An interesting bit of ssh and sshd behavior

May 24, 2009

We have a ssh keypair that's used to let an automated script have very limited access to a remote system. As usual, we set up a whole host of restrictions in the target account's authorized_keys; we force a specific command, we only accept the key from the host we expect it from, and we specify the whole raft of no-* options, including no-pty. The command that gets forced for this particular keypair reads various things that it needs from standard input (i.e., from the script).

Recently, we wound up doing plain 'ssh login@host' as part of trying to debug a problem. My expectation was that this would behave just like the normal 'ssh login@host nominal-command' (since the command was being forced on the remote end anyway). Instead, what happened was that the connection stalled, (apparently) doing nothing; you would type at it and nothing happened. In fact, nothing even appeared (your typing wasn't echoed).

What turned out to be happening is this: ssh doesn't notice if the remote end refuses to create a pty. Instead it carries on exactly as if it were talking to a pty, so it puts the local terminal into raw mode and then sends your untranslated input to the other end (character by character). And plain 'ssh login@host' tries to do a login session, which asks for a pty, while the remote end refused to set up a pty and forced the command (instead of running any sort of shell).

When this happens, you get no visible output from your typing because ssh leaves it up to the remote end to do that in pty mode. Also, you generally get no visible reaction to what you've entered because when you hit 'return', ssh sent the raw return (as a \r), instead of the cooked newline (\n) that the other end is looking for. So in our case, the remote command thought that we were just typing a really, really long single line of input that we hadn't finished yet.

(Trivia: if you ever want to see if this is happening to you, type a Control-J; this sends \n directly. This is also useful to know if your terminal winds up in raw mode because a program crashed.)
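The raw versus cooked difference described above can be reproduced locally, without ssh. This is an added example, not code from the original post: it uses a local pty pair as a stand-in for the terminal, and the function names `delivered` and `complete_lines` are made up for illustration.

```python
import os
import termios
import tty


def delivered(keys, raw):
    """Return the bytes a reader on the terminal side of a pty gets for `keys`."""
    master, slave = os.openpty()
    try:
        if raw:
            tty.setraw(slave)            # what ssh does to the local terminal
        else:
            attrs = termios.tcgetattr(slave)
            attrs[0] |= termios.ICRNL    # iflag: translate CR to NL on input
            attrs[3] |= termios.ICANON   # lflag: line-at-a-time (cooked) input
            termios.tcsetattr(slave, termios.TCSANOW, attrs)
        os.write(master, keys)           # "typing" on the keyboard side
        data = b""
        while len(data) < len(keys):     # a read may return one line or chunk at a time
            data += os.read(slave, len(keys) - len(data))
        return data
    finally:
        os.close(master)
        os.close(slave)


def complete_lines(data):
    """Lines a newline-delimited reader (like the forced command) would act on."""
    return data.split(b"\n")[:-1]


if __name__ == "__main__":
    # Constructed sample input: two "lines" ended with Return, then one ended with Control-J.
    cases = [
        ("cooked, Return", b"abc\rdef\r", False),
        ("raw, Return", b"abc\rdef\r", True),
        ("raw, Control-J", b"abc\n", True),
    ]
    for label, keys, raw in cases:
        got = delivered(keys, raw)
        print(f"{label:15} -> {got!r} lines={complete_lines(got)}")
```

In raw mode the Return key's `\r` arrives unchanged, so a line-oriented reader sees no finished line until a `\n` (Control-J) shows up.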

Last modified: Sun May 24 23:08:27 2009