update openssh blog article with new methods for callback

Signed-off-by: Nico Schottelius <nico@bento.schottelius.org>
This commit is contained in:
Nico Schottelius 2013-05-17 16:43:28 +02:00
parent 1d6e9bc557
commit d65daa6de7


@ -83,6 +83,52 @@ space separated:
controlhost % echo $SSH_REMOTE_FORWARDING_PORTS controlhost % echo $SSH_REMOTE_FORWARDING_PORTS
59056 1234 59056 1234
### Use socat
Adapted from a proposal of
[Philipp Marek](http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-May/031350.html).
A different approach is using socat like this:
targethost% socat TCP:localhost:22,retry=forever "EXEC:ssh controlhost"
controlhost% cat .ssh/authorized_keys
command="~/myscript 1224" ssh-rsa ...
controlhost% cat ~/myscript
socat - TCP-LISTEN:1234 &
ssh -p 1234 ...
The drawback with this solution is to use pre-defined ports
as well as socat on the targethost exiting after the
first connection has been closed. It works for a single shot
callback, though.
### Use ProxyCommand with stdin/stdout
As proposed by
[Darren Tucker](http://lists.mindrot.org/pipermail/openssh-unix-dev/2013-May/031353.html) (some parts are copied & pasted from his original mail):
# Create fifo/named pipe for sshd
targethost% mkfifo sshd_in sshd_out
# Start ssh on the controlhost from the targethost
# and create a control socket. Use ProxyCommand=-
# to make use of stdin/stdout for proxying packets through.
targethost$ ssh <sshd_in >sshd_out -T -y controlhost "ssh -y -N -T -MS/tmp/ctl -oProxyCommand=- targethost" &
# Start a new sshd on the client, which listens on the newly
# created fifos
targethost$ /usr/sbin/sshd -i -f < sshd_in > sshd_out
# on the server, use the control socket to talk to the
# sshd running on the targethost
controlhost% ssh -S /tmp/ctl targethost
Drawback: Quite complicated setup required, thus probably error prone on day-to-day use.
Advantage: Very beautiful use of FIFOs, ssh, controlsockets and proxycommand. A setup
every geek must love.
## Limitations ## Limitations
The given patch has some known limitations: The given patch has some known limitations:
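Review bot: the FIFO wiring in the ProxyCommand example deadlocks as written: both the outer `ssh <sshd_in >sshd_out -T -y controlhost "..."` and `/usr/sbin/sshd -i -f < sshd_in > sshd_out` read from sshd_in and write to sshd_out, so neither process ever sees the other's bytes. One side has to be crossed, e.g. run the ssh command with `<sshd_out >sshd_in`, so that sshd's output feeds the tunnel and the tunnel's output feeds sshd. On the same sshd line, `-f` needs a configuration-file path after it: the shell removes the `< sshd_in` redirection before sshd sees its arguments, so `-f` ends up with no argument and sshd exits with a usage error; supply the path or drop `-f`. In the socat section, `command="~/myscript 1224"` passes 1224 while `myscript` listens with `TCP-LISTEN:1234` and dials `ssh -p 1234`; make the three agree or the callback never connects. Minor: the prompt switches between `targethost%` and `targethost$` within one example; pick one.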