Hi there,

I'm working on a project to write a ProxyCommand that reaches out to an SSH CA to receive an SSH certificate prior to the connection. The ProxyCommand also creates a tunnel to the upstream SSH server.

When using ProxyCommand alone, the issue is that the identity files are loaded as soon as SSH has fork/exec'd the process. It does not wait for a valid server negotiation.

I found the ProxyUseFdPass flag which seemed promising -- here, the identity files weren't loaded until after the file descriptors are passed back to the SSH client. Perhaps I could fetch the identity file, return the fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so this doesn't work either -- I need the process to stay open to tunnel data.

I considered trying to fork, disown the child, and run the tunnel inside the child, but unfortunately I am working with Golang, which doesn't allow forking (except to execute another application).

I'm looking for any tips on how I might be able to work around this problem. I'd also be interested in understanding why the identity files are loaded prior to negotiating a valid server connection.

Thanks,
John

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
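The ProxyUseFdpass handoff the post refers to, as an added Go example that is not part of the original message: under that option the ProxyCommand sends the already-connected descriptor to ssh as a single SCM_RIGHTS message on fd 1 and then exits, which is why nothing is left running to tunnel afterwards. The loopback helper is constructed for offline use, with a socketpair standing in for ssh's stdout socket and a pipe for the upstream connection.

```go
package main

import (
	"fmt"
	"syscall"
)

// sendFd hands fd to the peer of Unix socket sock as one SCM_RIGHTS message.
// With "ProxyUseFdpass yes" ssh makes stdout (fd 1) such a socket, so a real
// ProxyCommand calls sendFd(1, connectedFd) and exits; a data byte is required.
func sendFd(sock, fd int) error {
	return syscall.Sendmsg(sock, []byte{0}, syscall.UnixRights(fd), nil, 0)
}

// recvFd is the receiving half (what ssh does): one message, exactly one fd.
func recvFd(sock int) (int, error) {
	buf, oob := make([]byte, 1), make([]byte, syscall.CmsgSpace(4))
	_, oobn, _, _, err := syscall.Recvmsg(sock, buf, oob, 0)
	msgs, perr := syscall.ParseSocketControlMessage(oob[:oobn])
	if err != nil || perr != nil || len(msgs) != 1 {
		return -1, fmt.Errorf("recvmsg: %v / parse: %v / messages: %d", err, perr, len(msgs))
	}
	fds, err := syscall.ParseUnixRights(&msgs[0])
	if err != nil || len(fds) != 1 {
		return -1, fmt.Errorf("want one descriptor, got %d (%v)", len(fds), err)
	}
	return fds[0], nil
}

// loopback stands in for ssh: a socketpair replaces ssh's stdout socket and a
// pipe replaces the upstream connection. Reading the constructed banner through
// the received fd shows the descriptor itself crossed over, not a copy of it.
func loopback() (string, error) {
	var p [2]int
	pair, err := syscall.Socketpair(syscall.AF_UNIX, syscall.SOCK_STREAM, 0)
	if perr := syscall.Pipe(p[:]); err != nil || perr != nil {
		return "", fmt.Errorf("setup failed: %v / %v", err, perr)
	}
	syscall.Write(p[1], []byte("SSH-2.0-example")) // constructed sample banner
	if err := sendFd(pair[0], p[0]); err != nil {
		return "", err
	}
	fd, err := recvFd(pair[1])
	if err != nil {
		return "", err
	}
	out := make([]byte, 64)
	n, err := syscall.Read(fd, out)
	return string(out[:n]), err
}

func main() { fmt.Println(loopback()) }
```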