Ssh – Why not simply use %h in OpenSSH ssh’s ControlPath option

Tags: connection-sharing, openssh, ssh

Why do the "ssh_config(5)" manpages recommend that the ControlPath option should contain at least the %h, %p and %r placeholders in order to uniquely identify each shared connection?

I thought that multiple sessions should share the same socket with a connection to the same host. Wouldn't it make sense then to have a simple definition such as:

ControlPath ~/.cache/ssh/mux/%h

Instead of something like:

ControlPath ~/.cache/ssh/mux/%r@%h:%p

In my understanding with the first definition one connection is shared between multiple sessions with different remote users, to the same remote host, on different remote ports.

I want to have the first definition in the host default section so that it suffices to say ssh -o ControlMaster=no.

I want to share the connection to the same remote host between all sessions initiated by the same local user regardless of the remote user and remote port. The master client's socket should live beneath the local user's home directory.

Best Answer

"I thought that multiple sessions should share the same socket with a connection to the same host."

They can. However, note that if you connect to a host using an existing connection via ControlPath, regardless of which user you intend to log in as, you will be logged in as the original user of the connection. E.g., with no established connection to "somewhere":

ssh -o ControlPath=~/.ssh/%h -o ControlMaster=yes bob@somewhere

This session is bob@somewhere.

ssh -o ControlPath=~/.ssh/%h -o ControlMaster=no sue@somewhere

This session will also be bob@somewhere, because you used the same ControlPath and set ControlMaster=no; if ControlMaster=yes, you'd be logged in as sue, but ssh will have ignored your ControlPath argument, as implied in man ssh_config:

Additional sessions can connect to this socket using the same ControlPath with ControlMaster set to 'no'.

As evidence of this, if ControlMaster=yes in both cases, when bob exits the ControlPath socket ~/.ssh/somewhere will disappear even though the "sue" session is still running, meaning the sue session never used that socket.

So, if you want to use the same connection, just %h is fine, but beware that you cannot share a connection as multiple different remote users -- ssh won't let you.
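The behaviour the answer describes can be checked before it bites you: expand the ControlPath template for every (remote user, host, port) you actually connect to and see which of them land on the same socket file. The following is an added example and not code from the question, the answer or OpenSSH itself. It reimplements the percent-token expansion of ssh_config(5) for %h, %p, %r, %l, %u, %C and %%; the local hostname, local user and home directory are constructed placeholders, and the %C hash is computed as the manpage describes (SHA-1 of %l%h%p%r) without the extra fields newer releases fold in, so treat it as an approximation. Any socket path that more than one target expands to is a place where a second session silently rides the first master, as the bob/sue case above shows. The example also flags paths that would exceed the Unix-socket path limit, which is the usual reason to prefer %C over %r@%h:%p.

```python
"""Expand OpenSSH ControlPath tokens and report which sessions would share a socket."""
import hashlib
from collections import defaultdict

# Constructed stand-ins for %l (local hostname), %u (local user) and ~ (home).
LOCAL_HOST = "laptop"
LOCAL_USER = "alice"
HOME = "/home/alice"

# sun_path is 108 bytes on Linux and 104 on macOS/BSD; a path must fit with its NUL.
SUN_PATH_LIMIT = 104

# Constructed sample of targets a single local user might connect to.
SAMPLE_TARGETS = [
    ("bob", "somewhere", 22),
    ("sue", "somewhere", 22),
    ("bob", "somewhere", 2222),
    ("alice", "elsewhere", 22),
]


def expand_controlpath(template, host, port, user,
                       local_host=LOCAL_HOST, local_user=LOCAL_USER, home=HOME):
    """Expand the ControlPath tokens from ssh_config(5): %%, %h, %p, %r, %l, %u, %C.

    %C is sha1(%l%h%p%r) as the manpage describes; newer OpenSSH versions add
    further fields (e.g. %j), so this is an approximation of the real value.
    A leading ~ is replaced by the (constructed) home directory.
    """
    out = []
    i = 0
    while i < len(template):
        c = template[i]
        if c != "%":
            out.append(c)
            i += 1
            continue
        if i + 1 >= len(template):
            raise ValueError("dangling % at end of ControlPath template")
        t = template[i + 1]
        if t == "%":
            out.append("%")
        elif t == "h":
            out.append(host)
        elif t == "p":
            out.append(str(port))
        elif t == "r":
            out.append(user)
        elif t == "l":
            out.append(local_host)
        elif t == "u":
            out.append(local_user)
        elif t == "C":
            digest_input = f"{local_host}{host}{port}{user}".encode()
            out.append(hashlib.sha1(digest_input).hexdigest())
        else:
            raise ValueError(f"unsupported ControlPath token %{t}")
        i += 2
    path = "".join(out)
    if path.startswith("~/"):
        path = home + path[1:]
    return path


def group_by_socket(template, targets):
    """Map each expanded socket path to the (user, host, port) targets that use it."""
    groups = defaultdict(list)
    for user, host, port in targets:
        groups[expand_controlpath(template, host, port, user)].append((user, host, port))
    return dict(groups)


def colliding_sockets(template, targets):
    """Socket paths that more than one distinct target would share.

    Every entry here is a case where ssh -o ControlMaster=no for the second
    target would reuse the first target's master, including its remote user.
    """
    return {p: t for p, t in group_by_socket(template, targets).items() if len(t) > 1}


def too_long(path, limit=SUN_PATH_LIMIT):
    """True if the path cannot be NUL-terminated inside sun_path of the given size."""
    return len(path.encode()) >= limit


if __name__ == "__main__":
    for template in ("~/.ssh/%h", "~/.cache/ssh/mux/%r@%h:%p", "~/.cache/ssh/mux/%C"):
        print(f"ControlPath {template}")
        for path, targets in group_by_socket(template, SAMPLE_TARGETS).items():
            flag = " (TOO LONG)" if too_long(path) else ""
            print(f"  {path}{flag} <- {targets}")
        for path, targets in colliding_sockets(template, SAMPLE_TARGETS).items():
            print(f"  SHARED: {path} would serve {len(targets)} different targets")
```

Run it as a script to see that `~/.ssh/%h` collapses bob@somewhere:22, sue@somewhere:22 and bob@somewhere:2222 onto one socket, while the `%r@%h:%p` and `%C` templates keep them apart; the only difference between the last two is that `%C` stays a fixed 40 hex characters no matter how long the hostname and user are.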
