Hi,

I've noticed some ssh behaviour that I wish didn't happen. I was wondering if someone can explain how I can stop it from happening, or explain why it's unavoidable.

If I ssh-with-agent-forwarding from one host to a second host, and on the second host use something like nohup/screen/tmux/daemon, and from within that new process session, start a long-running command via ssh-without-agent-forwarding on a third host, I would expect to be able to (e.g.) detach from the screen session and log out of the second host, but my shell prompt on the first host doesn't come back and even Ctrl-C won't break the connection between ssh on the first host and sshd on the second host. I have to close the xterm window that the shell and ssh are running in. If I don't do that, the shell prompt doesn't come back until the long-running command on the third host has completed.

To see what I mean:

- on host1: Have ssh-agent running with an identity loaded
- on host1: "xterm &" (start an xterm or similar)
- on host1 in xterm: "ssh -A host2" (ssh-with-agent-forwarding to host2)
- on host2: "screen" (start a screen session)
- on host2 in screen: "ssh -a host3 sleep 60" (long-running cmd on host3)
- on host2 in screen: Ctrl-a d (detach from the screen session)
- on host2: Ctrl-d (log out of host2)
- on host1: wait a long time for the shell prompt to appear or close xterm

host1 ssh: OpenSSH_8.1p1, OpenSSL 1.1.1g 21 Apr 2020
host2 ssh: OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019
host3 ssh: OpenSSH_7.4p1 Debian-10+deb9u7, OpenSSL 1.0.2u 20 Dec 2019

In other words, I want the agent to be forwarded to host2, so that I can then ssh from there to host3, but I don't want the agent to be forwarded to host3 because it's not needed there.

Note that my real command was rsync so both host2 and host3 were involved.

My hypothesis is that agent forwarding has something to do with why the connection between host1 and host2 isn't cleanly closed.

Using lsof to compare sshd before and after starting the long-running command on host3, the only difference was this:

--- lsof.20786.sshd.before 2020-03-12 09:17:04.000000000 +1100
+++ lsof.20786.sshd.after 2020-03-12 09:18:32.000000000 +1100
@@ -71,5 +71,6 @@ sshd 20786 raf 7w FIFO
 sshd 20786 raf 8w FIFO 0,10 0t0 14325237 pipe
 sshd 20786 raf 9u unix 0xffff99a3a8d96000 0t0 14325238 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
 sshd 20786 raf 10u CHR 5,2 0t0 1119 /dev/ptmx
+sshd 20786 raf 11u unix 0xffff99a3e8d2cc00 0t0 14328304 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
 sshd 20786 raf 12u CHR 5,2 0t0 1119 /dev/ptmx
 sshd 20786 raf 13u CHR 5,2 0t0 1119 /dev/ptmx

i.e. a new connection to the agent socket, even though agent forwarding to host3 was disabled with -a.

When I first saw that, I added the -a option to the ssh command to host3 (I have agent forwarding on by config). To my surprise, it didn't change this behaviour, the second connection to the agent socket was still created, and I still had to close the xterm window to break the connection between host1 and host2.

Any suggestions?

cheers,
raf
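
The before/after lsof comparison described in the message above, written as a small script. This is an added example, not part of the original post: the function names new_agent_fds and demo are hypothetical, and the sample snapshots reuse the lsof lines quoted in the message.

```shell
#!/bin/sh
# Added example: report agent-socket descriptors that are present in the
# second of two lsof snapshots of one sshd process but not in the first.

# new_agent_fds BEFORE AFTER
# Prints "FD NODE PATH" for each unix-socket descriptor on a forwarded-agent
# socket (.../agent.<pid>) that only appears in AFTER.
new_agent_fds() {
    awk '
        # lsof columns: COMMAND PID USER FD TYPE DEVICE SIZE/OFF NODE NAME
        $5 == "unix" && $9 ~ /\/agent\.[0-9]+$/ {
            key = $4 " " $8 " " $9
            if (FILENAME == ARGV[1]) seen[key] = 1      # first snapshot
            else if (!(key in seen)) print key          # new in second
        }
    ' "$1" "$2"
}

# demo: build two snapshots from the lines quoted in the message and compare.
demo() {
    dir=$(mktemp -d) || return 1
    cat > "$dir/before" <<'EOF'
sshd 20786 raf 8w FIFO 0,10 0t0 14325237 pipe
sshd 20786 raf 9u unix 0xffff99a3a8d96000 0t0 14325238 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
sshd 20786 raf 10u CHR 5,2 0t0 1119 /dev/ptmx
EOF
    cp "$dir/before" "$dir/after"
    cat >> "$dir/after" <<'EOF'
sshd 20786 raf 11u unix 0xffff99a3e8d2cc00 0t0 14328304 /tmp/ssh-KBbJCuYltB/agent.20786 type=STREAM
EOF
    new_agent_fds "$dir/before" "$dir/after"
    rm -rf "$dir"
}

demo
```

On a live system the two input files would come from running lsof -p against the sshd PID on host2 before and after starting the command on host3.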