Created attachment 1912: patch against 5.1p1 adding the SetupCommand config option

This bug report is mainly a copy from the mailing list. See http://lists.mindrot.org/pipermail/openssh-unix-dev/2009-July/027732.html

Task:
~~~~~

It is sometimes quite useful to invoke a program prior to connecting to an ssh server. The most common use case will probably be port knocking. That is, a small program sends certain packets to a server and the server reacts to this by unlocking the ssh port, which would be blocked otherwise to defend against brute force attacks. Another interested user is monkeysphere (currently using option 1) below).

Solutions:
~~~~~~~~~~

1) (Ab)using ProxyCommand. This is employed in some howtos on port knocking. It however has the disadvantage that TCPKeepAlive and some timeout options are no longer honoured.

2) Wrapping ssh. While this does not disable other options like the above, one has to create a second option parser for ssh. Furthermore, configuration that belongs to ssh is now located somewhere else (not in .ssh/config). The approach may also fail when third party applications that invoke ssh reset $PATH.

3) Extending ssh itself using a new configuration item "SetupCommand":

Sample Implementation:
~~~~~~~~~~~~~~~~~~~~~~

I propose adding a new configuration item "SetupCommand" for the ssh client software. It would accept a string that is treated exactly the same as LocalCommand. As with LocalCommand, it should also be ignored when PermitLocalCommand is disabled. Otherwise the command should be executed right before connecting to the server. I created a patch against 5.1p1 and tested it (attached). The patch can be successfully applied to 5.6p1, too.

Discussion:
~~~~~~~~~~~

After I proposed this patch on the mailing list (see above) it was discussed briefly. I try to summarize that discussion:

Damien Miller and Peter Stuge questioned the difficulties of option 2. A working implementation of that option hasn't been seen yet.
Bert Wesarg mentioned his work on ControlCommand. It is slightly related to the task above. Daniel Kahn Gillmor and Jameson Rollins (both from the monkeysphere project) gave additional explanations and generally appreciated this patch. There were no further responses addressing these explanations.
I'd be interested in this, but I'm more interested in the proposed KnownHostsCommand option (#1777), specifically for host key management. One could use the proposed SetupCommand for host key management, but only by manually tweaking the known hosts file itself (which might not be at a known location unless the child processes get passed the full ssh config (see #1766)).
(In reply to comment #0)
> Solutions:
> ~~~~~~~~~~
> 1) (Ab)using ProxyCommand. This is employed in some howtos on port
> knocking. It however has the disadvantage that TCPKeepAlive and some
> timeout options are no longer honoured.

I don't see how using ProxyCommand for port knocking is an abuse, as TCP keepalives are usually useless.
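For reference, here is what option 1) from comment #0 (the ProxyCommand approach that the reply above defends) looks like as an ssh_config entry, together with the keepalive settings that still work through a proxy. This is an added illustration, not part of the bug report or the attached patch; the host name, the knock sequence and the `knock` client invocation are assumed placeholders, and `nc` is the OpenBSD-style netcat commonly used in ProxyCommand lines.

```ssh-config
# Added example (not from the bug report or the SetupCommand patch):
# reaching a port-knock protected host via ProxyCommand, i.e. option 1)
# from comment #0. Host name, knock sequence and "knock" client are
# constructed placeholders.
Host knocked-host
    HostName knocked-host.example.org
    Port 22
    # The knock and the real TCP connection both happen inside the proxy
    # process. %h and %p expand to the HostName and Port of this block.
    ProxyCommand sh -c 'knock %h 1234 5678 9012; sleep 1; exec nc %h %p'
    # With a ProxyCommand, ssh talks to the proxy over a pipe, so TCPKeepAlive
    # (a socket option on ssh's own fd) cannot act on the real TCP connection.
    # ServerAliveInterval is a protocol-level keepalive carried inside the SSH
    # stream, so it still detects a dead peer through the proxy.
    TCPKeepAlive no
    ServerAliveInterval 30
    ServerAliveCountMax 3
```

The trade-off matches what comment #0 lists: the knock is done before connecting, without any wrapper around ssh and without leaving ssh's configuration outside `.ssh/config`, but connection-level options that act on the socket (TCPKeepAlive, some connect-timeout behaviour) apply to the pipe rather than to the remote host, so application-level liveness checks have to be configured explicitly.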
We really don't want to add another *Command for connection setup; ProxyCommand seems completely sufficient.
closing resolved bugs as of 8.6p1 release