On Thu, 9 Nov 2017, John Maguire wrote:

> Hi there,
>
> I'm working on a project to write a ProxyCommand that reaches out to an SSH
> CA to receive an SSH certificate prior to the connection. The ProxyCommand
> also creates a tunnel to the upstream SSH server.
>
> When using ProxyCommand alone, the issue is that the identity files are
> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
> valid server negotiation.
>
> I found the ProxyUseFdPass flag which seemed promising -- here, the
> identity files weren't loaded until after the file descriptors are passed
> back to the SSH client. Perhaps I could fetch the identity file, return the
> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
> this doesn't work either -- I need the process to stay open to tunnel data.
>
> I considered trying to fork, disown the child, and run the tunnel inside
> the child, but unfortunately I am working with Golang, which doesn't allow
> forking (except to execute another application.)
>
> I'm looking for any tips on how I might be able to work around this
> problem. I'd also be interested in understanding why the identity files are
> loaded prior to negotiating a valid server connection.

I don't think you'll be able to achieve what you want with a ProxyCommand -
as far as ssh is concerned, it's just a dumb pipe.

Couldn't you do it as a wrapper to ssh that does the CA operations then
launches ssh with an explicit ProxyCommand argument?

Otherwise, you might want to check out https://github.com/sevlyar/go-daemon --
it seems to allow a daemon()-like operation that could let you use fd passing.

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev