From 9a2a60986bf33414acf63b6d92d93a2f690c3a17 Mon Sep 17 00:00:00 2001 From: Darren Tucker Date: Fri, 4 Jul 2008 12:53:50 +1000 Subject: - djm@cvs.openbsd.org 2008/07/02 13:47:39 [ssh.1 ssh.c] When forking after authentication ("ssh -f") with ExitOnForwardFailure enabled, delay the fork until after replies for any -R forwards have been seen. Allows for robust detection of -R forward failure when using -f (similar to bz#92); ok dtucker@ --- ChangeLog | 8 +++++++- ssh.1 | 13 +++++++++++-- ssh.c | 27 +++++++++++++++++++++------ 3 files changed, 39 insertions(+), 9 deletions(-) diff --git a/ChangeLog b/ChangeLog index 6f69442f4..c35092898 100644 --- a/ChangeLog +++ b/ChangeLog @@ -3,6 +3,12 @@ - djm@cvs.openbsd.org 2008/07/02 13:30:34 [auth2.c] really really remove the freebie "none" auth try for protocol 2 + - djm@cvs.openbsd.org 2008/07/02 13:47:39 + [ssh.1 ssh.c] + When forking after authentication ("ssh -f") with ExitOnForwardFailure + enabled, delay the fork until after replies for any -R forwards have + been seen. Allows for robust detection of -R forward failure when + using -f (similar to bz#92); ok dtucker@ 20080702 - (dtucker) OpenBSD CVS Sync @@ -4538,4 +4544,4 @@ OpenServer 6 and add osr5bigcrypt support so when someone migrates passwords between UnixWare and OpenServer they will still work. OK dtucker@ -$Id: ChangeLog,v 1.5049 2008/07/04 02:53:23 dtucker Exp $ +$Id: ChangeLog,v 1.5050 2008/07/04 02:53:50 dtucker Exp $ diff --git a/ssh.1 b/ssh.1 index a58f5a02a..1883578f2 100644 --- a/ssh.1 +++ b/ssh.1 @@ -34,8 +34,8 @@ .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. .\" -.\" $OpenBSD: ssh.1,v 1.276 2008/06/26 21:11:46 jmc Exp $ -.Dd $Mdocdate: June 26 2008 $ +.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $ +.Dd $Mdocdate: July 2 2008 $ .Dt SSH 1 .Os .Sh NAME 
@@ -290,6 +290,15 @@ This implies The recommended way to start X11 programs at a remote site is with something like .Ic ssh -f host xterm . +.Pp +If the +.Cm ExitOnForwardFailure +configuration option is set to +.Dq yes , +then a client started with +.Fl f +will wait for all remote port forwards to be successfully established +before placing itself in the background. .It Fl g Allows remote hosts to connect to local forwarded ports. .It Fl I Ar smartcard_device diff --git a/ssh.c b/ssh.c index c15a1e483..e2dd67d68 100644 --- a/ssh.c +++ b/ssh.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssh.c,v 1.317 2008/06/12 16:35:31 dtucker Exp $ */ +/* $OpenBSD: ssh.c,v 1.318 2008/07/02 13:47:39 djm Exp $ */ /* * Author: Tatu Ylonen * Copyright (c) 1995 Tatu Ylonen , Espoo, Finland @@ -860,9 +860,15 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt) logit("Warning: remote port forwarding failed for " "listen port %d", rfwd->listen_port); } - if (++remote_forward_confirms_received == options.num_remote_forwards) + if (++remote_forward_confirms_received == options.num_remote_forwards) { debug("All remote forwarding requests processed"); - /* XXX fork-after-authentication */ + if (fork_after_authentication_flag) { + fork_after_authentication_flag = 0; + if (daemon(1, 1) < 0) + fatal("daemon() failed: %.200s", + strerror(errno)); + } + } } static void 
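Review bot: The sequence added to ssh_confirm_remote_forward in ssh.c (clear `fork_after_authentication_flag`, call `daemon(1, 1)`, `fatal()` on error) is repeated verbatim in the ssh_session and ssh_session2 hunks of this patch. Three copies of a one-shot operation are easy to let drift apart, for example if one site later forgets to clear the flag and the process forks twice. A single static helper called from all three places would keep the "fork at most once" rule in one spot; the name below is only a suggestion. The start of ssh_confirm_remote_forward lies outside the hunk, so how the failure reply is handled before the counter check is not visible here.

```c
/* Background the client exactly once after authentication. */
static void
fork_postauth(void)
{
	fork_after_authentication_flag = 0;
	if (daemon(1, 1) < 0)
		fatal("daemon() failed: %.200s", strerror(errno));
}

/* … unchanged: ssh_confirm_remote_forward up to the reply counter … */
	if (++remote_forward_confirms_received == options.num_remote_forwards) {
		debug("All remote forwarding requests processed");
		if (fork_after_authentication_flag)
			fork_postauth();
	}
```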
@@ -1062,10 +1068,17 @@ ssh_session(void) options.permit_local_command) ssh_local_cmd(options.local_command); - /* If requested, let ssh continue in the background. */ - if (fork_after_authentication_flag) + /* + * If requested and we are not interested in replies to remote + * forwarding requests, then let ssh continue in the background. + */ + if (fork_after_authentication_flag && + (!options.exit_on_forward_failure || + options.num_remote_forwards == 0)) { + fork_after_authentication_flag = 0; if (daemon(1, 1) < 0) fatal("daemon() failed: %.200s", strerror(errno)); + } /* * If a command was specified on the command line, execute the @@ -1204,9 +1217,11 @@ ssh_session2(void) muxserver_listen(); /* If requested, let ssh continue in the background. */ - if (fork_after_authentication_flag) + if (fork_after_authentication_flag) { + fork_after_authentication_flag = 0; if (daemon(1, 1) < 0) fatal("daemon() failed: %.200s", strerror(errno)); + } return client_loop(tty_flag, tty_flag ? options.escape_char : SSH_ESCAPECHAR_NONE, id); -- cgit v1.2.3
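Review bot: When the new condition in ssh_session skips the fork, the deferral is silent, and the only other place in this patch that can still background the client is the reply callback ssh_confirm_remote_forward. It is worth confirming that the callback is actually reached on this code path, which the hunk does not show. If it is not, `ssh -f` with ExitOnForwardFailure and a -R forward would never leave the foreground. An else branch with `debug("deferring fork until remote forward replies are received");` would make the deferred state visible in -v output. The body of ssh_session continues outside the hunk.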
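Review bot: The fork in ssh_session2 is still unconditional, because this hunk only adds braces and clears `fork_after_authentication_flag`, without the `exit_on_forward_failure` / `num_remote_forwards` test that the ssh_session hunk introduces. With the flag cleared here, the new branch in ssh_confirm_remote_forward can no longer fork. If -R replies are only processed inside the `client_loop()` call that follows (not visible in the hunk), the client backgrounds itself before any forward failure is known. That is the behaviour the commit description and the new ssh.1 text say is being removed, and scripts that rely on `-f` returning only once the tunnel exists would proceed without it. The guard should probably mirror ssh_session, `if (fork_after_authentication_flag && (!options.exit_on_forward_failure || options.num_remote_forwards == 0)) {`, with the comment above it updated to match.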