Prevent usage of SSH persistent connections #160
Deployment sometimes gets stuck on "Pushed system closure" if an SSH control master already exists for the connection to make. This is more like a bug in the nix SSH implementation which is usually mitigated by setting these options in `NIX_SSHOPTS`.
I too ran into 'Deployment sometimes get stuck on "Pushed system closure"' an awful lot and as a short-term measure simply removed persistent connections from my ssh config.
I'm getting the issues too, but since many of my systems use Security Key based pubkey auth, the ControlMaster feature is super helpful for not pressing my Yubikey constantly. But I do run into the reported issue too. I have not tested/tuned this, but from past experience the SSH default config is rather bad at detecting connections that got closed on the server side by a reboot.
@@ -345,6 +345,8 @@ impl Ssh { | |||
"-o", | |||
"BatchMode=yes", | |||
"-T", | |||
"-o", "ControlMaster=no", | |||
"-o", "ControlPath=/var/empty/non-existant", |
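Review bot: In the second added line, `ControlPath=/var/empty/non-existant` turns multiplexing off only because that path happens not to exist, and "non-existant" is misspelled. ssh_config documents `ControlPath=none` as the explicit way to disable connection sharing, so prefer `"-o", "ControlPath=none"`. With `ControlMaster=no` a client still attaches to a master socket it finds at ControlPath, so this second option is the one that actually prevents reuse and deserves a short code comment saying so. The two new lines also put the flag and its value on one line, while the neighbouring `"-o",` and `"BatchMode=yes",` entries are one per line; match that layout.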
Why do you bother setting `ControlPath`? If `ControlMaster` is `no`, `ssh` won't even look at `ControlPath`.
Is this related? I thought colmena hasn't implemented session reuse. Ah nvm, it is nix ssh implementation details.