And to be clear (since it looks like messages crossed on the wire), this ssh setup works for every ssh use-case: rsync, GIT_SSH, scp, etc. One cool thing about this setup is that if you run one of those commands and you don't have a cert, the user is prompted to auth for a cert before ssh/scp is exec'd.

On Thu, Nov 9, 2017 at 7:20 PM, Peter Moody <mindrot@xxxxxxxx> wrote:
> I've done this exact thing.
>
> The short answer is, what Damien said: have the command that reaches
> out to the CA fork/exec ssh. E.g.
>
>     Match Host <your hosts>
>         ProxyCommand ssh_cert_script -W %h:%p
>
> and then you end your ssh_cert_script with something like 'exec ssh ${*}'
>
> or, in Go:
>
>     package main
>
>     import (
>         "log"
>         "os"
>         "os/exec"
>         "syscall"
>     )
>
>     func main() {
>         args := os.Args
>         // ... obtain the certificate from the CA here, then hand off to ssh:
>         if len(args) > 1 {
>             execSSH(args[1:])
>         }
>     }
>
>     // execSSH replaces this process with the real ssh binary, passing the
>     // caller's arguments through unchanged.
>     func execSSH(sshArgs []string) {
>         path, err := exec.LookPath("ssh")
>         if err != nil {
>             log.Fatalf("%v\n", err)
>         }
>
>         sshArgs = append([]string{path}, sshArgs...)
>         if err = syscall.Exec(sshArgs[0], sshArgs, os.Environ()); err != nil {
>             log.Fatalf("%v\n", err)
>         }
>     }
>
> On Thu, Nov 9, 2017 at 7:03 PM, Damien Miller <djm@xxxxxxxxxxx> wrote:
>> On Thu, 9 Nov 2017, John Maguire wrote:
>>
>>> Hi there,
>>>
>>> I'm working on a project to write a ProxyCommand that reaches out to an SSH
>>> CA to receive an SSH certificate prior to the connection. The ProxyCommand
>>> also creates a tunnel to the upstream SSH server.
>>>
>>> When using ProxyCommand alone, the issue is that the identity files are
>>> loaded as soon as SSH has fork/exec'd the process. It does not wait for a
>>> valid server negotiation.
>>>
>>> I found the ProxyUseFdPass flag which seemed promising -- here, the
>>> identity files weren't loaded until after the file descriptors are passed
>>> back to the SSH client. Perhaps I could fetch the identity file, return the
>>> fds, and then tunnel the traffic. Unfortunately, it blocks on waitpid(), so
>>> this doesn't work either -- I need the process to stay open to tunnel data.
>>>
>>> I considered trying to fork, disown the child, and run the tunnel inside
>>> the child, but unfortunately I am working with Golang, which doesn't allow
>>> forking (except to execute another application).
>>>
>>> I'm looking for any tips on how I might be able to work around this
>>> problem. I'd also be interested in understanding why the identity files are
>>> loaded prior to negotiating a valid server connection.
>>
>> I don't think you'll be able to achieve what you want with a ProxyCommand -
>> as far as ssh is concerned, it's just a dumb pipe.
>>
>> Couldn't you do it as a wrapper to ssh that does the CA operations then
>> launches ssh with an explicit ProxyCommand argument?
>>
>> Otherwise, you might want to check out https://github.com/sevlyar/go-daemon
>> -- it seems to allow a daemon()-like operation that could let you use
>> fd passing.
>>
>> -d
>> _______________________________________________
>> openssh-unix-dev mailing list
>> openssh-unix-dev@xxxxxxxxxxx
>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev