[PATCH] close stderr of persistent proxy command if not in debug mode

Steffen Prohaska prohaska at zib.de
Sat Nov 10 23:58:06 AEDT 2018


> On Oct 27, 2018, at 18:19, Steffen Prohaska <prohaska at zib.de> wrote:
> 
> From: Steffen Prohaska <prohaska at zib.de>
> Date: Sat, 27 Oct 2018 16:52:57 +0200
> Subject: [PATCH] close stderr of persistent proxy command if not in debug mode
> 
> If the parent becomes a new persistent connection master daemon, stderr
> of the proxy command should be detached, too, similar to the master
> daemon's stderr, as changed in
> openssh-portable at d2d6bf864e52af8491a60dd507f85b74361f5da3,
> upstream at 4fb726f0fdcb155ad419913cea10dc4afd409d24 and discussed in
> bz#1988.

Since I haven't received any comments, I'd like to explain in more detail why I think that the patch is relevant.

The problem that the patch solves is a variant of the problem discussed in bz#1988 <https://bugzilla.mindrot.org/show_bug.cgi?id=1988>, i.e. scripts that use stderr unexpectedly hang.  A specific example with Python:

    subprocess.run(['ssh', ...], capture_output=True, ...)

will hang if ssh starts a new master connection that uses a proxy command.  Python waits for EOF on the stderr child pipe.  But it does not receive EOF if the proxy command keeps stderr open.  With the proposed patch, it works as expected.

The current behavior is confusing and difficult to debug.  The direct child process terminates successfully, but sometimes `run()` does not return.  It returns if the master connection has already been active, but it hangs if ssh opens a new master connection.  One must understand that ssh spawns additional daemon processes, and one of those keeps the stderr pipe open, which is the reason why `run()` does not see EOF and thus does not return.

One possible workaround until the patch has been applied is to not use ProxyJump and use ProxyCommand as follows:

    Host internal.example.org
        ProxyCommand 2>/dev/null ssh -W %h:%p login.example.org

This works because ProxyCommand is executed via a shell `exec ...`, so that `2>/dev/null` closes stderr in the same way as the proposed patch.

Steffen
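
The hang described in this message can be reproduced without ssh. The following is an added example, not part of the original message or of OpenSSH: `sh` and `sleep` are constructed stand-ins for the ssh client and the long-lived proxy command, and only stderr is captured so that the effect is isolated to that pipe.

```python
import subprocess
import time

# Constructed stand-ins for ssh: the direct child exits at once, but a
# background process it started (playing the proxy command) lives on.
HOLD_SECONDS = 2
INHERITS_STDERR = f"sleep {HOLD_SECONDS} & exit 0"
DETACHED_STDERR = f"sleep {HOLD_SECONDS} 2>/dev/null & exit 0"


def timed_run(script):
    """Run `script` with stderr captured; return (returncode, seconds)."""
    start = time.monotonic()
    proc = subprocess.run(
        ["sh", "-c", script],
        stdin=subprocess.DEVNULL,
        stdout=subprocess.DEVNULL,  # isolate the effect to stderr
        stderr=subprocess.PIPE,     # run() reads this pipe until EOF
    )
    return proc.returncode, time.monotonic() - start


if __name__ == "__main__":
    for label, script in (("inherits stderr", INHERITS_STDERR),
                          ("stderr -> /dev/null", DETACHED_STDERR)):
        rc, secs = timed_run(script)
        print(f"{label:22s} rc={rc} returned after {secs:.1f}s")
```

In both cases the direct child exits with status 0 immediately; `run()` only returns early in the second case, because no surviving process holds the write end of the stderr pipe.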

