Hi!

On 14.04.25 at 12:41, Tom Hughes wrote:
[...]
> As it's just running the ssh command, could it just set some
> combination of the Control{Master,Path,Persist} options so that
> there is automatic connection sharing?
>
> Incidentally you could probably achieve the same thing without any
> code changes by doing something like this in .ssh/config:
>
> Host <vm-host>
>     ControlMaster auto
>     ControlPath ~/.ssh/control.%C
>     ControlPersist no
>
> That should share connections to the host until the last one is
> closed I think.
I can confirm that this actually solves my initial problem: With these few lines in $HOME/.ssh/config one has to authenticate only once in virt-manager on the initial connection setup and then can use the virtual console right away.

The first SSH connection to the host is authenticated as usual (in my case with SSH key + TOTP). Subsequent connections from the same client to the same host do not perform a new authentication; they now use the existing network connection.

There seems to be a side effect, though: if the initial connection is done using virt-manager, a subsequent SSH shell session to the host is lost if the virt-manager connection is closed.

This is interesting, as if the initial connection is done using ssh on the commandline (to get a shell on the remote host), a subsequent virt-manager connection is not lost if the user exits the initial SSH commandline session: The SSH shell session hangs and waits until the virt-manager connection is closed.

I have to further analyze security and other implications of this setup. Subsequent SSH sessions do not go through the PAM auth and session stack, for instance. Shell sessions show up in the output of "who", though.

But for the case of virt-manager, this indeed is a good workaround.

Perhaps virt-manager should use this feature only for its own SSH connections and not rely on the user's ssh config setup? Perhaps it could use the ssh commandline options "-M" and "-S" on the initial connection and "-S" on subsequent connections to the same VM host?

Anyway, SSH is a very powerful tool! It still amazes me after all these (almost 30) years I use it!

I didn't know this SSH feature. Thank you for sharing this idea!

- andreas

-- 
Andreas Haumer
*x Software + Systeme              | mailto:andr...@xss.co.at
Karmarschgasse 51/2/20             | https://www.xss.co.at/
A-1100 Vienna, Austria             | Tel: +43-1-6060114
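
The "-M" on the initial connection, "-S" on subsequent ones idea from the message above, sketched as an added shell example; it is not part of the original mail and not virt-manager code. `MUX_DIR` and the `mux_*` helper names are hypothetical. Because sessions over the control socket skip authentication, the sketch refuses to create the socket anywhere but a directory private to the user.

```shell
#!/bin/sh
# Added example (not virt-manager code). MUX_DIR and the mux_* helpers are
# hypothetical names; the host name is passed as the first argument.
MUX_DIR="${MUX_DIR:-$HOME/.cache/vm-mux}"

# True only if $1 is a real directory (not a symlink), owned by the current
# user, with mode 0700. Sessions opened through a control socket are not
# re-authenticated, so access to the socket must be limited to its owner.
mux_dir_is_private() {
    [ -d "$1" ] && [ ! -L "$1" ] || return 1
    [ -n "$(find "$1" -prune -type d -user "$(id -u)" -perm 700 -print 2>/dev/null)" ]
}

# Path of the control socket for one host.
mux_socket() {
    printf '%s/%s.sock\n' "$MUX_DIR" "$1"
}

# Initial connection: -M makes this process the master, -S names the socket.
# This is the only step that authenticates (key, TOTP, PAM stack).
mux_open() {
    mkdir -p "$MUX_DIR" && chmod 700 "$MUX_DIR" || return 1
    mux_dir_is_private "$MUX_DIR" || {
        echo "refusing to use $MUX_DIR: not private" >&2
        return 1
    }
    ssh -M -S "$(mux_socket "$1")" -o ControlPersist=no -N -f "$1"
}

# Subsequent connections: reuse the master via -S. Check first, so a missing
# master is an error instead of a second, separately authenticated login.
mux_run() {
    host=$1
    shift
    sock=$(mux_socket "$host")
    ssh -S "$sock" -O check "$host" 2>/dev/null || {
        echo "no master connection for $host" >&2
        return 1
    }
    ssh -S "$sock" -o ControlMaster=no "$host" "$@"
}

# Ask the master to exit; this also ends every session multiplexed over it.
mux_close() {
    ssh -S "$(mux_socket "$1")" -O exit "$1"
}
```

With a dedicated `-N` master the shared connection ends when `mux_close` is called, not when whichever session happened to connect first exits.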