Bug 3186 - ProxyJump should include IdentityFile when specified
Status: CLOSED WONTFIX
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.3p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Reported: 2020-06-24 10:40 AEST by David Tomaschik
Modified: 2021-04-23 15:01 AEST
Description David Tomaschik 2020-06-24 10:40:37 AEST
While ProxyJump (-J) is documented as not taking the configuration for the destination host (which makes sense for most things, like port forwarding, X11 forwarding, environment, etc.), it seems that it's not uncommon to want to use the same SSH key to authenticate to both hosts.  In such cases, passing -i on the command line fails as it's not used for authenticating to the jump host.

I believe that when -J and -i are both used on the command line, the provided identity file should also be attempted for the jump host, and there's little risk (aside from exposing the fingerprint of the additional public key to the intermediate host).
Comment 1 Damien Miller 2020-11-20 14:58:22 AEDT
The problem with adding additional implicitly-passed options for ProxyJump is that they preclude fine-grained control via the configuration (as command-line takes precedence).

So, e.g. for implicitly passing -i it would become impossible to prefer another key for the subsequent connection(s) regardless of what is in ~/.ssh/config.

Because of this, we prefer to pass only the bare minimum through the command-line and leave the rest up to user configs.
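
The per-host configuration that Comment 1 points to, sketched as a `~/.ssh/config` fragment. This is an added example, not part of the original bug thread or of the OpenSSH project's own documentation; the host aliases, addresses, user name and key paths are constructed placeholders.

```sshconfig
# ~/.ssh/config (constructed example; aliases, addresses and key paths are placeholders)

# The jump host gets its own block. ProxyJump connects to it through a
# separate ssh invocation that reads this file, so the IdentityFile set
# here is what authenticates the first hop, independent of -i on the
# command line.
Host jump
    HostName jump.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_jump
    # Offer only the key named above, so agent keys and default keys
    # are not presented to the intermediate host.
    IdentitiesOnly yes

# The destination names the jump host by alias and may use a different
# key, which is the fine-grained control Comment 1 wants to preserve.
Host target
    HostName 10.0.0.5
    User alice
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_target
    IdentitiesOnly yes

# To reuse one key on both hops (the reporter's use case), point both
# IdentityFile lines at the same file instead of passing -i.
```

Running `ssh -G jump` and `ssh -G target` prints the options ssh would apply to each hop, which confirms the intended IdentityFile is selected before connecting.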
Comment 2 Damien Miller 2021-04-23 15:01:00 AEST
closing resolved bugs as of 8.6p1 release