Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Out-of-band data + SSH Agent forwarding (Take 2) #583

Closed
wants to merge 1 commit into from
Closed

Out-of-band data + SSH Agent forwarding (Take 2) #583

wants to merge 1 commit into from

Conversation

kevinr
Copy link

@kevinr kevinr commented Feb 7, 2015

I've cleaned up the compiler warnings in Timo Rinne's [ssh-agent-forwarding branch](https://github.com/rinne/mosh/tree/ssh-agent-forwarding branch) from pull request #423, to address issue #120, and squashed the change down into a single commit. (It looks like you weren't configuring with --enable-compile-warnings=error, Timo, which the README recommends for distributors, and otherwise the Make output suppresses warnings.)

In my limited testing on Ubuntu Trusty, the patch works as advertised.

I'd love to see this merged to master.

void notify_eof(uint64_t agent_id);
AgentConnection *get_session();

ProxyAgent(const ProxyAgent&); // unimplemented
Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

are those two still unimplemented?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yes -- the copy constructor and operator= method aren't used, but the class has pointer members so leaving these methods undefined produces a warning. Defining them as private but not specifying them quiets the warning and results in a link error if someone tries to use them anywhere.

Copy link

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

mkay :) running out of C++ knowledge here :D

@luto
Copy link

luto commented Feb 7, 2015

Thanks for the work! 👍
Even though I'm neither a C++ programmer nor a mosh maintainer, I've added some comments to help @keithw out a bit :P

@kevinr
Copy link
Author

kevinr commented Feb 7, 2015

Thanks @luto !

I'm sorry @rinne, I didn't manage to tag you when I created this pull request. I cleaned up the compiler warnings from your branch and squashed the commits down.

@rinne
Copy link
Contributor

rinne commented Feb 10, 2015

@kevinr No problem. I'm just glad someone is willing to catch that, since I really don't have time for it and it has passed the magical "works for me" -level.

Pluggable out-of-band communication mechanism over Mosh transport
layer and SSH agent forwarding support on top of the out-of-band mechanism
@Kriechi
Copy link

Kriechi commented Feb 17, 2015

👍
works for me on OS X 10.9 client with Debian 7.8 as server.

@Dorthu
Copy link

Dorthu commented Feb 19, 2015

👍 Working on OSX/Debian 7

@moltar
Copy link

moltar commented Feb 26, 2015

yay.

@toresbe
Copy link

toresbe commented Mar 5, 2015

Awesome! Thanks. This makes my day so much easier when maintaining servers on the other side of the planet. Confirmed working on Debian 8 going to FreeBSD.

@jravetch
Copy link

👍

@nathanlburns
Copy link

Is there any update here? Additional testing needed?

@Mic92
Copy link

Mic92 commented Apr 29, 2015

Thanks for this feature. For those on archlinux I have upload the package mosh-sshagent-git in the AUR based on the kevinr:kevinr-ssh-agent-forwarding branch.

@PAStheLoD
Copy link

Hello,

You might be interested in knowing, that there is a problem with compiling this with g++ 4.9.

g++ -DHAVE_CONFIG_H -I. -I../..  -I./../util -I./../crypto -I../protobufs -pthread   -Wall -Werror -Wextra -pedantic -Wno-long-long -Weffc++ -fno-strict-overflow -D_FORTIFY_SOURCE=2 -fstack-protector-all -Wstack-protector --param ssp-buffer-size=1 -fPIE -fno-default-inline -pipe -g -O2 -c -o networktransport.o networktransport.cc
In file included from transportsender.h:45:0,
                 from networktransport.h:43,
                 from networktransport.cc:35:
outofband.h:118:9: error: 'class Network::OutOfBandPlugin' has virtual functions and accessible non-virtual destructor [-Werror=non-virtual-dtor]
   class OutOfBandPlugin
         ^
cc1plus: all warnings being treated as errors

Interestingly g++ 4.8 works fine.

