| 22 Apr 2025 |
 aloisw | I don't doubt your thing works by accident as long as the command is not too weird. | 16:59:35 |
 helle (just a stray cat girl) | let me actually test it with our test shell set to nu, we couldn't so far | 17:00:16 |
| helle (just a stray cat girl) | In reply to @aloisw:julia0815.de
I don't doubt your thing works by accident as long as the command is not too weird. it may be getting expanded one layer earlier..... | 17:00:30 |
| helle (just a stray cat girl) | which would be bad | 17:00:35 |
| helle (just a stray cat girl) | and is one of the reasons why openssh should not be using the shell for this | 17:00:55 |
| aloisw | ForceCommand
Forces the execution of the command specified by ForceCommand,
ignoring any command supplied by the client and ~/.ssh/rc if
present. The command is invoked by using the user's login shell
with the -c option. This applies to shell, command, or
subsystem execution. It is most useful inside a Match block.
The command originally supplied by the client is available in
the SSH_ORIGINAL_COMMAND environment variable. Specifying a
command of internal-sftp will force the use of an in-process
SFTP server that requires no support files when used with
ChrootDirectory. The default is none.
| 17:06:08 |
| aloisw | "The command is invoked by using the user's login shell with the -c option" sounds like it will break with shells that are non-POSIX enough (at latest when quoting goes wrong). | 17:06:48 |
 K900 | Yep | 17:09:12 |
| helle (just a stray cat girl) | though just tested it with nushell and that particular case does work | 17:09:17 |
| aloisw | The semicolon one with very simple commands on both sides? That's expected. | 17:10:09 |
| helle (just a stray cat girl) | no, actual nix store ping ssh://testuser@[::1] | 17:10:34 |
| aloisw | I mean the command that gets finally passed to ssh. | 17:11:07 |
| aloisw | That's basically echo started; nix-daemon --stdio right? | 17:12:37 |
| helle (just a stray cat girl) | hope so | 17:13:08 |
| helle (just a stray cat girl) | but will check the levels of unwrapping happening, because lol shells | 17:13:28 |
| helle (just a stray cat girl) | (and probably will apply this cursed knowledge to fix another unrelated project idea we had) | 17:14:07 |
| helle (just a stray cat girl) | oh, given all that, it should actually be possible to write this as /bin/sh -c 'exec ${SSH_ORIGINAL_COMMAND=${SHELL}}' | 17:20:43 |
| aloisw | aloisw@exodus ~/V/l/main (main)> strace -f --seccomp-bpf -eexecve build/lix/nix/nix store ping --store ssh-ng://aloisw@exodus.home.arpa
[…]
[pid 124773] execve("/home/aloisw/.local/state/nix/profile/bin/ssh", ["ssh", "aloisw@exodus.home.arpa", "-x", "echo started; nix-daemon --stdio"], 0x7ffe59a59078 /* 171 vars */) = 0
[…]
| 17:23:00 |
| aloisw | The command is literally what I wrote above lol. | 17:23:10 |
| helle (just a stray cat girl) | sorry for missing it | 17:24:12 |
| helle (just a stray cat girl) | we dropped into the original discussion late | 17:24:19 |
| aloisw | In reply to @aloisw:julia0815.de
That's basically echo started; nix-daemon --stdio right? I mean the cited post, you didn't miss anything, I just didn't expect it to be completely correct. | 17:29:53 |
| aloisw | But yes nushell escaping is probably POSIX enough to be able to handle that properly with -c. | 17:30:25 |
| helle (just a stray cat girl) | yeah, that is a thing we checked | 17:32:19 |
| helle (just a stray cat girl) | sorry if that wasn't clear | 17:32:48 |
| helle (just a stray cat girl) | nushell does implement -c and does implement basic quoting, so this would work | 17:33:14 |
| helle (just a stray cat girl) | if the shell is even less posix | 17:33:21 |
| helle (just a stray cat girl) | then yes, all is lost | 17:33:26 |
| aloisw | No it was very clear what you checked works, I just wanted to dig deeper into the rabbit hole why it works. | 17:33:36 |
| helle (just a stray cat girl) | we really still want a better version of Subsystem (and Match for Subsystem) and related, ForceCommand, both of which in a way that should not rely on the user's shell......, technically some alternative ssh implementations have these, but eeeeh, openssh is the most audited | 17:35:06 |
