summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorbluhm@openbsd.org <bluhm@openbsd.org>2017-05-30 18:58:37 +0000
committerDamien Miller <djm@mindrot.org>2017-05-31 10:51:09 +1000
commit1112b534a6a7a07190e497e6bf86b0d5c5fb02dc (patch)
treead8c53c5857fe2290828b378b8c4cb8aff27fefe
parenteb272ea4099fd6157846f15c129ac5727933aa69 (diff)
upstream commit
Add RemoteCommand option to specify a command in the ssh config file instead of giving it on the client's command line. This command will be executed on the remote host. The feature allows to automate tasks using ssh config. OK markus@ Upstream-ID: 5d982fc17adea373a9c68cae1021ce0a0904a5ee
-rw-r--r--readconf.c13
-rw-r--r--readconf.h3
-rw-r--r--ssh.15
-rw-r--r--ssh.c40
-rw-r--r--ssh_config.512
5 files changed, 58 insertions, 15 deletions
diff --git a/readconf.c b/readconf.c
index 4be5327a..b11c628f 100644
--- a/readconf.c
+++ b/readconf.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.c,v 1.276 2017/05/20 02:35:47 djm Exp $ */
+/* $OpenBSD: readconf.c,v 1.277 2017/05/30 18:58:37 bluhm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -163,7 +163,8 @@ typedef enum {
oServerAliveInterval, oServerAliveCountMax, oIdentitiesOnly,
oSendEnv, oControlPath, oControlMaster, oControlPersist,
oHashKnownHosts,
- oTunnel, oTunnelDevice, oLocalCommand, oPermitLocalCommand,
+ oTunnel, oTunnelDevice,
+ oLocalCommand, oPermitLocalCommand, oRemoteCommand,
oVisualHostKey,
oKexAlgorithms, oIPQoS, oRequestTTY, oIgnoreUnknown, oProxyUseFdpass,
oCanonicalDomains, oCanonicalizeHostname, oCanonicalizeMaxDots,
@@ -284,6 +285,7 @@ static struct {
{ "tunneldevice", oTunnelDevice },
{ "localcommand", oLocalCommand },
{ "permitlocalcommand", oPermitLocalCommand },
+ { "remotecommand", oRemoteCommand },
{ "visualhostkey", oVisualHostKey },
{ "kexalgorithms", oKexAlgorithms },
{ "ipqos", oIPQoS },
@@ -1440,6 +1442,10 @@ parse_keytypes:
intptr = &options->permit_local_command;
goto parse_flag;
+ case oRemoteCommand:
+ charptr = &options->remote_command;
+ goto parse_command;
+
case oVisualHostKey:
intptr = &options->visual_host_key;
goto parse_flag;
@@ -1828,6 +1834,7 @@ initialize_options(Options * options)
options->tun_remote = -1;
options->local_command = NULL;
options->permit_local_command = -1;
+ options->remote_command = NULL;
options->add_keys_to_agent = -1;
options->identity_agent = NULL;
options->visual_host_key = -1;
@@ -2032,6 +2039,7 @@ fill_default_options(Options * options)
} \
} while(0)
CLEAR_ON_NONE(options->local_command);
+ CLEAR_ON_NONE(options->remote_command);
CLEAR_ON_NONE(options->proxy_command);
CLEAR_ON_NONE(options->control_path);
CLEAR_ON_NONE(options->revoked_host_keys);
@@ -2509,6 +2517,7 @@ dump_client_config(Options *o, const char *host)
dump_cfg_string(oKbdInteractiveDevices, o->kbd_interactive_devices);
dump_cfg_string(oKexAlgorithms, o->kex_algorithms ? o->kex_algorithms : KEX_CLIENT_KEX);
dump_cfg_string(oLocalCommand, o->local_command);
+ dump_cfg_string(oRemoteCommand, o->remote_command);
dump_cfg_string(oLogLevel, log_level_name(o->log_level));
dump_cfg_string(oMacs, o->macs ? o->macs : KEX_CLIENT_MAC);
#ifdef ENABLE_PKCS11
diff --git a/readconf.h b/readconf.h
index f47f5340..94dd427f 100644
--- a/readconf.h
+++ b/readconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: readconf.h,v 1.121 2017/04/30 23:18:22 djm Exp $ */
+/* $OpenBSD: readconf.h,v 1.122 2017/05/30 18:58:37 bluhm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -134,6 +134,7 @@ typedef struct {
char *local_command;
int permit_local_command;
+ char *remote_command;
int visual_host_key;
int request_tty;
diff --git a/ssh.1 b/ssh.1
index 10633d92..47cd0211 100644
