LWN: Comments on "OpenSSH 8.1 released"

OpenSSH 8.1 released

toymachine — Fri, 11 Oct 2019 14:00:23 +0000

Thanks for the heads up! Time to upgrade!

OpenSSH 8.1 released

nybble41 — Fri, 11 Oct 2019 06:35:25 +0000

(
  socket=/tmp/stdio-$$-$RANDOM;
  socat -t1000 UNIX-LISTEN:$socket - &
  exec <>/dev/null 1>&0 2>&0;
  ssh -R $socket:$socket remotehost -t -- bash -c \
    "'trap \"rm -f $socket\" EXIT; GPG_TTY=\$(tty) socat -t1000 UNIX-CONNECT:$socket EXEC:\"gpg --clearsign\",nofork'" \
    0<>/dev/tty 1>&0 2>&0;
) <file >file.asc

OK, not the prettiest bit of shell-code ever, but it gets the job done. The remote GPG has its pseudo-terminal to prompt for the passphrase, connected to /dev/tty on the client, and the original stdin and stdout are forwarded separately via a bidirectional Unix-domain socket.

OpenSSH 8.1 released

wahern — Fri, 11 Oct 2019 02:09:20 +0000

I'm going to go out on a limb here and guess that the issue is that GPG will want to prompt for a password to decrypt the signing key, but because stdin is the input to be signed, and there are no other input channels available, it has no way of reading the password. Normally the password would be read from /dev/tty, bypassing stdin, but on a remote ssh session those effectively reference the same SSH protocol channel. I can't figure out what any of that has to do with stderr, other than perhaps GnuPG might write the prompt to stderr instead of /dev/tty, which might be less convenient if you'd like to separate the prompt from diagnostic messages.

OpenSSH 8.1 released

wahern — Fri, 11 Oct 2019 01:43:45 +0000

What does that have to do with TTYs and stderr?


$ echo foo | ssh somehost tee /dev/stderr >/tmp/foo.stdout 2>/tmp/foo.stderr
$ cat /tmp/foo.stdout                                                  ~
foo
$ cat /tmp/foo.stderr                                                  ~
foo

OpenSSH 8.1 released

mirabilos — Thu, 10 Oct 2019 13:53:30 +0000

Perhaps this representation is more easily understandable:

cat file | ssh remotehost gpg --clearsign | cat >file.asc

Basically, I’m taking a local file, sending it over ssh to remotehost to sign, and save the result in another local file.

OpenSSH 8.1 released

XTerminator — Thu, 10 Oct 2019 12:29:47 +0000

ok what's that supposed to do in English? You're fetching a file over ssh and sign it via gpg?

OpenSSH 8.1 released

mirabilos — Thu, 10 Oct 2019 11:24:14 +0000

<file ssh remotehost gpg --clearsign >file.asc

OpenSSH 8.1 released

XTerminator — Thu, 10 Oct 2019 11:03:49 +0000

in what context could this be useful?

OpenSSH 8.1 released

mirabilos — Wed, 09 Oct 2019 21:07:40 +0000

Now if ssh(1) would just consider that fd 2 could also carry a TTY reference, or even allow one to be passed on fd 3…