Version 7 of remote ssh tcl

Updated 2004-05-27 03:00:19 by CMCc

CMcC: Here are a couple of procs to feed tcl commands to a tclsh on another machine via ssh, and collect the result. Requires a recent tclsh8.4 with extended return and dict commands.

How it Works:

We use ssh to log into a remote machine as a remote user whose shell is tclsh. We then send a little command loop command to the remote tclsh, which catch/evals code sent to it via stdin (which is connected to the ssh write fd on the local machine.)

The result, with any errors, are strung together and outputted by remote on stdout, to be collected up on the ssh read fd on the local machine, and returned as if they were executed locally.

I'm concerned that the protocol breaks down if stdin is directly written to by the code sent to the remote, so that's a limitation. I am also concerned that if the remote's result contains special characters, they could interfere with the protocol ... any insights into that problem are welcome.

Security:

Caveat! This code enables anyone who can ssh connect to user@machine to run whatever code they like. Clearly this is not entirely safe, but it is no less safe than any ssh connection ... a safe interp version shouldn't be too hard to come up with, but is at the moment left as a future exercise.

Possible Extensions:

  • safe interp for the remote, using Safe to provide policy and such - main impediment being to correctly and flexibly implement policy setting at the remote end.
  • some protection against the puts stderr problem mentioned above.
  • asynchronous command execution - it's not too hard, actually, it only requires a sequence number to match requests and responses, and a fileevent-driven command interpreter.

The Code:

connect fred@host will connect as user fred on host host. Note that fred should be a user whose login shell is tclsh, and for whom login is not permitted (I know this sounds contradictory, but it works under unix.) The user running these procs has to have keys sufficient to log in without password and without passphrase.

    proc connect {where} {
        global ssh
        set ssh [open "|ssh $where" "r+"] ;# start up the remote shell, should be tclsh
        fconfigure $ssh -buffering line -blocking 1

        # set up a command loop which processes and returns our commands
        puts $ssh {
                fconfigure stdout -buffering line
                while {![eof stdin]} {
                    set cmd [gets stdin]
                    set code [catch $cmd result opt]
                    puts [string map [list \\ \\\\ \n \\n] $opt]
                    puts [string map [list \\ \\\\ \n \\n] $result]
                }
        }

        # return the ssh connection
        return $ssh
    }

remote passes the expression to the remote via ssh, and returns the result.

    proc remote {args} {
        global ssh

        # execute the command in the remote tclsh
        #puts stderr "CMD: $args"
        puts $ssh $args

        # get the error option dict
        set opt [string map [list \\n \n \\\\ \\] [gets $ssh]]
        #puts "OPT: $opt"

        # get the remote execution result
        set result [string map [list \\n \n \\\\ \\] [gets $ssh]]
        #puts "RESULT: $result"

        # return the result or error from the remote
        return -options [eval dict create $opt] $result
    }

This is just a little bit of test code. There's a problem with quoting, if someone can show me how to do it better, I'd be grateful.

    if {[info exists argv0] && ($argv0 == [info script])} {
        connect user@host
        puts [remote set mumble 100]
        puts [remote incr mumble]
        puts [remote set mumble]
        puts [remote return "Woo\\nWoo\\n"]
        puts [remote set blerf]        ;# expect an error here
        puts [remote set mumble]
    }