Mostly unknown OpenSSH tricks

I’m not really keen on writing “tricks” kind of posts, especially for software as widely known as OpenSSH, but this stuff tends to be quite intriguing now – to me at least – and I think most people wouldn’t know about it.

If you’ve used cvs, svn or other SSH-connected services in the recent past you probably know that one of the most time-wasting tasks for these systems is establishing the ssh session itself. Thankfully, quite a bit of time ago, OpenSSH introduced the “master” connection feature: the first ssh connection you open to a host (with a given username) creates a Unix socket, which the following sessions use instead of opening a new connection. This was really a godsend when committing a huge number of packages more or less at the same time, back when I was still in the KDE team.

Unfortunately, this still required the first connection to be a persistent one; to solve that, I used to start a screen session that opened a few ssh connections, after asking me for the key passphrase. This wasn’t nice on the system or on security, among other things. But fear not, OpenSSH 5.6 brought magic into the mix!

The new ControlPersist option allows the master connection to be created in a detached SSH process when first connecting to a box, so there is no need to keep processes around in advance. Basically all you have to do to make use of master connections now is something like this in your ~/.ssh/config:

Host *
ControlMaster auto
# the master connection needs a socket path; without ControlPath nothing is shared
ControlPath ~/.ssh/master-%r@%h:%p
ControlPersist yes

and you’re set: ssh takes care of creating the first master connection if it’s not present, and of deleting and recreating it if it’s dropped for whatever reason; you can otherwise force the master connection to be closed with ssh $host -O exit. Lovely!

There is one more trick I wish to share, although this time around I’m not sure which OpenSSH version introduced it. From time to time you may need to connect to a box behind a not-too-hostile firewall that you also have access to. This is the case at a customer of mine where only the main router has a (dynamic) IPv6 address and I have to go through that to connect to the other boxes. The usual trick in such a situation is to use the ProxyCommand option, with ssh and nc (or in my case nc6) to get a raw connection to the other side. I was always a bit bothered by having to do it this way, to be honest. Once again, recent versions of OpenSSH solve the problem with the -W option:

# "router" stands in for the firewall box; its block must come before "Host *",
# since ssh keeps the first value it finds for each option
Host router
ProxyCommand none

Host *
ProxyCommand ssh -W %h:%p router

With this method, the ssh on my customer’s router takes care of connecting to the box further down the net and relays that connection over its own input/output streams, without a nc process being spawned. While this doesn’t look like a biggie, it’s still one less package I have to keep installed on the system, among other things.
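To make the ordering point concrete, here is a small added resolver (not part of the original post, and not OpenSSH’s own code) that computes a host’s effective options the way ssh(1) does, first value wins, and expands the %h/%p/%r tokens; the config text, the "router" name and the user name are constructed placeholders.

```python
import fnmatch

# Constructed ssh_config in the shape the post describes ("router" is a
# placeholder for the customer's router): the router is reached directly,
# everything else is proxied through it with ssh -W. ssh keeps the FIRST
# value obtained for each option, so the router's "ProxyCommand none"
# must come before the "Host *" block.
CONFIG = """
Host router
    ProxyCommand none

Host *
    ControlMaster auto
    ControlPath ~/.ssh/master-%r@%h:%p
    ControlPersist yes
    ProxyCommand ssh -W %h:%p router
"""


def resolve(config, host, user="flame", port=22):
    """Effective options for `host`, computed the way ssh(1) does: walk the
    file top to bottom, apply Host blocks whose pattern matches (simplified:
    only '*' and '?' wildcards, no '!' negation or Match blocks), keep the
    first value seen per keyword, then expand %h/%p/%r where ssh does."""
    opts = {}
    active = True  # options before any Host line apply to every host
    for raw in config.splitlines():
        parts = raw.strip().split(None, 1)
        if not parts or parts[0].startswith("#"):
            continue
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            active = any(fnmatch.fnmatchcase(host, p) for p in value.split())
        elif active and key not in opts:
            opts[key] = value
    tokens = {"%h": host, "%p": str(port), "%r": user}
    for key in ("proxycommand", "controlpath"):
        if key in opts:
            for tok, val in tokens.items():
                opts[key] = opts[key].replace(tok, val)
    return opts


def proxies_through_itself(config, jump):
    """True when ssh'ing to the jump host would itself run 'ssh -W ... jump':
    the blocks are in the wrong order and the config recurses forever."""
    pc = resolve(config, jump).get("proxycommand", "none")
    return pc != "none" and pc.split()[-1] == jump
```

Swapping the two Host blocks makes proxies_through_itself return True, which is exactly the mistake the explicit ProxyCommand none for the router guards against.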

Working under Windows, my personal hell

If I am to go to hell, I know already what it will look like: no Linux, no Mac OS X or any other Unix. Just Windows and (maybe) OS/2. And I’m still a programmer. And a system administrator at the same time.

It so happens that my current job requires me to work under Windows, to develop software, well, for Windows. For a series of reasons that I don’t want to start explaining here, I decided to go with Borland, sorry, CodeGear C++ Builder as IDE rather than Microsoft’s or Qt. The main problem is that the software has to be redistributed as proprietary, and cannot rely on things like the .NET framework (otherwise I could easily have completed it already using Visual C# Express).

I have to admit I find myself way more comfortable with Borland, sorry, CodeGear than with Microsoft’s sorta-C++ environment, mostly because I learnt real programming with BCB 3 (I had a “personal” license that came for free with an old magazine years ago). I don’t really like much of the direction CodeGear has taken, but at least I can work with it without going crazy, which is decent anyway.

What is the problem? Well, I didn’t have a Windows installation for about five years, and my last Windows license was for Windows 95; I had to buy a Windows XP license (and it still costs €400 even though it was released more than five years ago by now), and a license of CodeGear C++ Builder (the electronic copy costs €100 less, but it still costs almost one grand). Then I had to get used again to working with VCL.

Not a big deal, mind you, but it reminds me why I like Qt, GCC and Emacs so much. Sure, I could use these three on Windows, but not for what I need to do :/

On the other hand, I was able to use a piece of free software to save some of my time: rather than using the XML Writer interface exported by MS XML services, I built libxml2 (which strangely enough supports the Borland compiler natively) and used that; it features a very similar interface, but a way nicer one. The XPath interface is a bit messy (I was unable to find a way to execute recursive XPaths, that is, after finding a node through XPath I couldn’t find how to run a second XPath relative to that node, so I had to complete the task with sequential access; if anybody knows how to do that I’d be glad to know). I sincerely think libxml2 could use some better API documentation; if I have more time I’ll gladly see to writing it.

But it doesn’t end here. I decided that running the virtual machine on a virtual disk on the laptop was too slow, so I decided to use Boot Camp to install on the real disk and use that through Parallels. Reinstalling everything is a pain, especially when Windows seems to require ten runs of Windows Update to get the updates right. And users complain about having to use --resume --skipfirst with Gentoo from time to time ;)

Right now I am still storing my work data on a virtual hard drive, as I couldn’t spare enough space on the real disk for Windows, and of course Windows does not support the GPT partition scheme I use on the external FireWire drive. It’s frustrating that I can share that disk just fine between Linux and OS X but I’d need another hard drive to share data with Windows. I suppose I should write that off for the future.

Using Parallels’ shared folder feature, by the way, seems to be quite impossible with development environments: .NET based stuff won’t run the applications with full privileges because they are seen as coming through the network; CodeGear RAD Studio tries to validate the hostname (.PSF) and, as it is invalid, fails to open any file that resides on it (unless you map it to a network drive); and the Borland Incremental Linker (ilink32) fails because Parallels uses case-sensitive lookup for files, while ilink32 looks for all-caps filenames (MainUnit.cpp becomes MainUnit.obj, but the linker looks for MAINUNIT.OBJ).

I should probably put the Subversion repository for my work on Enterprise, but I don’t want to access it through SSH as it would mean adding a private key able to access Enterprise to Windows…

I sincerely hope my next jobs will stay under Linux for a while, after these two are done :)

Unieject moves to GIT

It’s not like I love GIT unconditionally; I think Mike has quite a point about it. But it makes handling repositories way easier than Mercurial does. So I am using it for almost all the projects I maintain alone.

Unieject up to now was still using Subversion; the problem was that git-svn didn’t grasp a rename I made during the early life of the project, when I imported the local Subversion repository to Berlios.

Today, after I couldn’t commit to SourceForge because my password expired (is this something new?) I tried git-svn again and… it worked! It imported the repository correctly. After a bit of fiddling to replace the tag branches with actual tags, I was able to get my new repository online on the server.

I’ve now disabled SourceForge’s SVN for Unieject, the code can be found at

I’m now debating with myself whether to resume work on gitarella or abandon it for cgit… the problem is that I’d have to prepare an ebuild for cgit at least, and I never tried to understand how to make an ebuild for a webapp. If somebody from the webapp team can give me some of his time to either teach me how to make an ebuild for cgit, or directly create one, I’d be quite happy :)