I've done this exact thing. The short answer is what Damien said: have the command that reaches out to the CA fork/exec ssh. E.g.

    Match Host <your hosts>
        ProxyCommand ssh_cert_script -W %h:%p

and then you end your ssh_cert_script with something like 'exec ssh ${*}' or, in Go:

package main

import (
	"log"
	"os"
	"os/exec"
	"syscall"
)

func main() {
	// ... the round trip to the CA happens here ...
	args := os.Args // what ssh invoked the ProxyCommand with, e.g. "-W host:port"
	// end of func main()
	if len(args) > 1 {
		execSSH(args[1:])
	}
}

// execSSH replaces the current process with the real ssh binary, handing it
// the remaining arguments unchanged (the Go equivalent of `exec ssh "$@"`).
func execSSH(sshArgs []string) {
	path, err := exec.LookPath("ssh")
	if err != nil {
		log.Fatalf("%v\n", err)
	}
	sshArgs = append([]string{path}, sshArgs...)
	// syscall.Exec does not return on success; the stdin/stdout pipes that ssh
	// set up for the ProxyCommand are inherited by the new process image.
	if err = syscall.Exec(sshArgs[0], sshArgs, os.Environ()); err != nil {
		log.Fatalf("%v\n", err)
	}
}

On Thu, Nov 9, 2017 at 7:03 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
> On Thu, 9 Nov 2017, John Maguire wrote:
>
>> Hi there,
>>
>> I'm working on a project to write a ProxyCommand that reaches out to an SSH
>> CA to receive an SSH certificate prior to the connection. The ProxyCommand
>> also creates a tunnel to the upstream SSH server.
>>
>> When using ProxyCommand alone, the issue is that the identity files are
>> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
>> valid server negotiation.
>>
>> I found the ProxyUseFdPass flag which seemed promising -- here, the
>> identity files weren't loaded until after the file descriptors are passed
>> back to the SSH client. Perhaps I could fetch the identity file, return the
>> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
>> this doesn't work either -- I need the process to stay open to tunnel data.
>>
>> I considered trying to fork, disown the child, and run the tunnel inside
>> the child, but unfortunately I am working with Golang, which doesn't allow
>> forking (except to execute another application.)
>>
>> I'm looking for any tips on how I might be able to work around this
>> problem. I'd also be interested in understanding why the identity files are
>> loaded prior to negotiating a valid server connection.
>
> I don't think you'll be able to achieve what you want with a ProxyCommand -
> as far as ssh is concerned, it's just a dumb pipe.
>
> Couldn't you do it as a wrapper to ssh that does the CA operations then
> launches ssh with an explicit ProxyCommand argument?
>
> Otherwise, you might want to check out https://github.com/sevlyar/go-daemon
> -- it seems to allow a daemon()-like operation that could let you use
> fd passing.
>
> -d
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev@xxxxxxxxxxx
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
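The two steps a wrapper of this kind needs between the CA round trip and the exec, written up as an added example and not code from this thread: store the certificate the CA returned as <key>-cert.pub with mode 0600 and an atomic rename, then name key and certificate explicitly on the ssh command line that gets exec'd, so a concurrently starting ssh never sees a half-written or stale certificate. Function names, the key path in main and the assumption that the caller already holds the certificate bytes are mine, not the poster's.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
)

// writeCertAtomically stores a freshly issued certificate as "<key>-cert.pub",
// the name ssh looks for beside the identity key. os.CreateTemp creates the file
// with mode 0600; the rename publishes it in one step, so an ssh that is
// starting concurrently never reads a truncated certificate.
func writeCertAtomically(identityPath string, cert []byte) (string, error) {
	certPath := identityPath + "-cert.pub"
	tmp, err := os.CreateTemp(filepath.Dir(certPath), ".cert-*")
	if err != nil {
		return "", err
	}
	defer os.Remove(tmp.Name()) // no-op once the rename has succeeded
	if _, err := tmp.Write(cert); err != nil {
		tmp.Close()
		return "", err
	}
	if err := tmp.Close(); err != nil {
		return "", err
	}
	return certPath, os.Rename(tmp.Name(), certPath)
}

// sshArgv builds argv for the exec'd ssh: the binary first, key and certificate
// named explicitly so ssh cannot pick up a stale one from another location,
// then the arguments the wrapper itself received (e.g. "-W host:port"), unchanged.
func sshArgv(sshPath, identityPath, certPath string, userArgs []string) []string {
	argv := []string{sshPath, "-o", "IdentityFile=" + identityPath,
		"-o", "CertificateFile=" + certPath}
	return append(argv, userArgs...)
}

// main only shows the argv such a wrapper would exec for its own arguments;
// the CA round trip and the syscall.Exec stay in the real wrapper.
func main() {
	key := filepath.Join(os.Getenv("HOME"), ".ssh", "id_ed25519") // assumed key path
	fmt.Println(sshArgv("ssh", key, key+"-cert.pub", os.Args[1:]))
}
```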