Bug 3334 - document `none` keyword for ProxyJump
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: Documentation
Version: 8.6p1
Hardware: Other All
Importance: P5 enhancement
Assignee: Assigned to nobody
Blocks: V_8_7
Reported: 2021-07-28 22:38 AEST by Christoph Anton Mitterer
Modified: 2022-02-25 13:57 AEDT
Description Christoph Anton Mitterer 2021-07-28 22:38:43 AEST
Hey.

I think ssh_config’s ProxyJump should also mention the apparently working `none` keyword (just like ProxyCommand).

This is needed to do things like:
Host login.example.org
   ProxyJump none

Host *.example.org
   ProxyJump login.example.org

to not end up in an endless loop.

Cheers,
Chris.
Comment 1 Darren Tucker 2021-08-06 15:08:00 AEST
(In reply to Christoph Anton Mitterer from comment #0)
> I think ssh_config’s ProxyJump should also mention the apparently
> working `none` keyword (just like ProxyCommand).

Yep, it's handled in parse_jump().  Added to man page.

> to not end up in an endless loop.

ssh will now detect trivial loops for you:

$ cat tmp 
Host *.example.org
   ProxyJump login.example.org
$ ./ssh -F tmp login.example.org
jumphost loop via login.example.org

You can still construct non-trivial ones though.

Thanks for the report.
Comment 2 Christoph Anton Mitterer 2021-08-07 02:53:23 AEST
> Host *.example.org
>    ProxyJump login.example.org
> 
> to not end up in an endless loop.


That should then also be documented... plus, more concretely, what's actually happening, like:

If one *just* has:

> Host *.example.org
>    ProxyJump login.example.org

=> it's clear... no recursion

but what about when one has:

> Host login.example.org
>    SomeOtherStuff
> Host *.example.org
>    ProxyJump login.example.org

In that case, would SomeOtherStuff still be loaded?
Or similarly if login.example.org had another ProxyJump to another host?
Comment 3 Darren Tucker 2021-08-07 06:31:16 AEST
(In reply to Christoph Anton Mitterer from comment #2)
[...]
> but what when one has:
> 
> > Host login.example.org
> >    SomeOtherStuff
> > Host *.example.org
> >    ProxyJump login.example.org
> 
> In that case, would SomeOtherStuff still be loaded?

Yes.  The parser is first-match for each keyword.  From ssh_config(5):

     For each parameter, the first obtained value will be used.  The
     configuration files contain sections separated by Host specifications,
     and that section is only applied for hosts that match one of the patterns
     given in the specification.  The matched host name is usually the one
     given on the command line (see the CanonicalizeHostname option for
     exceptions).

     Since the first obtained value for each parameter is used, more host-
     specific declarations should be given near the beginning of the file, and
     general defaults at the end.

> Or similarly if login.example.org had another ProxyJump to another
> host?

Then it'll get used. It'll only report a jumphost loop if the host, port and user all end up identical.
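
Added example, not part of the bug thread and not OpenSSH code: a simplified Python model of the first-match lookup quoted in comment 3, used to walk ProxyJump chains in a config and flag the non-trivial loops mentioned in comment 1. It assumes whitespace-separated options in plain `Host` blocks with single-hop, non-IPv6 ProxyJump values (no Match, Include or CanonicalizeHostname), and it compares hostnames only, so it flags more than ssh's own host/port/user check; `parse`, `matches`, `lookup` and `jump_chain` are hypothetical names.

```python
import fnmatch
# Constructed sample: the report's `none` override plus a two-host loop.
SAMPLE = """\
Host login.example.org
    ProxyJump none
Host a.internal
    ProxyJump b.internal
Host b.internal
    ProxyJump a.internal
Host *.example.org
    ProxyJump login.example.org
"""

def parse(text):
    """Return [(patterns, options)] in file order (Host blocks only)."""
    blocks = [(["*"], {})]  # options before the first Host apply to every host
    for raw in text.splitlines():
        key, value = (raw.strip().split(None, 1) + ["", ""])[:2]
        if not key or key.startswith("#"):
            continue
        if key.lower() == "host":
            blocks.append((value.lower().split(), {}))
        else:
            blocks[-1][1].setdefault(key.lower(), value)  # first value wins
    return blocks

def matches(host, patterns):
    """True if a positive pattern matches and no negated (!) pattern does."""
    hit = lambda ps: any(fnmatch.fnmatchcase(host.lower(), p) for p in ps)
    return (hit([p for p in patterns if not p.startswith("!")])
            and not hit([p[1:] for p in patterns if p.startswith("!")]))

def lookup(blocks, host, key):
    """First obtained value for key among blocks matching host, else None."""
    return next((o[key] for p, o in blocks if key in o and matches(host, p)), None)

def jump_chain(blocks, host):
    """Follow ProxyJump hop by hop; return (chain, looped)."""
    chain = [host]
    while True:
        jump = lookup(blocks, chain[-1], "proxyjump") or "none"
        if jump.lower() == "none":
            return chain, False
        chain.append(jump.split("@")[-1].split(":")[0])  # drop user@ and :port
        if chain[-1] in chain[:-1]:
            return chain, True

if __name__ == "__main__":
    print([jump_chain(parse(SAMPLE), t) for t in ("web.example.org", "a.internal")])
```

On a real system, `ssh -G <host>` prints the options ssh itself resolves for a host and is the authoritative check; the model above is only for reasoning about chains offline.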
Comment 4 Damien Miller 2022-02-25 13:57:15 AEDT
closing bugs resolved before openssh-8.9