--- a/ssh.1
+++ b/ssh.1
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.381 2017/05/05 10:41:58 naddy Exp $
-.Dd $Mdocdate: May 5 2017 $
+.\" $OpenBSD: ssh.1,v 1.382 2017/05/30 18:58:37 bluhm Exp $
+.Dd $Mdocdate: May 30 2017 $
.Dt SSH 1
.Os
.Sh NAME
@@ -518,6 +518,7 @@ For full details of the options listed below, and their possible values, see
.It PubkeyAcceptedKeyTypes
.It PubkeyAuthentication
.It RekeyLimit
+.It RemoteCommand
.It RemoteForward
.It RequestTTY
.It SendEnv
diff --git a/ssh.c b/ssh.c
index cfd6b70e..6137fd7d 100644
--- a/ssh.c
+++ b/ssh.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.460 2017/05/30 08:52:19 markus Exp $ */
+/* $OpenBSD: ssh.c,v 1.461 2017/05/30 18:58:37 bluhm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -973,12 +973,6 @@ main(int ac, char **av)
}
}
- /* Cannot fork to background if no command. */
- if (fork_after_authentication_flag && buffer_len(&command) == 0 &&
- !no_shell_flag)
- fatal("Cannot fork into background without a command "
- "to execute.");
-
/*
* Initialize "log" output. Since we are the client all output
* goes to stderr unless otherwise specified by -y or -E.
@@ -1133,6 +1127,15 @@ main(int ac, char **av)
options.use_privileged_port = 0;
#endif
+ if (buffer_len(&command) != 0 && options.remote_command != NULL)
+ fatal("Cannot execute command-line and remote command.");
+
+ /* Cannot fork to background if no command. */
+ if (fork_after_authentication_flag && buffer_len(&command) == 0 &&
+ options.remote_command == NULL && !no_shell_flag)
+ fatal("Cannot fork into background without a command "
+ "to execute.");
+
/* reinit */
log_init(argv0, options.log_level, options.log_facility, !use_syslog);
@@ -1141,7 +1144,7 @@ main(int ac, char **av)
tty_flag = 1;
/* Allocate a tty by default if no command specified. */
- if (buffer_len(&command) == 0)
+ if (buffer_len(&command) == 0 && options.remote_command == NULL)
tty_flag = options.request_tty != REQUEST_TTY_NO;
/* Force no tty */
@@ -1197,6 +1200,27 @@ main(int ac, char **av)
free(cp);
}
+ if (options.remote_command != NULL) {
+ debug3("expanding RemoteCommand: %s", options.remote_command);
+ cp = options.remote_command;
+ options.remote_command = percent_expand(cp,
+ "C", conn_hash_hex,
+ "L", shorthost,
+ "d", pw->pw_dir,
+ "h", host,
+ "l", thishost,
+ "n", host_arg,
+ "p", portstr,
+ "r", options.user,
+ "u", pw->pw_name,
+ (char *)NULL);
+ debug3("expanded RemoteCommand: %s", options.remote_command);
+ free(cp);
+ buffer_append(&command, options.remote_command,
+ strlen(options.remote_command));
+
+ }
+
if (options.control_path != NULL) {
cp = tilde_expand_filename(options.control_path,
original_real_uid);
diff --git a/ssh_config.5 b/ssh_config.5
index db37b92c..2c9e20fe 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh_config.5,v 1.248 2017/05/07 23:12:57 djm Exp $
-.Dd $Mdocdate: May 7 2017 $
+.\" $OpenBSD: ssh_config.5,v 1.249 2017/05/30 18:58:37 bluhm Exp $
+.Dd $Mdocdate: May 30 2017 $
.Dt SSH_CONFIG 5
.Os
.Sh NAME
@@ -1287,6 +1287,14 @@ is
.Cm default none ,
which means that rekeying is performed after the cipher's default amount
of data has been sent or received and no time based rekeying is done.
+.It Cm RemoteCommand
+Specifies a command to execute on the remote machine after successfully
+connecting to the server.
+The command string extends to the end of the line, and is executed with
+the user's shell.
+The same escape character substitutions as for
+.Cm LocalCommand
+will be performed.
.It Cm RemoteForward
Specifies that a TCP port on the remote machine be forwarded over
the secure channel to the specified host and port from the local machine.