ProxyCommand that creates identity file

Peter Moody mindrot at hda3.com
Fri Nov 10 14:27:49 AEDT 2017 

and to be clear (since it looks like messages crossed on the wire),
this ssh setup works for every ssh use-case: rsync, GIT_SSH, scp, etc.

one cool thing about this setup is that if you run one of those
commands and you don't have a cert, the user is prompted to auth for a
cert before ssh/scp is exec'd.

On Thu, Nov 9, 2017 at 7:20 PM, Peter Moody <mindrot at hda3.com> wrote:
> I've done this exact thing
>
> the short answer is, what damian said, have the command that reaches
> out to the ca fork/exec ssh. eg.
>
> Match Host <your hosts>
>   ProxyCommand ssh_cert_script -W %h:%p
>
> and then you end your ssh_cert_script with something like 'exec ssh ${*}'
>
> or, in go:
>
>
> // end of func main()  {
>   if len(args) > 1 {
>       execSSH(args[1:])
>   }
> }
>
>
> func execSSH(sshArgs []string) {
>   path, err := exec.LookPath("ssh")
>   if err != nil {
>     log.Fatalf("%v\n", err)
>   }
>
>   sshArgs = append([]string{path}, sshArgs...)
>   if err = syscall.Exec(sshArgs[0], sshArgs, os.Environ()); err != nil {
>     log.Fatalf("%v\n", err)
>   }
> }
>
> On Thu, Nov 9, 2017 at 7:03 PM, Damien Miller <djm at mindrot.org> wrote:
>> On Thu, 9 Nov 2017, John Maguire wrote:
>>
>>> Hi there,
>>>
>>> I'm working on a project to write a ProxyCommand that reaches out to an SSH
>>> CA to receive an SSH certificate prior to the connection. The ProxyCommand
>>> also creates a tunnel to the upstream SSH server.
>>>
>>> When using ProxyCommand alone, the issue is that the identity files are
>>> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
>>> valid server negotiation.
>>>
>>> I found the ProxyUseFdPass flag which seemed promising -- here, the
>>> identity files weren't loaded until after the file descriptors are passed
>>> back to the SSH client. Perhaps I could fetch the identity file, return the
>>> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
>>> this doesn't work either -- I need the process to stay open to tunnel data.
>>>
>>> I considered trying to fork, disown the child, and run the tunnel inside
>>> the child, but unfortunately I am working with Golang, which doesn't allow
>>> forking (except to execute another application.)
>>>
>>> I'm looking for any tips on how I might be able to work around this
>>> problem. I'd also be interested in understanding why the identity files are
>>> loaded prior to negotiating a valid server connection.
>>
>> I don't think you'll be able to achieve what you want with a ProxyCommand -
>> as far as ssh is concerned, it's just a dumb pipe.
>>
>> Couldn't you do it as a wrapper to ssh that does the CA operations then
>> launches ssh with an explicit ProxyCommand argument?
>>
>> Otherwise, you might want to check out https://github.com/sevlyar/go-daemon
>> -- it seems to allow a daemon()-like operation that could let you use
>> fd passing.
>>
>> -d
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev at mindrot.org
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list