Hey. I think ssh_config’s ProxyJump should also mention the apparently working `none` keyword (just like ProxyCommand). This is needed to do things like: Host login.example.org ProxyJump none Host *.example.org ProxyJump login.example.org to not end up in an endless loop. Cheers, Chris.
(In reply to Christoph Anton Mitterer from comment #0) > I think ssh_config’s ProxyJump should also mention the apparently > working `none` keyword (just like ProxyCommand). Yep, it's handled in parse_jump(). Added to man page. > to not end up in an endless loop. ssh will now detect trivial loops for you: $ cat tmp Host *.example.org ProxyJump login.example.org $ ./ssh -F tmp login.example.org jumphost loop via login.example.org You can still construct non-trivial ones though. Thanks for the report.
> Host *.example.org > ProxyJump login.example.org > > to not end up in an endless loop. That should then also be documented,... plus more concrete what's actually happening like: If one *just* have: > Host *.example.org > ProxyJump login.example.org => it's clear... no recursion but what when one has: > Host login.example.org > SomeOtherStuff > Host *.example.org > ProxyJump login.example.org In that case, would SomeOtherStuff still be loaded? Or similarly if login.example.org had another ProxyJump to another host?
(In reply to Christoph Anton Mitterer from comment #2) [...] > but what when one has: > > > Host login.example.org > > SomeOtherStuff > > Host *.example.org > > ProxyJump login.example.org > > In that case, would SomeOtherStuff still be loaded? Yes. The parser is first-match for each keyword. From ssh_config(5): For each parameter, the first obtained value will be used. The configuration files contain sections separated by Host specifications, and that section is only applied for hosts that match one of the patterns given in the specification. The matched host name is usually the one given on the command line (see the CanonicalizeHostname option for exceptions). Since the first obtained value for each parameter is used, more host- specific declarations should be given near the beginning of the file, and general defaults at the end. > Or similarly if login.example.org had another ProxyJump to another > host? Then it'll get used. It'll only report a jumphost loop if the host, port and user are all end up all identical.
closing bugs resolved before openssh-8.9