working on a project to write a ProxyCommand that reaches out to an SSH
>> CA to receive an SSH certificate prior to the connection. The ProxyCommand
>> also creates a tunnel to the upstream SSH server.
>> When using ProxyCommand alone, the issue is that the identity files are
>> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
>> valid server negotiation.
>> I found the ProxyUseFdPass flag which seemed promising -- here, the
>> identity files weren't loaded until after the file descriptors are passed
>> back to the SSH client. Perhaps I could fetch the identity file, return the
>> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
>> this doesn't work either -- I need the process to stay open to tunnel data.
>> I considered trying to fork, disown the child, and run the tunnel inside
>> the child, but unfortunately I am working with Golang, which doesn't allow
>> forking (except to execute another application.)
>> I'm looking for any tips on how I might be able to work around this
>> problem. I'd also be interested in understanding why the identity files are
>> loaded prior to negotiating a valid server connection.
> I don't think you'll be able to achieve what you want with a ProxyCommand -
> as far as ssh is concerned, it's just a dumb pipe.
> Couldn't you do it as a wrapper to ssh that does the CA operations then
> launches ssh with an explicit ProxyCommand argument?
> Otherwise, you might want to check out
> -- it seems to allow a daemon()-like operation that could let you use
> fd passing.
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at
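The wrapper approach suggested in the thread (do the CA operation first, then exec ssh with an explicit certificate and ProxyCommand), written out as an added example. This is not Peter's script, not OpenSSH code, and not part of the original thread. Assumptions are labelled in the comments: the certificate location under ~/.ssh, an SSH_CERT_FETCH environment variable naming a CA client command, and an mtime-based freshness check standing in for parsing the certificate's validity window. Because the certificate is written before ssh is started, the race John describes (identity files read as soon as the ProxyCommand is spawned) does not arise.

```go
package main

import (
	"fmt"
	"log"
	"os"
	"os/exec"
	"path/filepath"
	"strings"
	"syscall"
	"time"
)

// certIsFresh reports whether certPath exists and was written less than maxAge ago.
// A production wrapper would parse the certificate's valid-before field instead;
// the mtime check keeps this example to the standard library.
func certIsFresh(certPath string, maxAge time.Duration, now time.Time) (bool, error) {
	fi, err := os.Stat(certPath)
	if os.IsNotExist(err) {
		return false, nil
	}
	if err != nil {
		return false, err
	}
	return now.Sub(fi.ModTime()) < maxAge, nil
}

// ensureCert fetches a new certificate only when the cached one is missing or
// stale. fetch is the CA round trip, passed in so it can be replaced in tests.
func ensureCert(certPath string, maxAge time.Duration, fetch func(string) error) error {
	fresh, err := certIsFresh(certPath, maxAge, time.Now())
	if err != nil {
		return err
	}
	if fresh {
		return nil
	}
	if err := fetch(certPath); err != nil {
		return fmt.Errorf("certificate fetch failed: %w", err)
	}
	fresh, err = certIsFresh(certPath, maxAge, time.Now())
	if err != nil {
		return err
	}
	if !fresh {
		return fmt.Errorf("CA client did not write %s", certPath)
	}
	return nil
}

// fetchCertFromCA is a placeholder for the CA client: it runs the command named
// in the (assumed) SSH_CERT_FETCH environment variable with the certificate path
// as its last argument. The CA protocol itself is not part of this example.
func fetchCertFromCA(certPath string) error {
	cmdline := strings.Fields(os.Getenv("SSH_CERT_FETCH"))
	if len(cmdline) == 0 {
		return fmt.Errorf("SSH_CERT_FETCH is not set")
	}
	cmd := exec.Command(cmdline[0], append(cmdline[1:], certPath)...)
	cmd.Stderr = os.Stderr
	return cmd.Run()
}

// buildSSHArgv assembles argv for the real client. The certificate and the
// tunnel ProxyCommand are given explicitly, ahead of the user's own arguments,
// so ssh already sees the certificate when it loads identities at startup.
func buildSSHArgv(sshPath, certPath, proxyCommand string, userArgs []string) []string {
	argv := []string{sshPath, "-o", "CertificateFile=" + certPath}
	if proxyCommand != "" {
		argv = append(argv, "-o", "ProxyCommand="+proxyCommand)
	}
	return append(argv, userArgs...)
}

func main() {
	home, err := os.UserHomeDir()
	if err != nil {
		log.Fatal(err)
	}
	certPath := filepath.Join(home, ".ssh", "id_ed25519-cert.pub") // assumed location
	if err := ensureCert(certPath, 12*time.Hour, fetchCertFromCA); err != nil {
		log.Fatal(err)
	}
	sshPath, err := exec.LookPath("ssh")
	if err != nil {
		log.Fatal(err)
	}
	// Empty proxyCommand leaves tunnelling to ssh_config; pass a command string to set it here.
	argv := buildSSHArgv(sshPath, certPath, "", os.Args[1:])
	log.Fatal(syscall.Exec(argv[0], argv, os.Environ()))
}
```

The wrapper is what the user runs in place of ssh; it is not itself a ProxyCommand, so ssh still treats the proxy as the dumb pipe Damien describes, and the tunnel command can be anything that forwards stdio to the target.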