[patch] Re: -n vs batch_mode vs batch_flag
Tom Holroyd
> i did not invent '-n' but the manpage reads:
>
> -n Redirects stdin from /dev/null (actually, prevents reading from
> stdin). This must be used when ssh is run in the background. A
> common trick is to use this to run X11 programs on a remote ma-
> chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
> an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
> tomatically forwarded over an encrypted channel. The ssh program
> will be put in the background. (This does not work if ssh needs
> ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> to ask for a password or passphrase; see also the -f option.)
> ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^
Yes, I read that. Notice how ssh doesn't do what that says.
> > % ssh -n localhost &
> > [1] 5220
> > % tomh@localhost's password:
> > [1] + Suspended (tty input) ssh -n localhost
According to the man page, -n should _prevent_ reading from stdin, but it
doesn't. There is a mechanism for this (batch mode) but it isn't used. I
was suggesting that -n set options.batch_mode (the stuff I said about
batch_flag was all wrong; if -n sets options.batch_mode it works).
Here's a patch. With this, you can put
ssh -n host command &
in a background script (or a menu item) and it will die gracefully if a
passwordless method (such as pubkey) isn't available. If you say -f then
it's an error to use batch mode.
--- ssh.c.old Mon Apr 9 10:44:52 2001
+++ ssh.c Mon Apr 9 10:53:35 2001
@@ -335,6 +335,7 @@
break;
case 'n':
stdin_null_flag = 1;
+ options.batch_mode = 1;
break;
case 'f':
fork_after_authentication_flag = 1;
@@ -533,6 +534,8 @@
/* Cannot fork to background if no command. */
if (fork_after_authentication_flag && buffer_len(&command) == 0 && !no_shell_flag)
fatal("Cannot fork into background without a command to execute.");
+ if (fork_after_authentication_flag)
+ options.batch_mode = 0;
/* Allocate a tty by default if no command specified. */
if (buffer_len(&command) == 0)
Dr. Tom
Markus Friedl
> On Sun, 8 Apr 2001, Markus Friedl wrote:
>
> > i did not invent '-n' but the manpage reads:
> >
> > -n Redirects stdin from /dev/null (actually, prevents reading from
> > stdin). This must be used when ssh is run in the background. A
> > common trick is to use this to run X11 programs on a remote ma-
> > chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
> > an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
> > tomatically forwarded over an encrypted channel. The ssh program
> > will be put in the background. (This does not work if ssh needs
> > ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
> > to ask for a password or passphrase; see also the -f option.)
> > ^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^
>
> Yes, I read that. Notice how ssh doesn't do what that says.
>
> > > % ssh -n localhost &
> > > [1] 5220
> > > % tomh@localhost's password:
> > > [1] + Suspended (tty input) ssh -n localhost
this is what the manpages says.
> According to the man page, -n should _prevent_ reading from stdin, but it
> doesn't.
ssh does not read from stdin, but from the tty.
why don't you use -f ?
-m
Tom Holroyd
> ssh does not read from stdin, but from the tty.
Yes, I misspoke, it's reading the passphrase from the tty, not stdin.
I was thinking -n mean "no input", not "no input from stdin".
> why don't you use -f ?
Because I don't want it to ask for a passphrase. I want to have two
authentication methods available: password and publickey. Then I want
to select a menu item from my GUI that does
ssh -n host command &
and I want it to be in batch mode, so the password method will not be
tried, and it'll go by pubkey if it can. So what I *really* want is
this:
ssh -n -o 'batchmode yes' host command &
BUT I thought it would be nice if -n did this for me automatically,
just as a convenience, since it seems much clearer to me. Maybe it's
just me. :-)
Wayne Davison
> stdin). This must be used when ssh is run in the background. A
> common trick is to use this to run X11 programs on a remote ma-
> chine. For example, ssh -n shadows.cs.hut.fi emacs & will start
> an emacs on shadows.cs.hut.fi, and the X11 connection will be au-
> tomatically forwarded over an encrypted channel. The ssh program
> will be put in the background. (This does not work if ssh needs
I think this could be improved a bit. The problems I have with it:
- It should say explicitly that it doesn't stop authentication prompts.
- Someone reading too casually might think that ssh puts the program
into the background, not the shell.
- A better explanation for why -n and prompts don't work well
together is needed (since -n works just fine with prompting, it's
the backgrounding by the shell that makes it not work right).
The following patch improves this section on -n, and makes a slight
tweak to the -f section.
..wayne..
---8<------8<------8<------8<---cut here--->8------>8------>8------>8---
Index: ssh.1
@@ -399,8 +399,9 @@
to go to background just before command execution.
This is useful if
.Nm
-is going to ask for passwords or passphrases, but the user
-wants it in the background.
+is going to ask for passwords or passphrases (since it needs to be
+in the foreground for that), but the user
+wants the command to be run in the background.
This implies
.Fl n .
The recommended way to start X11 programs at a remote site is with
@@ -437,6 +438,7 @@
Redirects stdin from
.Pa /dev/null
(actually, prevents reading from stdin).
+Does not prevent authentication prompts (which get read from /dev/tty).
This must be used when
.Nm
is run in the background.
@@ -447,12 +449,13 @@
connection will be automatically forwarded over an encrypted channel.
The
.Nm
-program will be put in the background.
-(This does not work if
+program will be put in the background by the shell (because of the '&').
+This shell idiom does not work well when
.Nm
-needs to ask for a password or passphrase; see also the
+needs to ask for a password or passphrase (because ssh will block
+waiting for a foreground response from the user); see the
.Fl f
-option.)
+option for a way to solve this.
.It Fl N
Do not execute a remote command.
This is useful if you just want to forward ports
---8<------8<------8<------8<---cut here--->8------>8------>8------>8---