Bug 3000

Summary: Redirect of ProxyCommands' stderr to /dev/null hides useful information
Product: Portable OpenSSH
Reporter: Jérémie Roquet <jroquet>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: NEW
Severity: minor    
Priority: P5    
Version: 8.0p1   
Hardware: amd64   
OS: Linux   

Description Jérémie Roquet 2019-04-30 00:31:46 AEST
Hi,

8.0p1 introduces that change (from the release notes¹):

 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
   started with ControlPersist; prevents random ProxyCommand output
   from interfering with session output.

I'm sure there are very good reasons to do that; however, it has the annoying side effect of hiding information that may otherwise be useful.

Having updated yesterday, I've been missing two things already:
 - the output generated by SSH's own VisualHostKey, which is printed to stderr;
 - the instructions sent on stderr by some SSH bastion I've no control over, about how to use its proprietary 2FA (namely RSA SecurID).

I could probably live without the former (that's just a handy visual clue I'm accustomed to), but I'm kind of lost without the latter, because there's nothing standard in how that bastion expects me to reply to the password prompt.

I can see plenty of other cases where stderr could be important for ProxyCommands, starting with actual error messages one would expect to find here.

Is there some subtlety I've missed here? Or any way to prevent stderr from being hidden? I guess I could redirect it to stdout right in the ProxyCommand, but that seems a bit “hacky”…

Thanks!

¹ https://www.openssh.com/releasenotes.html