Received this patch from Philip Marek.
This can be applied once tested, and since I have no need for it, no rush to test it. Feel free to test and provide a +1 and I'll apply it.
If I read the patch correctly this effectively does:

    ssh -T host1 ssh -T host2 ... ssh -T hostN xpra_proxy ...

This is not very secure. It lets hosts 1 .. (N-1) see your traffic and your passwords (if you use password authentication). My ~/.ssh/config has

    Host host2
        ProxyCommand ssh host1 netcat %h %p

which allows me to simply do "ssh host2". In this setup host1 will only see encrypted traffic.
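The ProxyCommand setup from the comment above, generalised from two hosts to a chain of N hops, as an added example that is not part of the original ticket or of xpra. The host names and the `proxy_chain_config` and `valid_host` helpers are hypothetical.

```shell
#!/bin/sh
# Added example: emit ssh_config stanzas for a chain of jump hosts.
# Each hop is reached through the previous one with ProxyCommand, so an
# intermediate host only relays the encrypted stream for the next hop
# instead of terminating the session as in "ssh host1 ssh host2 ...".
# Host names are placeholders; netcat is the relay used on this page.

# Accept only plain host names, so a name can neither be parsed as an ssh
# option (leading "-") nor add extra words to the ProxyCommand line.
valid_host() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# proxy_chain_config host1 host2 ... hostN
# host1 is reached directly; hostK (K > 1) is reached via host(K-1).
# Nothing is printed unless every name passes validation.
proxy_chain_config() {
    prev=
    for h in "$@"; do
        valid_host "$h" || { echo "invalid host name: $h" >&2; return 1; }
    done
    for h in "$@"; do
        if [ -n "$prev" ]; then
            printf 'Host %s\n    ProxyCommand ssh %s netcat %%h %%p\n' "$h" "$prev"
        fi
        prev=$h
    done
}

# Three hops: review the output before adding it to ~/.ssh/config.
proxy_chain_config host1 host2 host3
```

With these stanzas in place, "ssh host3" resolves the chain recursively: the connection to host2 that carries it is itself opened through host1.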
In principle, I am not necessarily against giving the ability to do dangerous things; in this case you would have to be using password authentication via an "untrusted" box: the attacker on that box would still need to be root - or at least the same uid? - to eavesdrop on the ssh pty used for sending the password.
It is a risk and a sub-optimal way of doing things, but as long as this is made clear to the user and does not break anything for anyone else (or endanger them in any way), I think this can be applied. But before that, it would require man page amendments...
Comments?
I think that doing this the secure way is almost as easy as the proposed patch.
Being able to specify a string of -o 'ProxyCommand %s'
would definitely be much more useful because you could also enable sending stuff over corporate HTTP proxies and the like - not to mention safer in the naive ssh use case because of the issue that lindi described.
Thought about it some more, I don't think that this belongs in xpra (similar reason to #111).
this ticket has been moved to: https://github.com/Xpra-org/xpra/issues/17