Bug 3369 - Local script, invoked via "Match ... exec <script>" is disconnected from stdin/stdout
Status: CLOSED INVALID
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 7.6p1
Hardware: Other Linux
Importance: P5 normal
Assignee: Assigned to nobody
Reported: 2021-11-26 08:14 AEDT by Carl Ponder
Modified: 2022-02-25 13:56 AEDT
Description Carl Ponder 2021-11-26 08:14:44 AEDT
For some context, here's my use-case:

I have an authentication_script that generates a temporary certificate to log onto a remote system.
I want to call this automatically when I try to connect, *IF* the certificate has expired.
Here's the entry I use in my ~/.ssh/config to make this happen:

      Match originalhost remote.site exec "test $(file.age %%h ~/.ssh/SITE/certificate) -gt 24" exec "gnome-terminal -- ~/.ssh/SITE/authentication_script -o ~/.ssh/SITE/certificate"

This is a bit of a hack in that it runs the script inside a new terminal-window.
I don't think I should have to do this, I'd like the password prompt to come out after the command-line in the same session, analogous to what I'd get when ssh asks for the password.
If I just try to execute the utility

     exec "~/.ssh/SITE/authentication_script -o ~/.ssh/SITE/certificate"

though, I get these error-messages:

     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     authentication_script: The sshproxy server said: Authentication failed. Failed login: myname: 
     authentication_script: This usually means you did not enter the correct password or OTP: 
     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     stty: 'standard input': Inappropriate ioctl for device
     authentication_script: The sshproxy server said: Authentication failed. Failed login: myname: 
     authentication_script: This usually means you did not enter the correct password or OTP: 
     stty: 'standard input': Inappropriate ioctl for device

My understanding is that the stdin & stdout have been severed from the exec-shell where the utility is executed.
Comment 1 Carl Ponder 2021-11-26 08:17:42 AEDT
If cutting-off stdin/stdout is done by design, what is the motive for it?
An enhancement-request would be to enable this in the

     /etc/ssh/ssh_config

with something like

     EnableSubshellIO   yes
Comment 2 Carl Ponder 2021-11-26 22:35:49 AEDT
I've found a suitable workaround for this, by detecting the PTY and re-directing the input/output to use it:

     PTY=$(ps --no-headers $$ | xargs index 2)
     printf "Enter the password: " > /dev/$PTY
     read -r -s pw < /dev/$PTY

You're welcome to close this as "not a bug" or re-set it to be an "enhancement request". But I'm still curious why the stdin/stdout are disabled.
Comment 3 Darren Tucker 2021-11-28 18:29:00 AEDT
(In reply to Carl Ponder from comment #2)
[...]
>      PTY=$(ps --no-headers $$ | xargs index 2)
>      printf "Enter the password: " > /dev/$PTY
>      read -r -s pw < /dev/$PTY

You should be able to use /dev/tty to interact with the controlling terminal (when ssh has one).

> But I'm still curious why the stdin/stdout are disabled.

Polluting stdin and stdout like that would make ssh useless for shell pipelines or anything that uses ssh as a transport (e.g. sftp, scp, rsync, git).

Anyway, this is working as intended so closing this bug.
Comment 4 Damien Miller 2022-02-25 13:56:44 AEDT
closing bugs resolved before openssh-8.9
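
The /dev/tty approach suggested in comment 3, as an added example that is not part of the original bug thread: a POSIX sh helper that a script run from "Match ... exec" could use to prompt on the controlling terminal, and that fails once, up front, when there is none. The names prompt_secret and TTY_PATH are hypothetical and introduced here for illustration.

```shell
#!/bin/sh
# Added example, not from the bug thread. prompt_secret and TTY_PATH are
# hypothetical names; TTY_PATH only exists so the helper can be tested
# against a stand-in file. The default is the controlling terminal.

prompt_secret() {
    # usage: pw=$(prompt_secret "Enter the password: ")
    prompt=$1
    tty=${TTY_PATH:-/dev/tty}

    # No controlling terminal (cron, batch job): fail once, up front,
    # instead of submitting empty passwords to the server.
    if ! ( : <"$tty" ) 2>/dev/null; then
        echo "prompt_secret: cannot open $tty, not prompting" >&2
        return 1
    fi

    # Save the terminal settings. This stays empty when $tty is not a
    # real terminal, and then echo handling is skipped.
    saved=$(stty -g <"$tty" 2>/dev/null) || saved=
    if [ -n "$saved" ]; then
        # Restore echo if the user interrupts the prompt.
        trap 'stty "$saved" <"$tty"; exit 130' INT TERM
        stty -echo <"$tty"
    fi

    # Prompt and answer both go through the terminal device, so the
    # stdin/stdout that ssh handed to the script are never touched.
    printf '%s' "$prompt" >>"$tty"
    status=0
    IFS= read -r secret <"$tty" || status=$?

    if [ -n "$saved" ]; then
        stty "$saved" <"$tty"
        trap - INT TERM
        printf '\n' >>"$tty"
    fi

    [ "$status" -eq 0 ] || return 1
    # Only the secret reaches stdout, for the caller to capture.
    printf '%s\n' "$secret"
}
```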