Bug 3186

Summary: ProxyJump should include IdentityFile when specified
Product: Portable OpenSSH
Reporter: David Tomaschik <david>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX
Severity: enhancement
CC: djm
Priority: P5
Version: 8.3p1
Hardware: Other
OS: Linux

Description David Tomaschik 2020-06-24 10:40:37 AEST
While ProxyJump (-J) is documented as not taking the configuration for the destination host (which makes sense for most things, like port forwarding, X11 forwarding, environment, etc.), it seems that it's not uncommon to want to use the same SSH key to authenticate to both hosts.  In such cases, passing -i on the command line fails as it's not used for authenticating to the jump host.

I believe that when -J and -i are both used on the command line, the provided identity file should also be attempted for the jump host, and there's little risk (aside from exposing the fingerprint of the additional public key to the intermediate host).
Comment 1 Damien Miller 2020-11-20 14:58:22 AEDT
The problem with adding additional implicitly-passed options for ProxyJump is that they preclude fine-grained control via the configuration (as command-line takes precedence).

So, e.g. for implicitly passing -i it would become impossible to prefer another key for the subsequent connection(s), regardless of what is in ~/.ssh/config.

Because of this, we prefer to pass only the bare minimum through the command-line and leave the rest up to user configs.
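As an added illustration of the configuration-driven approach described in Comment 1 (this snippet is not part of the bug report or of OpenSSH itself; the hostnames and key paths are assumptions chosen for the example), the following ~/.ssh/config gives the jump host and the destination each their own key, which is exactly the per-hop control that an implicitly forwarded -i would override:

```sshconfig
# Added example ssh_config, not from the bug report.
# Hostnames and key paths are assumptions for illustration.

# The jump host authenticates with its own key only.
Host bastion.example.com
    IdentityFile ~/.ssh/id_bastion
    # Offer only the configured key, so no other public keys
    # (and their fingerprints) are presented to the intermediate host.
    IdentitiesOnly yes

# The destination is reached through the jump host and uses a different key.
Host internal.example.com
    ProxyJump bastion.example.com
    IdentityFile ~/.ssh/id_internal
    IdentitiesOnly yes
```

With this in place, `ssh internal.example.com` needs no -i or -J on the command line, so the per-host settings in the config are not overridden. `ssh -G internal.example.com` prints the effective configuration for the destination (showing the IdentityFile and ProxyJump values that will be used), and `ssh -v internal.example.com` reports which identity each hop actually offered.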
Comment 2 Damien Miller 2021-04-23 15:01:00 AEST
closing resolved bugs as of 8.6p1 release