rsync through multiple ssh hops with password authentication prompt

Matt McCutchen hashproduct at verizon.net
Fri Oct 21 15:22:35 GMT 2005


On Fri, 2005-10-21 at 10:04 -0400, Matt McCutchen wrote:
> ~/.ssh/config:
> 	Host target
> 	ProxyCommand ssh middle nc %h %p

Apparently, ssh uses a SIGHUP to tell the ProxyCommand that it is
finished with the connection.  If nc is used as the proxy, it
understands the SIGHUP as a request to exit and all is well.  However,
under the arrangement above, the SIGHUP goes to the ssh maintaining the
tunnel, which noisily dies, leaving the nc running on the middle
machine!

I came upon this article on the Internet that recommended the same
technique of using a combination of ssh and nc as a ProxyCommand:
	http://www.hackinglinuxexposed.com/articles/20040830.html
The article says to provide the "-w 1" option to nc, which, according to
them, makes it exit a second after the connection is "dead".  According
to the man page, however, "-w 1" causes nc to quit if the connection
is /idle/ for one second; furthermore, I don't see how the original ssh
would signal to the ProxyCommand that the connection is "dead" if all it
has is a pair of streams.  Nonetheless, passing "-w 1" to nc does the
right thing: nc quits soon after I log out of the original SSH session
but keeps running if I don't type anything for a second.  This is very
nice; could someone shed some light on why it works?

Since nc seems to know when to quit, one can just block the SIGHUP
coming from the original ssh to the tunnel ssh.  So I recommend this
setup:

~/.ssh/config:
	Host target
	ProxyCommand nohup ssh middle nc -w 1 %h %p

When one logs out of target, the original ssh sends its SIGHUP (which is
ignored) and quits immediately, returning one to the command prompt.
The tunnel ssh continues running in the background.  A few seconds
later, the tunnel nc decides to quit, and the tunnel ssh, seeing that
its command has quit, quits as well.

This setup seems to work well--perhaps it could be added to the rsync
FAQ page as Method 2b.  The only annoyance is that one might still get
two indistinguishable "Password:" prompts; could someone tell me how to
configure SSH so the prompt reveals the target username at host?
-- 
Matt McCutchen, ``hashproduct''
hashproduct at verizon.net -- http://mysite.verizon.net/hashproduct/
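
The SIGHUP behaviour that the nohup prefix in the message above relies on, as an added example that is not part of the original message. Assumptions: `sleep` stands in for the tunnel command `ssh middle nc -w 1 %h %p` so the demo runs without any hosts, and `survives_hup` is a hypothetical helper name.

```shell
#!/bin/sh
# Added example, not from the original post. It starts a stand-in "tunnel"
# process with and without nohup, sends it SIGHUP the way the message says
# the outer ssh signals its ProxyCommand, and reports whether it survived.

# survives_hup CMD [ARGS...]
# Runs CMD in the background, sends it SIGHUP, prints "survived" or "died".
survives_hup() {
    "$@" </dev/null >/dev/null 2>&1 &
    pid=$!
    sleep 1                                  # give nohup time to exec CMD
    kill -HUP "$pid" 2>/dev/null || true     # the hangup from the outer ssh
    sleep 1
    if kill -0 "$pid" 2>/dev/null; then
        # Still alive: SIGHUP was ignored. Clean up the stand-in process.
        kill -KILL "$pid" 2>/dev/null || true
        wait "$pid" 2>/dev/null || true
        echo survived
    else
        wait "$pid" 2>/dev/null || true
        echo died
    fi
}

# Plain command: default SIGHUP disposition terminates it, as happens to
# the tunnel ssh in the first configuration.
echo "without nohup: $(survives_hup sleep 30)"

# Under nohup: SIGHUP is set to ignored before exec, so the process keeps
# running and has to end on its own (in the post, when nc -w 1 exits).
echo "with nohup:    $(survives_hup nohup sleep 30)"
```

Because the nohup'd tunnel no longer ends on hangup, its lifetime depends entirely on the remote nc exiting; checking for leftover `ssh middle` processes after logout confirms that it does.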


