- djm@cvs.openbsd.org 2008/07/02 13:47:39

[ssh.1 ssh.c]
     When forking after authentication ("ssh -f") with ExitOnForwardFailure
     enabled, delay the fork until after replies for any -R forwards have
     been seen. Allows for robust detection of -R forward failure when
     using -f (similar to bz#92); ok dtucker@

ChangeLog

@@ -3,6 +3,12 @@
    - djm@cvs.openbsd.org 2008/07/02 13:30:34
      [auth2.c]
      really really remove the freebie "none" auth try for protocol 2
+   - djm@cvs.openbsd.org 2008/07/02 13:47:39
+     [ssh.1 ssh.c]
+     When forking after authentication ("ssh -f") with ExitOnForwardFailure
+     enabled, delay the fork until after replies for any -R forwards have
+     been seen. Allows for robust detection of -R forward failure when
+     using -f (similar to bz#92); ok dtucker@
 
 20080702
  - (dtucker) OpenBSD CVS Sync
@@ -4538,4 +4544,4 @@
    OpenServer 6 and add osr5bigcrypt support so when someone migrates
    passwords between UnixWare and OpenServer they will still work. OK dtucker@
 
-$Id: ChangeLog,v 1.5049 2008/07/04 02:53:23 dtucker Exp $
+$Id: ChangeLog,v 1.5050 2008/07/04 02:53:50 dtucker Exp $

ssh.1

@@ -34,8 +34,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.276 2008/06/26 21:11:46 jmc Exp $
+.\" $OpenBSD: ssh.1,v 1.277 2008/07/02 13:47:39 djm Exp $
-.Dd $Mdocdate: June 26 2008 $
+.Dd $Mdocdate: July 2 2008 $
 .Dt SSH 1
 .Os
 .Sh NAME
@@ -290,6 +290,15 @@ This implies
 The recommended way to start X11 programs at a remote site is with
 something like
 .Ic ssh -f host xterm .
+.Pp
+If the
+.Cm ExitOnForwardFailure
+configuration option is set to
+.Dq yes ,
+then a client started with
+.Fl f
+will wait for all remote port forwards to be successfully established
+before placing itself in the background.
 .It Fl g
 Allows remote hosts to connect to local forwarded ports.
 .It Fl I Ar smartcard_device

ssh.c

@@ -1,4 +1,4 @@
-/* $OpenBSD: ssh.c,v 1.317 2008/06/12 16:35:31 dtucker Exp $ */
+/* $OpenBSD: ssh.c,v 1.318 2008/07/02 13:47:39 djm Exp $ */
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
@@ -860,9 +860,15 @@ ssh_confirm_remote_forward(int type, u_int32_t seq, void *ctxt)
 			logit("Warning: remote port forwarding failed for "
 			    "listen port %d", rfwd->listen_port);
 	}
-	if (++remote_forward_confirms_received == options.num_remote_forwards)
+	if (++remote_forward_confirms_received == options.num_remote_forwards) {
 		debug("All remote forwarding requests processed");
-		/* XXX fork-after-authentication */
+		if (fork_after_authentication_flag) {
+			fork_after_authentication_flag = 0;
+			if (daemon(1, 1) < 0)
+				fatal("daemon() failed: %.200s",
+				    strerror(errno));
+		}
+	}
 }
 
 static void
@@ -1062,10 +1068,17 @@ ssh_session(void)
 	    options.permit_local_command)
 		ssh_local_cmd(options.local_command);
 
-	/* If requested, let ssh continue in the background. */
+	/*
-	if (fork_after_authentication_flag)
+	 * If requested and we are not interested in replies to remote
+	 * forwarding requests, then let ssh continue in the background.
+	 */
+	if (fork_after_authentication_flag &&
+	    (!options.exit_on_forward_failure ||
+	    options.num_remote_forwards == 0)) {
+		fork_after_authentication_flag = 0;
 		if (daemon(1, 1) < 0)
 			fatal("daemon() failed: %.200s", strerror(errno));
+	}
 
 	/*
 	 * If a command was specified on the command line, execute the
@@ -1204,9 +1217,11 @@ ssh_session2(void)
 	muxserver_listen();
 
 	/* If requested, let ssh continue in the background. */
-	if (fork_after_authentication_flag)
+	if (fork_after_authentication_flag) {
+		fork_after_authentication_flag = 0;
 		if (daemon(1, 1) < 0)
 			fatal("daemon() failed: %.200s", strerror(errno));
+	}
 
 	return client_loop(tty_flag, tty_flag ?
 	    options.escape_char : SSH_ESCAPECHAR_NONE, id);