[svn.haxx.se] · SVN Dev · SVN Users · SVN Org · TSVN Dev · TSVN Users · Subclipse Dev · Subclipse Users · this month's index

ssh ControlMaster problem, workaround

From: Peter Samuelson <peter_at_p12n.org>
Date: Wed, 16 Jul 2008 19:52:03 -0500

In which Peter describes a problem and his workaround, and opens
discussion for a better solution.

Since OpenSSH 3.9 (late 2004), ssh can do connection multiplexing,
where a "master" ssh process opens a TCP/IP connection; any other ssh
processes that come along wanting to use the same {server, port,
username} tuple (I'll call this an "ssh route", to keep it simple)
automatically tunnel their traffic through the master connection, by
means of a Unix socket file.

This requires running an ssh "master" for that route, and one way to
create the master is with the config option "ControlMaster auto". This
stipulates that any ssh client process will look for a master for its
route, and if none exists, it _becomes_ a master.

Here is where Subversion comes in. If a user specifies "ControlMaster
auto", then runs a svn command that uses svn+ssh, that command may or
may not create an ssh master process with a tunnel to that server. If
it does, the same master will be killed by ra_svn a short time later,
thus killing any active tunnelled connections ... including a second
connection that was made by ra_svn itself!

The workaround is very simple, in .svn/config:

  [tunnels]
  ssh = $SVN_SSH ssh -o ControlMaster=no

Then ssh multiplexing is still used, but only if an ssh master process
already exists for the appropriate route. Sudden death for an ssh
client no longer matters.

This is in fact what I've recently done for the hard-coded default
.svn/config file for Debian [1], so in the future, Debian and Ubuntu
users are less likely to see the problem. However, I don't think it's
a reasonable fix for the real tree:

1) We don't have any other uncommented options in our default files.

2) Even though OpenSSH 3.9 is almost 4 years old, you never know if
   everyone has it. I suspect older OpenSSH would choke on the unknown
   option, but I haven't tested it.

Another approach would be for ra_svn to know about -o ControlMaster=no
magically, without a config file, but that is possibly even worse.
Comments are welcome. 

-- 
Peter Samuelson | org-tld!p12n!peter | http://p12n.org/
[1] svn://svn.debian.org/pkg-subversion/trunk/debian/patches/ssh-no-controlmaster

Received on 2008-07-17 02:52:23 CEST

This is an archived mail posted to the Subversion Dev mailing list.

This site is subject to the Apache Privacy Policy and the Apache Public Forum Archive Policy.