- djm@cvs.openbsd.org 2008/07/02 13:47:39

     [ssh.1 ssh.c]
     When forking after authentication ("ssh -f") with ExitOnForwardFailure
     enabled, delay the fork until after replies for any -R forwards have
     been seen. Allows for robust detection of -R forward failure when
     using -f (similar to bz#92); ok dtucker@

3 files changed, 39 insertions, 9 deletions

diff --git a/ChangeLog b/ChangeLog
index 6f69442f4..c35092898 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -3,6 +3,12 @@
    - djm@cvs.openbsd.org 2008/07/02 13:30:34
      [auth2.c]
      really really remove the freebie "none" auth try for protocol 2
+   - djm@cvs.openbsd.org 2008/07/02 13:47:39
+     [ssh.1 ssh.c]
+     When forking after authentication ("ssh -f") with ExitOnForwardFailure
+     enabled, delay the fork until after replies for any -R forwards have
+     been seen. Allows for robust detection of -R forward failure when
+     using -f (similar to bz#92); ok dtucker@
 
 20080702
  - (dtucker) OpenBSD CVS Sync
@@ -4538,4 +4544,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5049 2008/07/04 02:53:23 dtucker Exp $
+$Id: ChangeLog,v 1.5050 2008/07/04 02:53:50 dtucker Exp $
diff --git a/ssh.1 b/ssh.1
index a58f5a02a..1883578f2 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.276 2008/06/26 21:11:46 jmc Exp $
-.Dd $Mdocdate: June 26 2008 $
+.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -290,6 +290,15 @@ This implies
 The recommended way to start X11 programs at a remote site is with
 something like
 .Ic ssh -f host xterm .
+.Pp
+If the
+.Cm ExitOnForwardFailure
+configuration option is set to
+.Dq yes ,
+then a client started with
+.Fl f
+will wait for all remote port forwards to be successfully established
+before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
 .It Fl I Ar smartcard_device
diff --git a/ssh.c b/ssh.c
index c15a1e483..e2dd67d68 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.317 2008/06/12 16:35:31 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.318 2008/07/02 13:47:39 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -860,9 +860,15 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
                         logit("Warning: remote port forwarding failed for "
                             "listen port %d", rfwd->listen_port);
         }
-        if (++remote_forward_confirms_received == options.num_remote_forwards)
+        if (++remote_forward_confirms_received == options.num_remote_forwards) {
                 debug("All remote forwarding requests processed");
-                /* XXX fork-after-authentication */
+                if (fork_after_authentication_flag) {
+                        fork_after_authentication_flag = 0;
+                        if (daemon(1, 1) < 0)
+                                fatal("daemon() failed: %.200s",
+                                    strerror(errno));
+                }
+        }
 }
 
 static void
@@ -1062,10 +1068,17 @@ ssh_session(void)
             options.permit_local_command)
                 ssh_local_cmd(options.local_command);
 
-        /* If requested, let ssh continue in the background. */
-        if (fork_after_authentication_flag)
+        /*
+         * If requested and we are not interested in replies to remote
+         * forwarding requests, then let ssh continue in the background.
+         */
+        if (fork_after_authentication_flag &&
+            (!options.exit_on_forward_failure ||
+            options.num_remote_forwards == 0)) {
+                fork_after_authentication_flag = 0;
                 if (daemon(1, 1) < 0)
                         fatal("daemon() failed: %.200s", strerror(errno));
+        }
 
         /*
          * If a command was specified on the command line, execute the
@@ -1204,9 +1217,11 @@ ssh_session2(void)
         muxserver_listen();
 
         /* If requested, let ssh continue in the background. */
-        if (fork_after_authentication_flag)
+        if (fork_after_authentication_flag) {
+                fork_after_authentication_flag = 0;
                 if (daemon(1, 1) < 0)
                         fatal("daemon() failed: %.200s", strerror(errno));
+        }
 
         return client_loop(tty_flag, tty_flag ?
             options.escape_char : SSH_ESCAPECHAR_NONE, id);