@glensc
Copy link

glensc commented May 2, 2015

the warning can be made non-fatal for now: -Wno-error=non-virtual-dtor

@MacGyverNL
Copy link

I've started using gpg-agent-forwarding through the SSH-mechanism for arbitrary Unix Domain socket forwarding (ssh -R /home/remoteuser/.gnupg/S.gpg-agent /home/localuser/.gnupg/S.forwarded-agent, recent addition to OpenSSH). I have not looked at the code in OpenSSH used to do this, but looking at the patches for SSH-agent-forwarding it seems to me that support for forwarding arbitrary Unix Domain sockets should not be too different from what's here now. Would this be an interesting thing to add?

@rinne
Copy link
Contributor

rinne commented Jun 3, 2015

The current implementation of agent forwarding actually parses the content of the stream so that it parses and sanity checks protocol packet length and separates the packets from each other (does not care about packet contents). This is done in order to keep the flow control issues in minimum. Adding specific gpg agent forwarding would probably be quite easy and it could borrow most of the ssh agent forwarding code and run over the out-of-band transport like it. But adding a generic forwarding with full socket flow control would be much bigger effort.

@glensc
Copy link

glensc commented Jun 9, 2015

@kevinr would you mind rebasing it to current master? so could build this patch against 1.2.4.95rc1 pre-release

return;
}
if (server) {
PRNG prng;
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This really is close to being a bikeshed...but I have to agree that mkdtemp() is a better thing to do here. Your code looks OK, but the people who write libc code have thought longer and harder on this topic than you or I have.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This is pretty much a non-issue, but I have a recollection that there really is a valid reason not to use library function here. Also this is really simple stuff.

@cgull
Copy link
Member

cgull commented Jun 28, 2015

I finally looked at this code a couple of days ago. The larger question of whether the Mosh project wants to add this sort of functionality is still there, but I thought I should at least review the code and see how it looks.

@kevinr, @rinne: I reviewed this pull request because it was conveniently lumped together in one diff. But the Mosh project prefers a clean Git history: we want to see changes better broken down into more discrete, incremental pieces of work, commits that reflect the initial development process and wouldn't be relevant once brought into the Mosh repo (bug fixes, implementation changes, etc) should be squashed, and in general the commits should tell a clear, readable, reviewable story of how you got from there to here. I didn't look quite closely enough, but I think having everything squashed down into one commit is a better place to start than @rinne's original commits, which have one large commit containing most of the agent-forwarding work (and the MOSH_ESCAPE_KEY feature too) and then a series of bug fixes following from there. It's not immediately clear to me how you'd break this into incremental pieces of work (which does say something about how tied the various parts are to each other).

But it mostly looks pretty good to me. The biggest issue that I see is that it integrates awkwardly with Mosh's (imperfect) event handling, and has a couple of problems with blocking I/O. Everything I noticed is quite fixable, though.

The network stack here is fairly simple (which I think is appropriate). It has what's needed for agent forwarding. But its reliable stream implementation is very simple, it's synchronous and unbuffered. Those of you hoping that this code could bring port forwarding, X11 forwarding, and other higher-performance things like that...this isn't ready for that.

@rinne
Copy link
Contributor

rinne commented Jul 2, 2015

@cgull Thanks for going through the stuff.

I merged the forwarding branch with original commit history to current upstream master. The resulting branch is ssh-agent-forwarding-ng in https://github.com/rinne/mosh/

The agent work has two main commits. One being the oob layer and another being the agent forwarding on top of that. Probably with some of the history might benefit from rebasing, but I don't think I have time nor energy for that. If someone can spare the time, please do.

What you said about OOB not being ready for generic stream forwarding, I fully agree. Generic streaming actually sets quite a few requirements to intra-protocol flow control and congestion detection (flow control must be fully implemented for each forwarded stream, not just the protocol connection itself). Also for it to have a decent performance, it needs to have some kind of self adjusting windowing etc also in protocol level. I remember all this being such a pain for ssh development, that I feel pretty strongly that implementing generic stream forwarding to mosh would be much more work than it's worth. And even with someone willing to invest the effort, it would have stability issues and even possible security implications that would take a huge effort to solve. I just don't think it's worth it.

However, it was practically free to implement OOB so that it has separate modes (unreliable datagram mode, reliable datagram mode, reliable stream mode) at least in API level. It should more or less work in either mode, but agent connection is forwarded using reliable datagram mode (one agent protocol packet per datagram) simply in order to avoid inherent problems of generic streaming. It does however mean, that agent protocol packets have to be parsed in mosh-server just enough to read their length and the corresponding payload.

