tramp-devel

Re: Using a 'bastion' - issue when providing password


From: SENESI Stéphane
Subject: Re: Using a 'bastion' - issue when providing password
Date: Wed, 8 Oct 2014 14:35:29 +0200 (CEST)

SO,


From: "Kai Großjohann" <address@hidden>
To: "SENESI Stéphane" <address@hidden>
Cc: "Michael Albinus" <address@hidden>, address@hidden
Sent: Wednesday 8 October 2014 12:54:20
Subject: Re: Using a 'bastion' - issue when providing password

That's interesting. In the telnet case, the authentication fails: it asks you for a password. So it could be related to agent forwarding.

Hm. Telnet case? From a telnet buffer inside Emacs? That sounds weird: did you telnet to localhost?

yes

Then you'd lose all your environment, including the connection to the ssh agent.

should I 'eval $(ssh-agent)'  or something similar ?

What happens when you do it from a shell buffer (M-x shell)?

The same

But actually, that's not the comparison I was looking for. Suppose you have

HostName rt
    ProxyCommand ssh -vvv bel address@hidden

and you are saying that "ssh rt" hangs but "ssh -vvv bel address@hidden" works. Then I was thinking perhaps it's possible to compare the output of "ssh rt" with the output of "ssh -vvv bel address@hidden". (Both of them invoked outside of Emacs.)


I did that. See attachments (filenames are self-explanatory). The main diff is at line 122: the working case (not using 'rt') has an additional line:
    debug2: channel 0: request pty-req confirm 1

I tried adding '-t' to the ProxyCommand: the only change is that I get a message:
    Pseudo-terminal will not be allocated because stdin is not a terminal.

Following Michael's advice, I tried adding two '-t' to the ProxyCommand. W.r.t. the working case, it adds
    line 116 : debug2: fd 4 setting O_NONBLOCK
                     debug2: fd 5 setting O_NONBLOCK
    line 130 : debug1: tty_make_modes: no fd or tio
but it hangs before requesting the password

S.


And perhaps that works to figure out how to make "ssh rt" work from outside Emacs. And once that works, perhaps it also works via Tramp.

Kai

On 8 Oct 2014, at 12:15, SENESI Stéphane wrote:

Hi Kai

Answers interspersed :

----- Original message -----

| From: "Kai Großjohann" address@hidden
| To: "SENESI Stéphane" address@hidden
| Cc: "Michael Albinus" address@hidden, address@hidden
| Sent: Tuesday 7 October 2014 21:56:39
| Subject: Re: Using a 'bastion' - issue when providing password

| I'm hoping that it can be made to work somehow, just need to figure out
| how. Get "ssh rt" working outside Emacs, then perhaps it works inside
| Emacs, too.

| You could try "ssh -vvv rt" for a start, that should show you a number
| of debug messages.
I did that. It does not work, either:
- when the ProxyCommand includes option '-t': it ends with "Pseudo-terminal will not be allocated because stdin is not a terminal."
- when it does not : just hanging

| You could try to change the ProxyCommand to add "-vvv" to the ssh
| command in there.

| You could compare whatever you get from "ssh rt" with what you get when
| you type the proxy command manually (use the same "-vvv" in both cases).
I rather compared the outputs of "ssh -vvv" in two cases, one labeled 'working-case' in attachments where the command is issued outside of Emacs, and another called 'telnet-case', from a telnet session in Emacs. There is a significant additional block of debug info in the telnet-case, beginning after "SSH2_MSG_NEWKEYS received". Upstream of that, there are small differences on two lines of debug info, on the first figures:
debug2: dh_gen_key: priv key bits set: 119/256 (working case shows : 138/256)
debug2: bits set: 1013/2048 (working case shows : 1040/2048)

Are you able to interpret that (or other details in the attachments) ?

Best regards, and, again, thanks

S

| Am I making sense? Does this explain the approach I'm thinking about?

| Kai

| On 7 Oct 2014, at 11:02, SENESI Stéphane wrote:

| > Hello Kai
| >
| > Thanks for the hint but it does not work : after configuring that
| > entry with the suggested ProxyCommand, invoking "ssh rt" just hangs
| > (even outside of Emacs).
| >
| > And, also, in the former setting, changing the value of
| > tramp-local-end-of-line from Ctrl-J to Ctrl-M did not succeed either.
| >
| > I had my network people here issue a ticket to the bastion
| > manufacturer user support, but am not fully optimistic about getting a
| > workable reply ...
| >
| > So any further idea is still welcome...
| >
| > Regards
| >
| > S
| >
| > ----- Original message -----
| >
| > | From: "Kai Großjohann" address@hidden
| > | To: "SENESI Stéphane" address@hidden
| > | Cc: "Michael Albinus" address@hidden, address@hidden
| > | Sent: Monday 6 October 2014 23:50:17
| > | Subject: Re: Using a 'bastion' - issue when providing password
| >
| > | I think Michael meant that you create an additional ~/.ssh/config
| > entry
| > | beyond the "bel" one that you've got already.
| >
| > | If I recall correctly, you had to do ssh -t bel address@hidden , and
| > bel was an
| > | entry in ~/.ssh/config .
| >
| > | So: create a new entry "rt" in ~/.ssh/config that does ssh -t bel
| > address@hidden
| > | behind the scenes :-)
| >
| > | How to do that? Hmmm.
| > | Host rt
| > | ProxyCommand ssh -t bel address@hidden
| >
| > | Maybe that works, I'm not sure.
| >
| > | Kai
| >
| > | On 3 Oct 2014, at 15:50, SENESI Stéphane wrote:
| > | | Hi Michael
| > |
| >
| > | | Thanks for taking time for user support during your vacation !!
| > |
| > | | Three remarks :
| > |
| >
| > | | ----- Original message -----
| > |
| >
| > | | | From: "Michael Albinus" address@hidden
| > |
| > | | | To: "SENESI Stéphane" address@hidden
| > |
| > | | | Cc: address@hidden
| > |
| > | | | Sent: Friday 3 October 2014 13:39:20
| > |
| > | | | Subject: Re: Using a 'bastion' - issue when providing password
| > |
| >
| > | | | Hi Stéphane,
| > |
| >
| > | | | I am on vacations just now (btw, in France :-)
| > |
| > | | Enjoy ! but mind that weather will become rainy from Sunday for
| > most parts
| > | | of
| > | | France
| > |
| >
| > | | | so I cannot check in detail until I return. For the time being
| > you might
| > | | | try
| > |
| > | | | to add an entry to ~/.ssh/config for your bastion host, which
| > fires the
| > |
| > | | | needed command.
| > |
| > | | As far as I understand, these bastion won't accept the user to
issue
| > | | command,
| > | | either directly or not, but only react to one of the two options I
| > quoted
| > | | (providing address@hidden on first ssh command, or choosing an entry in
| > a
| > | | address@hidden's list
| > |
| >
| > | | | Furthermore, there is a variable tramp-password-end-of-line (or
| > so),
| > | | | maybe
| > |
| > | | | you could tweak it somehow.
| > |
| > | | Do you refer to :
| > |
| > | | ....
| > |
| > | | (process-send-string
| > |
| > | | proc (concat (tramp-read-passwd proc) tramp-local-end-of-line))
| > |
| > | | If yes, my value for tramp-local-end-of-line is C-j, which seems
| > sensible
| > | | .... If not, where is the best place to change it ?
| > |
| >
| > | | Best regards
| > |
| >
| > | | S
| > |
| >
| > | | | Best regards, Michael.
| > |
| > | | --
| > |
| > | | ----- Météo-France -----
| > |
| > | | SENESI STEPHANE
| > |
| > | | CNRM/GMGEC/ASTER
| > |
| > | | address@hidden
| > |
| > | | Fixe : +33 561079931
| > |
| >
| > | | Tramp-devel mailing list
| > |
| > | | address@hidden
| > |
| > | | https://lists.gnu.org/mailman/listinfo/tramp-devel
| > |
| >
| > --
| > ----- Météo-France -----
| > SENESI STEPHANE
| > CNRM/GMGEC/ASTER
| > address@hidden
| > Fixe : +33 561079931

--
----- Météo-France -----
SENESI STEPHANE
CNRM/GMGEC/ASTER
address@hidden
Fixe : +33 561079931

[working-case]

[telnet-case]
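
The comparison of two `ssh -vvv` traces discussed in this thread, as an added example that is not part of the original messages: it masks the "bits set" counters, which come from the random Diffie-Hellman values and so differ on every connection, and then reports only the lines unique to each trace. The two sample traces are constructed from lines quoted in the thread plus one assumed `request shell` line; the function names are hypothetical.

```python
import difflib
import re

# Per-connection noise: the "bits set: X/Y" counters describe random DH
# values, so two otherwise identical sessions never agree on them.
NOISE = [(re.compile(r"(bits set: )\d+/\d+"), r"\g<1>N/M")]


def normalize(log_text):
    """Return the non-empty lines of an ssh -vvv trace with noise masked."""
    lines = []
    for line in log_text.splitlines():
        line = line.strip()
        if not line:
            continue
        for pattern, repl in NOISE:
            line = pattern.sub(repl, line)
        lines.append(line)
    return lines


def meaningful_diff(working, failing):
    """Return (lines only in working trace, lines only in failing trace)."""
    only_working, only_failing = [], []
    for entry in difflib.ndiff(normalize(working), normalize(failing)):
        if entry.startswith("- "):
            only_working.append(entry[2:])
        elif entry.startswith("+ "):
            only_failing.append(entry[2:])
    return only_working, only_failing


# Constructed sample traces (abbreviated), not the thread's attachments.
WORKING = """\
debug2: dh_gen_key: priv key bits set: 138/256
debug2: bits set: 1040/2048
debug1: SSH2_MSG_NEWKEYS received
debug2: channel 0: request pty-req confirm 1
debug2: channel 0: request shell confirm 1
"""
FAILING = """\
debug2: dh_gen_key: priv key bits set: 119/256
debug2: bits set: 1013/2048
debug1: SSH2_MSG_NEWKEYS received
Pseudo-terminal will not be allocated because stdin is not a terminal.
debug2: channel 0: request shell confirm 1
"""

if __name__ == "__main__":
    print(meaningful_diff(WORKING, FAILING))
```
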



