Question About Dynamic Remote Forwarding
Damien Miller
djm at mindrot.org
Sat Jun 10 10:05:09 AEST 2023
On Fri, 9 Jun 2023, Chris Rapier wrote:
> Hi all,
>
> When a client requests dynamic remote forwarding with -R it delays forking
> into the background. In ssh.c we see
>
> 	if (options.fork_after_authentication) {
> 		if (options.exit_on_forward_failure &&
> 		    options.num_remote_forwards > 0) {
> 			debug("deferring postauth fork until remote forward "
> 			    "confirmation received");
> 		} else
> 			fork_postauth(ssh);
> 	}
>
>
> This seems to depend on forwarding_success() for it to then call
> fork_postauth.
>
> If I'm reading this correctly the client sends out a number of forward
> requests which is tracked via forward_confirms_pending in ssh.c.
>
> Is there any equivalent on the server side to track the number of received
> requests?
>
> I ask because I'm trying, for various reasons, to trigger a rekey on the
> server side *after* the client forks in a dynamic remote forward scenario. I
> know that the server can't actually know for certain if the client has or
> hasn't forked but if I could track the number of confirmations the server has
> sent I can use that as a reasonable proxy. I could use an ssh control message
> to do this but I'd rather not if I don't have to.

I don't think what you want is possible without a protocol extension. The
server has no notion of the client's fork-after-auth behaviour and has no
way of knowing if/when another forwarding request will come.

Why not have the client ask for the rekey? It's in a better position to
know...

-d
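
An added sketch, not OpenSSH code and not written by either poster: a simplified C model of the client-side bookkeeping discussed in the thread, showing that the fork point is visible only to the client, which is where a rekey request could be issued. The struct, the function names and the rekey flag are hypothetical; the comments name the ssh.c options and counter they stand in for.

```c
#include <stdbool.h>

/* Simplified model; names are hypothetical stand-ins for the options and
 * counter quoted in the thread, not OpenSSH code. */
enum state { ST_WAITING, ST_FORKED, ST_FATAL };

struct client {
	bool fork_after_auth;     /* options.fork_after_authentication */
	bool exit_on_fwd_failure; /* options.exit_on_forward_failure */
	int confirms_pending;     /* forward_confirms_pending; -1 = not tracked */
	enum state st;
	bool rekey_requested;     /* hypothetical client-initiated rekey */
};

/* Fork, then ask for the rekey from the side that knows the fork happened. */
static void do_fork(struct client *c)
{
	c->st = ST_FORKED;
	c->rekey_requested = true;
}

/* After authentication: defer the fork only when forward failures must be
 * fatal and at least one remote forward request is outstanding. */
enum state client_postauth(struct client *c, int num_remote_forwards)
{
	c->st = ST_WAITING;
	c->rekey_requested = false;
	c->confirms_pending = -1;
	if (!c->fork_after_auth)
		return c->st;
	if (c->exit_on_fwd_failure && num_remote_forwards > 0)
		c->confirms_pending = num_remote_forwards;
	else
		do_fork(c);
	return c->st;
}

/* One reply to a remote forward request arrives from the server. */
enum state client_on_reply(struct client *c, bool success)
{
	if (c->st == ST_FATAL)
		return c->st;
	if (!success && c->exit_on_fwd_failure)
		return c->st = ST_FATAL;
	if (c->confirms_pending == -1)
		return c->st;
	if (--c->confirms_pending == 0 && c->fork_after_auth)
		do_fork(c);
	return c->st;
}
```

The server sees only the individual requests and its own replies; the counter, the two options and the fork itself all live in the client.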