As I said earlier, I feel quite comfortable with current "works for me" -level of mosh agent forwarding implementation. It's not just hacked together up to the point it's somewhat usable, but as far as I can see, it doesn't have any obvious problems and also the way it's hooked into mosh has been at least somewhat designed and not just somehow scotchtaped together. I'm sure that could have been done also in another way, but at least I'm not going to re-implement that. I think it's useful functionality and use it myself every single day, so in one form or another, I hope it makes its way to mosh upstream.

@Kriechi
Copy link

Kriechi commented Oct 28, 2015

@kevinr if this PR is still considered active, would you mind rebasing and including recent changes from master? Thanks.

@rinne
Copy link
Contributor

rinne commented Nov 28, 2015

I merged OOB + agent forwarding on top of current master and did another PR #696.

@cgull
Copy link
Member

cgull commented May 25, 2016

I'd like to consider this for Mosh 1.3, after we release 1.2.6. I've started a discussion on the mosh-devel mailing list; if you're interested please comment there.

@OneOfOne
Copy link

OneOfOne commented Jun 2, 2016

This is very important for us with crappy connections that need to transfer files over ssh.

@andersk
Copy link
Member

andersk commented Jun 3, 2016

@OneOfOne: File transfer is outside the scope of this patch (and probably of Mosh, for the foreseeable future).

@kevinr
Copy link
Author

kevinr commented Jun 3, 2016

@cgull I'd love to get it merged in 1.3. I don't see your thread on the mosh-devel list, though.

@andersk
Copy link
Member

andersk commented Jun 3, 2016

@cgull
Copy link
Member

cgull commented Jun 4, 2016

@kevinr: I got a bounce from Gmail when I sent to mosh-devel, which I think is related to recent DMARC changes they've made, which I believe will cause some mailing list mail (including from my domain) to bounce. If you're using Gmail that's probably why you didn't see it.

@ErwanAliasr1
Copy link

Any chance to get that feature in ?

@rinne
Copy link
Contributor

rinne commented Jan 13, 2017

@ErwanAliasr1 See #696 instead. This one should be closed anyways.

@kevinr kevinr closed this Feb 27, 2017
@jspraul
Copy link

jspraul commented Feb 11, 2022

@ErwanAliasr1 See #696 instead. This one should be closed anyways.

To be clear to passers-by like me who might otherwise get excited: @andersk explained #696 only covers only SSH agent forwarding (and has been merged 🎉), not all out-of-band data (port forwarding).

It's unfortunate that half of this was dropped, it's probably a lot of work now to fit the pieces into the latest code. Is it possible that's what's happening on this fork by @rinne?

@Mic92
Copy link

Mic92 commented Feb 11, 2022

I also have some goodies merged in here. https://github.com/Mic92/mosh/commits/agent-forwarding
I rebase this fork every once in a while

@rinne
Copy link
Contributor

rinne commented Feb 11, 2022

@ErwanAliasr1 See #696 instead. This one should be closed anyways.

To be clear to passers-by like me who might otherwise get excited: @andersk explained #696 only covers only SSH agent forwarding (and has been merged 🎉), not all out-of-band data (port forwarding).

It's unfortunate that half of this was dropped, it's probably a lot of work now to fit the pieces into the latest code. Is it possible that's what's happening on this fork by @rinne?

Hi. Actually none of that has been merged to upstream. #696 is just another thread of the same thing because of something I don't remember any longer. Anyways, there OOB data is not port forwarding as such, but it's just a protocol level extension that could be used in port forwarding like it's now used with agent forwarding. Anyways, none of these have made itself into upstream. I merge the upstream master to agent enabled branch (see #696) usually when I have to compile Mosh for myself, which happens maybe every few months or so.

@rinne
Copy link
Contributor

rinne commented Feb 11, 2022

And OOB stuff as it is now isn't really suitable for generic port forwarding. It lacks flow control and should there be a connection in which the reader side is blocking and producer side keeps writing, it simply closes the connection.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.