I've noticed that when I use ProxyCommand commands to connect, the commands do not exit when ssh exits. This results in a bunch of commands piling up on the machine over time. The problem has been observed under:

    linux-2.2.19+patches, openssh-3.0.1p1
    linux-2.2.14+patches, openssh-3.0.1p1
    freebsd-4.5-stable, openssh-2.9 localisations 20020307
    freebsd-4.3-stable, openssh-3.0.2
Also observed on Solaris 7 & 8 with OpenSSH 3.2.2p1. You end up with an orphaned sh -c:

    $ ps -eaf | grep nc
    root 219 218 0 16:18:27 pts/4 0:01 ssh relayhost nc 10.3.1.1 22
    root 218 1 0 16:18:27 pts/4 0:00 /bin/sh -c ssh relayhost nc 10.3.1.1 22
Created attachment 103: Kill ProxyCommand child process
I had a poke around and came up with the attached patch to send a SIGTERM to the ProxyCommand child when ssh exits. I also added an explicit exec to the shell command passed to sh -c, which prevents the shell hanging around on Solaris. This problem doesn't seem to exist on Linux but I think the exec is safe for any platform.

The remaining problem is that the child process can send an error message to stderr after the SIGTERM. I'm not sure what (if anything) can be done about that:

    $ ./ssh -o 'ProxyCommand nc localhost 22' localhost echo
    punt!

Feedback welcome but since this is my first attempt to actually modify openssh please be nice :-).
So 'ProxyCommand exec nc localhost 22' works without any patches?
It works but still leaves an orphaned nc (on Solaris anyway):

    $ ssh -o 'ProxyCommand exec nc localhost 22' localhost echo
    $ ps -eaf | grep nc
    dtucker 9919 9049 0 18:23:45 pts/2 0:00 grep nc
    dtucker 9912 1 1 18:23:40 pts/2 0:00 nc localhost 22

After some more investigation I think there are 2 issues:

1) On all platforms, the child process isn't signalled when ssh exits, leaving them orphaned.
2) On Solaris (and possibly other platforms), running the ProxyCommand without "exec" also leaves an extra "sh -c".

Additionally, the "sh -c" ignores SIGHUP and doesn't propagate SIGTERM, so even if ssh kills its child you're still left with 1 orphan rather than 2.

FWIW, I've been working on a better patch that fixes 1 by always using exec and fixes 2 by sending SIGHUP (then SIGTERM then SIGKILL) to the child. This seems to be a clean solution. I'm cleaning the patch up for posting now.
Created attachment 104: Updated patch to kill proxycommand child process
OK, the new patch seems to work (on Solaris anyway) even in the pathological case. (nc-nosig is netcat modified to ignore all signals.)

    $ ./ssh -v -o 'ProxyCommand ./nc-nosig localhost 22' localhost echo
    [snip]
    debug1: Exit status 0
    debug1: Terminating ProxyCommand child process pid:10203
    debug1: ProxyCommand terminated with signal 9

Neither nc-nosig nor the normal netcat leaves orphaned processes. The timeout is currently hardcoded at 2 seconds per signal. Is this enough?
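The SIGHUP, SIGTERM, SIGKILL escalation with a per-signal timeout discussed in the comments above, together with the "exec" prefix that avoids a leftover sh -c, as an added C example; it is not the attached patch or OpenSSH code. The names spawn_proxy and reap_proxy, the 10 ms poll interval and the "sleep 30" stand-in for nc are assumptions made for the illustration.

```c
#define _POSIX_C_SOURCE 200809L
#include <signal.h>
#include <stdio.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

/* Run cmd as sh -c "exec cmd": the shell is replaced by the command, so the
 * returned pid is the command itself and no wrapper "sh -c" is left behind. */
pid_t spawn_proxy(const char *cmd)
{
    char buf[1024];
    pid_t pid;
    if (snprintf(buf, sizeof(buf), "exec %s", cmd) >= (int)sizeof(buf))
        return -1;                          /* command too long */
    if ((pid = fork()) == 0) {
        execl("/bin/sh", "sh", "-c", buf, (char *)NULL);
        _exit(127);                         /* exec failed */
    }
    return pid;                             /* -1 if fork failed */
}

/* Send SIGHUP, then SIGTERM, then SIGKILL, polling up to timeout_ms after each
 * for the child to die. Returns the terminating signal, 0 for a normal exit,
 * or -1 on error. On success the child has been reaped with waitpid(). */
int reap_proxy(pid_t pid, int timeout_ms)
{
    static const int sigs[] = { SIGHUP, SIGTERM, SIGKILL };
    const struct timespec tick = { 0, 10 * 1000 * 1000 };   /* 10 ms */
    int status, waited, i;
    for (i = 0; i < 3; i++) {
        if (kill(pid, sigs[i]) == -1)
            return -1;
        for (waited = 0; waited <= timeout_ms; waited += 10) {
            pid_t r = waitpid(pid, &status, WNOHANG);
            if (r == pid)
                return WIFSIGNALED(status) ? WTERMSIG(status) : 0;
            if (r == -1)
                return -1;
            nanosleep(&tick, NULL);
        }
    }
    return -1;                              /* not reaped even after SIGKILL */
}

int main(void)
{
    pid_t pid = spawn_proxy("sleep 30");    /* constructed stand-in for nc */
    sleep(1);                               /* let the command start */
    return reap_proxy(pid, 2000) == SIGHUP ? 0 : 1;
}
```

A child that ignores SIGHUP and SIGTERM, like the nc-nosig case above, is still collected: reap_proxy returns 9 for it after two timeouts.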
Created attachment 146: Send HUP to proxycommand on exit. Update to current CVS. This reverts to the simpler approach: it just sends a HUP to the proxycommand on exit.
Fix applied, thanks.
Mass change of RESOLVED bugs to CLOSED