implementing eow@openssh.com

Catalin Patulea cat at
Thu Jul 25 09:21:43 WST 2013

eow@openssh.com is an extension that allows EPIPE to propagate through
SSH sessions. For example:
ssh localhost cat /dev/urandom | /bin/true
will very quickly exit because /bin/true does not consume its stdin.

The mechanism is:
- /bin/true calls exit(0), closing the last remaining ref to its stdin pipe
- ssh tries to write() and gets EPIPE
- ssh sends eow@openssh.com channel request to server
- sshd handles eow@openssh.com by closing read side of its pipe
- 'cat /etc/urandom' itself tries to write(), sees EPIPE and is killed

dropbear doesn't implement this, so
./dbclient localhost cat /dev/urandom | /bin/true
runs forever.

eow@openssh.com is specified here:;content-type=text/plain
(section 2.1)

I have a draft implementation of this in dropbear (attached), but
there is one significant issue:

In cli-session.c, stdin, stdout and stderr are dup()'ed in order to be
able to restore file flags at the end of the session. This means that
if the client gets eow@openssh.com from the server and close(0), this
is actually not the last outstanding ref to the pipe. There's still an
fd 4 or so, which means the writer actually doesn't see EPIPE. So a
case like this is still broken:
<producer> | ./dbclient <host> <remote command that closes stdin>

On my ubuntu dev machine I could just comment the dup()/flags hack
out, which made this work. But I'm not sure whether this is really
still needed at all.

What is the history behind this? The comment says:
/* We store std{in,out,err}'s flags, so we can set them back on exit
 * (otherwise busybox's ash isn't happy */

but that's not much detail and I'm not sure if it's really still needed.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: dropbear-eow.patch
Type: application/octet-stream
Size: 6460 bytes
Desc: not available
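
The dup() problem described in the message, reduced to a stand-alone program. This is an added example, not part of the original post and not dropbear code; the function names are hypothetical, and SIGPIPE is ignored here only so that write() reports EPIPE as a return value instead of killing the process.

```c
#include <errno.h>
#include <signal.h>
#include <stdio.h>
#include <unistd.h>

/* Write one byte to fd; return 0 on success or the errno value on failure. */
static int try_write(int fd)
{
    char byte = 'x';
    return write(fd, &byte, 1) == 1 ? 0 : errno;
}

/*
 * Model the reader side of "<producer> | <ssh client>".
 * keep_saved_dup != 0 mimics a client that dup()'ed its stdin at startup
 * (to restore file flags on exit) and still holds that copy when it closes
 * the original descriptor in response to the end-of-write request.
 * Returns what the producer's next write() reports: 0 or an errno value.
 */
int producer_write_result(int keep_saved_dup)
{
    int p[2], saved, result;

    signal(SIGPIPE, SIG_IGN);      /* observe EPIPE instead of being killed */
    if (pipe(p) != 0)
        return errno;
    saved = dup(p[0]);             /* second reference to the read end */
    if (saved < 0)
        return errno;

    close(p[0]);                   /* the close(0) performed on end-of-write */
    if (!keep_saved_dup)
        close(saved);              /* now the last read reference is gone */

    result = try_write(p[1]);      /* producer keeps writing */

    if (keep_saved_dup)
        close(saved);
    close(p[1]);
    return result;
}

int main(void)
{
    printf("saved dup still open: write -> %d\n", producer_write_result(1));
    printf("saved dup closed:     write -> %d (EPIPE is %d)\n",
           producer_write_result(0), EPIPE);
    return 0;
}
```

With the saved descriptor still open the write succeeds, so the producer never learns that the reader has gone away; only when every copy of the read end is closed does it see EPIPE.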