Mailing List Archive: OpenSSH: Dev

Feature request: "SetupCommand" invoked before connecting
helmut at subdivi

Jul 8, 2009, 3:03 PM

Post #1 of 11 (1711 views)
Feature request: "SetupCommand" invoked before connecting

Hi,

(I'm not subscribed to the list, so please CC me on reply.)

I'd like to request adding a feature to OpenSSH:

Task:
~~~~~
It is sometimes quite useful to invoke a program prior to connecting to
an ssh server. The most common use case will probably be port knocking.
That is, a small program sends certain packets to a server and the server
reacts to this by unlocking the ssh port, which would be blocked
otherwise to defend against brute force attacks.

Solutions:
~~~~~~~~~~
1) (Ab)using ProxyCommand. This is employed in some howtos on port
knocking. It however has the disadvantage that TCPKeepAlive and some
timeout options are no longer honoured.
2) Wrapping ssh. While this does not disable other options like above,
one has to create a second option parser for ssh. Furthermore
configuration that belongs to ssh is now located somewhere else (not
in .ssh/config). The approach may also fail when third party
applications that invoke ssh reset $PATH.
3) Extending ssh itself using a new configuration item "SetupCommand":

Sample Implementation:
~~~~~~~~~~~~~~~~~~~~~~
I propose adding a new configuration item "SetupCommand" for the ssh
client software. It would accept a string that is treated exactly the
same as LocalCommand. As with LocalCommand it should also be ignored
when PermitLocalCommand is disabled. Otherwise the command should be
executed right before connecting to the server.

I created a patch against 5.1p1 and tested it (attached).

What do you think about this:

1) Is option 3 the best approach or did I overlook something?
2) Is this useful enough to patch ssh?
3) Can this implementation be used or do we need something better?

Thanks in advance

Helmut
Attachments: setupcommand.diff (3.75 KB)
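For reference, this is what the "(ab)using ProxyCommand" workaround (solution 1 above) looks like in practice. It is an added example, not something from the post or from OpenSSH; the `knock` client and the port sequence 7000 8000 9000 are placeholders for whatever knocking tool and sequence the server expects:

```sshconfig
# ~/.ssh/config (added example; "knock" and the ports are assumptions)
Host bastion
    HostName bastion.example.net
    # Knock first, then hand the TCP connection to nc. ssh itself only holds
    # pipes to this proxy, so TCPKeepAlive (SO_KEEPALIVE on ssh's own socket)
    # never reaches the real connection; that is the drawback the post notes.
    ProxyCommand sh -c 'knock %h 7000 8000 9000 && sleep 1 && exec nc %h %p'
    # ServerAliveInterval works at the SSH protocol layer, so it still detects
    # a dead peer even through the proxy.
    ServerAliveInterval 30
```

The `sleep 1` gives the server's knock daemon time to open the port before `nc` connects; tune it to the daemon's latency rather than removing it.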


djm at mindrot

Jul 8, 2009, 8:54 PM

Post #2 of 11 (1654 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

On Thu, 9 Jul 2009, Helmut Grohne wrote:

> Sample Implementation:
> ~~~~~~~~~~~~~~~~~~~~~~
> I propose adding a new configuration item "SetupCommand" for the ssh
> client software. It would accept a string that is treated exactly the
> same as LocalCommand. As with LocalCommand it should also be ignored
> when PermitLocalCommand is disabled. Otherwise the command should be
> executed right before connecting to the server.

If you need to do work before a ssh session, why not just make a shell
script and, optionally, alias ssh to point to your shell script?

-d
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


helmut at subdivi

Jul 9, 2009, 12:16 AM

Post #3 of 11 (1649 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

On Thu, Jul 09, 2009 at 01:54:18PM +1000, Damien Miller wrote:
> If you need to do work before a ssh session, why not just make a shell
> script and, optionally, alias ssh to point to your shell script?

This was listed as solution 2. An alias will especially not work with
programs like scp (and I don't want to change every location I invoke
ssh). One can still add a second ssh program in $PATH, but that would
require parsing ssh options to find out which host is to be connected.
Configuration that belongs to ssh would also be separated from ssh. All
in all the proposed addition of a configuration item looks much cleaner
to me. Still all mentioned solutions work including this one.

Helmut


peter at stuge

Jul 9, 2009, 4:37 AM

Post #4 of 11 (1646 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

Helmut Grohne wrote:
> > If you need to do work before a ssh session, why not just make a
> > shell script and, optionally, alias ssh to point to your shell
> > script?
>
> This was listed as solution 2. An alias will especially not work
> with programs like scp

Why not? Note: Rename the original ssh binary and your script is the
new ssh.


//Peter


helmut at subdivi

Jul 13, 2009, 11:34 AM

Post #5 of 11 (1627 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

Please CC me in a reply, so I don't have to watch out for replies in
mailing list archives.

Peter Stuge wrote:
> Why not? Note: Rename the original ssh binary and your script is the
> new ssh.

This does not work with an alias. Adding a wrapper still imposes the
disadvantages mentioned before (second option parser, scattered
configuration). Yes, it will work (around).

All I'm saying is that there is a cleaner solution.

Workarounds I've seen:
* http://trac.cipherdyne.org/trac/fwknop/browser/fwknop/trunk/patches
(would be obsoleted by this patch)
* http://marc.info/?l=openssh-unix-dev&m=115303182509343&w=2
(cleaner solution by this patch)

Feature also requested:
* http://lists.mindrot.org/pipermail/openssh-unix-dev/2006-July/024463.html

Helmut


peter at stuge

Jul 13, 2009, 3:47 PM

Post #6 of 11 (1628 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

Hi again Helmut,

(Please don't cc me, I am on the list.)


Helmut Grohne wrote:
> Please CC me in a reply, so I don't have to watch out for replies
> in mailing list archives.

No problem!


> Peter Stuge wrote:
> > Why not? Note: Rename the original ssh binary and your script is
> > the new ssh.
>
> This does not work with an alias.

How do you mean alias? Shell alias? No, that's not the wrapper script
that was suggested, so it doesn't do the trick.


> Adding a wrapper still imposes the disadvantages mentioned before
> (second option parser, scattered configuration). Yes, it will work
> (around).

Sorry, I don't understand which disadvantages you refer to. The
suggestion is to rename the original ssh binary from ssh to for
example ssh.orig and then to create a script named ssh which does
everything you need, before finally execing ssh.orig.


//Peter


dkg at fifthhorseman

Jul 13, 2009, 4:18 PM

Post #7 of 11 (1626 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

On 07/13/2009 06:47 PM, Peter Stuge wrote:
> Helmut Grohne wrote:
>> Adding a wrapper still imposes the disadvantages mentioned before
>> (second option parser, scattered configuration). Yes, it will work
>> (around).
>
> Sorry, I don't understand which disadvantages you refer to. The
> suggestion is to rename the original ssh binary from ssh to for
> example ssh.orig and then to create a script named ssh which does
> everything you need, before finally execing ssh.orig.

I think the disadvantage Helmut was referring to is when you want a
script that does something smart based on the options with which OpenSSH
is invoked.

For example, when ssh'ing to machines A, and B, first execute a known
port-knock sequence on the relevant host. Before connecting to machines
in domain X, add a given key to the ssh agent. Before connecting to
machine C, which is known to have a volatile yet published host key,
refresh its host key from a trusted source. When connecting as user U
to machine D, verify that a given smartcard is present before connecting
to avoid triggering an overeager packetfilter. When connecting to
non-standard ports on machine E, pre-fetch authentication credentials
from a particular kerberos domain.

In each of these examples, the invoking script needs to know at least
the name of the target host for the invoked connection. In the more
sophisticated examples, it might want to know the port number, username.
I can imagine more complex examples where it would be useful to know
things like whether a pseudoterminal was requested, or local or remote
port forwarding.

I think the point of the original poster is that any wrapper script
would need to be able to effectively parse all the relevant options (and
at least know enough to ignore the irrelevant ones). This means
implementing an SSH command-line and configfile option parser in the
wrapper script before re-execing ssh itself.

This seems wasteful and difficult to maintain, as a perfectly good ssh
command-line and configfile option parser already exists, in the form of
the OpenSSH codebase.

The proposed SetupCommand (if it were allowed to contain the same
%-escaped substitutions as, say, ControlPath) would be useful in all the
examples above, as the command could be given the exact options
explicitly, without needing to worry about option parsing.

I think such a command would be a useful feature.

--dkg
Attachments: signature.asc (0.87 KB)


helmut at subdivi

Jul 13, 2009, 11:37 PM

Post #8 of 11 (1626 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

Hi Peter,

On Tue, Jul 14, 2009 at 12:47:09AM +0200, Peter Stuge wrote:
> How do you mean alias? Shell alias? No, that's not the wrapper script
> that was suggested, so it doesn't do the trick.

A shell alias was the original suggestion.

> Sorry, I don't understand which disadvantages you refer to. The
> suggestion is to rename the original ssh binary from ssh to for
> example ssh.orig and then to create a script named ssh which does
> everything you need, before finally execing ssh.orig.

The disadvantage of parsing ssh options was kindly explained by Daniel
in a follow-up post, thanks!

What I mean with separating configuration is that I'd have to store what
commands execute before which ssh somewhere. One option is to add a
second configuration file. Now ssh configuration is stored at two
places. This is not a big problem, but considered a disadvantage. The
other option is to encode this configuration in comments to be added to
~/.ssh/config like for instance "#@SetupCommand foo". It really is a
hack. Additionally a configuration parser is needed now. On the other
hand it now integrates nicely with host specifications.

Yes, all this is doable and I can also create a software for that. Would
you include such a wrapper in the ssh distribution? This sounds silly.

What I'd like to see is the ability to use machine X (not maintained by
me) and be able to use port knocking easily. This is easy when all
distributions ship an openssh that provides something like SetupCommand.
Replacing the ssh command is tedious, so it will not happen in practice.
Instead workarounds like abusing ProxyCommand will be used.

Helmut
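The two objections to a wrapper raised in the last few posts are the second option parser and the second configuration file. The following is an added example (not from the thread, not OpenSSH's code) of a drop-in `ssh` wrapper of the kind Peter suggests that sidesteps the first objection: instead of re-parsing the command line it asks the real binary for the resolved configuration with `ssh -G`, which OpenSSH gained in 6.8 (so it postdates this 2009 thread). The renamed binary `/usr/bin/ssh.orig`, the `~/.ssh/setup.conf` file and its `<host-glob> <command>` format are all assumptions of this example; the `%h`/`%p`/`%r` tokens mirror the ones LocalCommand and ProxyCommand accept.

```shell
#!/bin/sh
# Added example, not code from the thread or from OpenSSH: an "ssh" wrapper
# that borrows OpenSSH's own option and config parser via `ssh -G` (OpenSSH
# 6.8 and later) instead of writing a second one. Because scp/sftp invoke
# ssh with extra -o options, those are resolved correctly too.
#
# Hypothetical layout (assumptions, nothing OpenSSH itself defines):
#   /usr/bin/ssh.orig     the renamed real client
#   ~/.ssh/setup.conf     lines of "<host-glob> <command>", first match wins;
#                         the command may use %h %p %r like LocalCommand.

REAL_SSH=${REAL_SSH:-/usr/bin/ssh.orig}
SETUP_CONF=${SETUP_CONF:-$HOME/.ssh/setup.conf}

# Read `ssh -G` output ("key value" per line, keys lowercased) on stdin and
# print "hostname port user" on a single line.
parse_ssh_g() {
    awk '$1 == "hostname" { h = $2 } $1 == "port" { p = $2 } $1 == "user" { u = $2 }
         END { print h, p, u }'
}

# Expand %h, %p and %r in TEMPLATE (arg 1) with HOST, PORT, USER (args 2-4).
# Only these three tokens are handled; any other % is left alone.
expand_tokens() {
    printf '%s\n' "$1" | awk -v h="$2" -v p="$3" -v u="$4" '
        { gsub(/%h/, h); gsub(/%p/, p); gsub(/%r/, u); print }'
}

# Print the setup command for HOST (arg 1) from CONF (arg 2): the first
# non-comment line whose glob pattern matches HOST wins, like Host blocks
# in ~/.ssh/config. Prints nothing when there is no match or no file.
lookup_setup() {
    host=$1; conf=$2
    [ -r "$conf" ] || return 0
    while read -r pattern cmd; do
        case "$pattern" in ''|'#'*) continue ;; esac
        # $pattern is deliberately unquoted so it acts as a glob.
        case "$host" in $pattern) printf '%s\n' "$cmd"; return 0 ;; esac
    done < "$conf"
    return 0
}

main() {
    # Resolve the target first; if there is none (ssh -V, usage errors)
    # just pass straight through to the real client.
    if ! resolved=$("$REAL_SSH" -G "$@" 2>/dev/null); then
        exec "$REAL_SSH" "$@"
    fi
    fields=$(printf '%s\n' "$resolved" | parse_ssh_g)
    host=${fields%% *}; fields=${fields#* }
    port=${fields%% *}; user=${fields#* }

    cmd=$(lookup_setup "$host" "$SETUP_CONF")
    if [ -n "$cmd" ]; then
        # Same trust model as LocalCommand: the template is the user's own
        # config and runs through the shell with the resolved values.
        expanded=$(expand_tokens "$cmd" "$host" "$port" "$user")
        sh -c "$expanded" || echo "ssh wrapper: setup command failed: $expanded" >&2
    fi
    exec "$REAL_SSH" "$@"
}

# Only act when installed under the name "ssh"; when sourced or run under
# another name the functions above are merely defined.
case "${0##*/}" in ssh) main "$@" ;; esac
```

A `~/.ssh/setup.conf` line such as `bastion.* knock %h 7000 8000 9000` then knocks before every connection to a matching host, whichever of ssh, scp or sftp started it. The second objection stands, though: the setup rules live outside `~/.ssh/config`, and a distribution upgrade that reinstalls `/usr/bin/ssh` silently removes the wrapper, which is exactly why Helmut argues the hook belongs in the client.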


jrollins at finestructure

Jul 14, 2009, 11:18 AM

Post #9 of 11 (1613 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

On Mon, Jul 13, 2009 at 07:18:54PM -0400, Daniel Kahn Gillmor wrote:
> The proposed SetupCommand (if it were allowed to contain the same
> %-escaped substitutions as, say, ControlPath) would be useful in all the
> examples above, as the command could be given the exact options
> explicitly, without needing to worry about option parsing.
>
> I think such a command would be a useful feature.

I agree. I think this would be a very useful feature indeed.

jamie.
Attachments: signature.asc (0.82 KB)


helmut at subdivi

Jul 17, 2010, 4:38 PM

Post #10 of 11 (705 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

Hi,

On Thu, Jul 09, 2009 at 12:03:37AM +0200, Helmut Grohne wrote:
> (I'm not subscribed to the list, so please CC me on reply.)
>
> I'd like to request adding a feature to OpenSSH:
>
> Task:
> ~~~~~
> It is sometimes quite useful to invoke a program prior to connecting to
> an ssh server. The most common use case will probably be port knocking.
> That is, a small program sends certain packets to a server and the server
> reacts to this by unlocking the ssh port, which would be blocked
> otherwise to defend against brute force attacks.

I proposed a SetupCommand earlier and got a few responses. Both Daniel
Kahn Gillmor and Jameson Rollins were in favour of merging my patch.
However the merge did not happen so far. What is keeping you from
merging it?

Damien Miller and Peter Stuge questioned the usefulness. I explained
that, but never got any follow up question. Were my arguments
insufficient?

Helmut


dkg at fifthhorseman

Jul 19, 2010, 1:30 PM

Post #11 of 11 (685 views)
Re: Feature request: "SetupCommand" invoked before connecting [In reply to]

On 07/17/2010 07:38 PM, Helmut Grohne wrote:
> I proposed a SetupCommand earlier and got a few responses. Both Daniel
> Kahn Gillmor and Jameson Rollins were in favour of merging my patch.
> However the merge did not happen so far. What is keeping you from
> merging it?

Neither Jameson nor I have commit access to the canonical OpenSSH
repo, so we simply can't do any merges.

You pointed out that the main reason you didn't want to use ProxyCommand
for this was because TcpKeepAlive (and some other options?) would
therefore have no effect.

However, a patch for #1766 (exporting the ssh config to child processes)
would allow you to propagate the relevant choices to the ProxyCommand:

https://bugzilla.mindrot.org/show_bug.cgi?id=1766

Fixing 1766 would also enable fixes to other bugs (like #1233), so it
seems more generically useful to me than a specific SetupCommand hook,
which only solves your particular problem.

I recommend filing your SetupCommand patch as an issue in
https://bugzilla.mindrot.org/ so there is a canonical place for public
commentary.

Regards,

--dkg
Attachments: signature.asc (0.87 KB)
