Help with ssh -A, screen, ssh -a, detach, logout
raf
ssh at raf.org
Wed Jun 3 15:55:17 AEST 2020

Hi,

I've noticed some ssh behaviour that I wish didn't
happen. I was wondering if someone can explain how I
can stop it from happening, or explain why it's
unavoidable.

If I ssh-with-agent-forwarding from one host to a
second host, and on the second host use something like
nohup/screen/tmux/daemon, and from within that new
process session, start a long-running command via
ssh-without-agent-forwarding on a third host, I would
expect to be able to (e.g.) detach from the screen
session and log out of the second host, but my shell
prompt on the first host doesn't come back and even
Ctrl-C won't break the connection between ssh on the
first host and sshd on the second host. I have to close
the xterm window that the shell and ssh are running in.
If I don't do that, the shell prompt doesn't come back
until the long-running command on the third host has
completed.

To see what I mean:

- on host1: Have ssh-agent running with an identity loaded
- on host1: "xterm &" (start an xterm or similar)
- on host1 in xterm: "ssh -A host2" (ssh-with-agent-forwarding to host2)
- on host2: "screen" (start a screen session)
- on host2 in screen: "ssh -a host3 sleep 60" (long-running cmd on host3)
- on host2 in screen: Ctrl-a d (detach from the screen session)
- on host2: Ctrl-d (log out of host2)
- on host1: wait a long time for the shell prompt to appear or close xterm

host1 ssh: OpenSSH_8.1p1, OpenSSL 1.1.1g 21 Apr 2020
host2 ssh: OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
host3 ssh: OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019

In other words, I want the agent to be forwarded to
host2, so that I can then ssh from there to host3, but
I don't want the agent to be forwarded to host3 because
it's not needed there. Note that my real command was
rsync so both host2 and host3 were involved.

My hypothesis is that agent forwarding has something to
do with why the connection between host1 and host2
isn't cleanly closed. Using lsof to compare sshd before
and after starting the long-running command on host3,
the only difference was this:

--- lsof.20786.sshd.before 2020-03-12 09:17:04.000000000 +1100
+++ lsof.20786.sshd.after 2020-03-12 09:18:32.000000000 +1100
@@ -71,5 +71,6 @@ sshd 20786 raf 7w FIFO
sshd 20786 raf 8w FIFO 0,10 0t0 14325237 pipe
sshd 20786 raf 9u unix 0xffff99a3a8d96000 0t0 14325238 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
sshd 20786 raf 10u CHR 5,2 0t0 1119 /dev/ptmx
+sshd 20786 raf 11u unix 0xffff99a3e8d2cc00 0t0 14328304 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
sshd 20786 raf 12u CHR 5,2 0t0 1119 /dev/ptmx
sshd 20786 raf 13u CHR 5,2 0t0 1119 /dev/ptmx

i.e. a new connection to the agent socket, even though
agent forwarding to host3 was disabled with -a.

When I first saw that, I added the -a option to the ssh
command to host3 (I have agent forwarding on by
config). To my surprise, it didn't change this
behaviour, the second connection to the agent socket
was still created, and I still had to close the xterm
window to break the connection between host1 and host2.

Any suggestions?

cheers,
raf