Sad to say, but the OpenSSH crew has moved the "-X" functionality to a
new option, "-Y", and -X has a related but far less effective meaning now.
This makes a general mess of things for deep-ssh. I'm going to
try to find some time to come up with a decent workaround, but
meanwhile, I've posted on comp.security.ssh, asking why they broke it.
The OpenSSH developers don't appear to have any intention of
fixing what they broke, so I'm prototyping a couple of methods of
replicating deep-ssh v1 functionality using different methods. More
If all you require is tty functionality, and not X11 forwarding,
you can safely just delete all the -A's, -X's and -Y's from the
program, to get something that should work across a variety of
versions of ssh.
Or, if you have all older ssh clients, you can use all
Or, if you have all newer ssh clients, you can use all
-Y's. This is now the default, at least until I have more time to
work on my other prototypes.
If you've ever worked with an unrouted network, one or more
discontinuities (ssh hops, not one-network VPNs) deep, then
you may appreciate "deep-ssh".
Basically, deep-ssh just constructs a bunch of ssh's that call other
ssh's, until you're at your destination, at which point, a command is
Usage is like:
    deep-ssh '' host1!host2!host3 'uname -a'
This command will ssh to host1, which in turn will ssh to host2, which
in turn will ssh to host3, and then on host3 the command "uname -a" is
You can also do something like:
    deep-ssh '' host1!someuser@host2!host3 'uname -a'
Note the addition of a username specification.
You may want to consider setting up passwordless,
passphraseless ssh, once for each ssh hop. Alternatively, you
can just let ssh run a bunch of
ssh-askpass/x11-ssh-askpass/gnome-ssh-askpass commands to ask for a
password on each host in turn.
deep-ssh will attempt to set up X11 tunneling on each hop. However, if
for some reason one or more of the hosts you are connecting through, or
the host you are initiating the deep-ssh from, has X11 forwarding
problems, then the X11 forwarding will not work. Someday, I may have to
revise this to do ssh -Y instead of ssh -X...
I gave in and revised the quoting style to use exponential backslashing,
instead of trying to get away with alternating ' and ". This is much
more in line with how I really expected things to work.
I've tested deep-ssh as far as:
    ~/bin/deep-ssh '' host1!root@host2!host3!host4!host5 "uname -a"
    Executing: eval ssh -X host1 \" eval ssh -X root@host2 \\\" eval ssh -X host3\\\\\\\" eval ssh -X host4 \\\\\\\\\\\\\\\" eval ssh -X host5 \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\"uname -a\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\" \\\\\\\\\\\\\\\" \\\\\\\" \\\" \"
It asked me for a lot of passwords (via the GUI each time), but it did
eventually give me "uname -a" output from host5! :)
Shell metacharacters in your command are now escaped quite well,
but here documents aren't attempted. So, for example:
    deep-ssh host1!host2 'cat > /tmp/foo' < /tmp/foo
should work fine now.
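The exponential backslashing and the metacharacter escaping described above, as an added Python sketch; it is not deep-ssh's own code and does not use the bashquote module. The function names, the hop check and the sample command are assumptions made for the illustration.

```python
import re

DQ_SPECIAL = '\\"$`'  # what a POSIX shell still interprets inside double quotes
HOP_RE = re.compile(r'(?:[A-Za-z0-9_][A-Za-z0-9_.-]*@)?[A-Za-z0-9][A-Za-z0-9_.-]*')


def dq_quote(text):
    """Double-quote text so that one round of shell parsing yields it unchanged."""
    return '"' + ''.join('\\' + c if c in DQ_SPECIAL else c for c in text) + '"'


def build_chain(spec, command, ssh_opt='-Y'):
    """Turn 'host1!user@host2!host3' plus a command into one nested ssh line."""
    hops = spec.split('!')
    for hop in hops:
        # A hop is pasted into a shell command line unquoted, so refuse anything
        # that is not a plain [user@]host (no leading '-', no metacharacters).
        if not HOP_RE.fullmatch(hop):
            raise ValueError('unsafe hop: %r' % hop)
    line = command
    for hop in reversed(hops):  # the last hop is wrapped first
        line = 'ssh %s %s %s' % (ssh_opt, hop, dq_quote(line))
    return line


def peel(line):
    """Simulate one shell parsing `line`: return the argument ssh would pass on."""
    body = line[line.index('"') + 1:line.rindex('"')]
    out, i = [], 0
    while i < len(body):
        if body[i] == '\\' and i + 1 < len(body) and body[i + 1] in DQ_SPECIAL:
            i += 1  # the backslash is consumed, the escaped character is kept
        out.append(body[i])
        i += 1
    return ''.join(out)


def command_seen_after(line, hops):
    """What is left of `line` after `hops` successive rounds of shell parsing."""
    for _ in range(hops):
        line = peel(line)
    return line


if __name__ == '__main__':
    # Constructed sample: a command with characters every hop's shell would act on.
    sample = 'echo "$(hostname)"; uname -a'
    chain = build_chain('host1!root@host2!host3', sample)
    print(chain)
    print(command_seen_after(chain, 3))  # the sample, intact, for host3's shell
```

Each hop doubles the backslashes in front of the innermost quote and adds one, so five hops give 15 here; the transcript above shows 31, one doubling more, because its outermost quotes are themselves escaped.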
Note that some shells may require you to escape your !'s. Other shells
may or may not require you to escape them, depending on how they're
configured. Still others may not allow you to escape the !'s at all.
If you're in this latter situation, you might want to use a real
shell :), or modify deep-ssh to use a different delimiter.
Download deep-ssh here. It's going to
need my bashquote python module.
Another approach can be found here. I
must say, it's an interesting way of accomplishing much the same
thing, and even has advantages over deep-ssh. I hope to find time to
look into this eventually. It'll most likely take longer to set up, but
once it's set up, you no longer have a "weak as the weakest link in the
chain" situation. Which of course leads one to consider a deep-ssh-like
program that configures what's needed for the method at the