Bug 3423

Summary:

Regression in ProxyJump functionality since 8.7p1

Product:

Portable OpenSSH

Reporter:

kellenhfox

Component:

ssh

Assignee:

Assigned to nobody <unassigned-bugs>

Status:

NEW ---

Severity:

minor

CC:

djm, dtucker, franck.lefebure, kellenhfox

Priority:

Version:

8.9p1

Hardware:

amd64

OS:

Linux

Attachments:

Description	Flags
debug proxy jum session	none

Description kellenhfox 2022-04-15 05:40:52 AEST

Hello folks,

I for a number of years have had a reasonably complicated ssh config that heavily used ProxyJump. I noticed that this broke a while back, but only recently had the time to dig in and try and figure out what the cause was.

Basically I was using the fact that ProxyJump was turned into a ProxyCommand to inject some amount of shell scripting to template out the destination of my ProxyJump

An example that shows the error is as follows

```
Host ?m* ??m* ???m*
  ProxyJump $(echo %h|grep -oE '[0-9]+'|head -1).ssh.my.org
```

This would turn a command to ssh into `7m123` into `ssh -J 7.ssh.my.org 7m123`

My bisecting leads me to believe that this change was part of dc72fd12af9d5398f4d9e159d671f9269c5b14d5

Specifically with the addition of the following to the parse_jump function in readconf.c

```
	/* Remove comment and trailing whitespace */
	if ((cp = strchr(orig, '#')) != NULL)
		*cp = '\0';
	rtrim(orig);
```

So questions here is: Was my abuse of the ProxyJump directive wrong or Should the parsing of the ProxyJump directive allow arbitrary content including spaces to be passed along?

Comment 1 Franck Lefebure 2022-05-21 08:33:56 AEST

I should have met this regression too

I've juste upgreaded my workstation to Ubuntu 22.04 which brings openssh-client 8.9p1
Before I used openssh 8.2p1
Proxyjumps ssh connections seem broken.
For exemple :

host hudson
  Hostname hudson
  IdentityFile ~/.ssh/id_rsa

Host oca
  Hostname 172.21.249.237
  User flefebure
  IdentityFile ~/.ssh/dev0/id_rsa
  ProxyJump hudson


I can go to "hudson", but not "oca" (the second key is ignored and a password is required)
Same config with 8.2 and 8.6 is ok

Comment 2 Damien Miller 2022-05-23 15:19:04 AEST

Sorry, inserting shell characters is well outside of how we intend ProxyJump to be used and I don't think we can offer any promises of stability for uses of shell inside ProxyJump.

I recommend converting your rules to ProxyCommand, where such things are welcomed :)

Comment 3 Damien Miller 2022-05-23 15:20:09 AEST

wrt Franck's issue - could you please attach a debug trace of a failed connection to the bug? It's almost impossible to tell what is happening without it.

Comment 4 Darren Tucker 2022-05-27 14:11:10 AEST

(In reply to Franck Lefebure from comment #1)
> I should have met this regression too

I just tried to reproduce this with -current (config adjusted to make local conditions):

IdentitiesOnly yes

host hudson
  Hostname 127.0.0.1
  IdentityFile ~/.ssh/id_rsa_hudson

Host oca
  Hostname 192.168.32.6
  User flefebure
  IdentityFile ~/.ssh/dev0/id_rsa_oca
  ProxyJump hudson

And it's trying the keys I would expect it to with that config:

$ ssh -F /tmp/config -v oca
[...]
debug1: /tmp/config line 3: Applying options for hudson
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/dtucker/.ssh/id_rsa_hudson type -1
[...]
debug1: Trying private key: /home/dtucker/.ssh/id_rsa_hudson
[...]
dtucker@127.0.0.1's password: 
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "password".
[...]
debug1: Authenticating to 192.168.32.6:22 as 'flefebure'
debug1: Will attempt key: /home/dtucker/.ssh/dev0/id_rsa_oca  explicit

Is there anything else in that config (eg Match Final)?  Could you please attach a debug "(ssh -vvv oca)"?

Comment 5 Franck Lefebure 2022-05-30 00:45:19 AEST

Hi,
Sorry for the delay, was far away from my home workstation last week.
The verbose session is as attachment.
I can see :

debug1: Offering public key: /home/flefebure/.ssh/dev0/id_rsa RSA SHA256:iZnWi8F27Erf3DjHdsFGZInHsNwj4ZecgP+N7+TOZr8 explicit agent^M
debug1: send_pubkey_test: no mutual signature algorithm^M
debug1: Next authentication method: keyboard-interactive^M

Probably not the same problem as kellenhfox@.. sorry

Comment 6 Franck Lefebure 2022-05-30 00:46:17 AEST

Created attachment 3595 [details]
debug proxy jum session

Comment 7 Franck Lefebure 2022-05-30 00:58:27 AEST

'PubkeyAcceptedKeyTypes +ssh-rsa' did the trick.
Sorry, it was trivial.
Sorry kellenhfox for the thread squatting..