Hello folks,

I for a number of years have had a reasonably complicated ssh config that heavily used ProxyJump. I noticed that this broke a while back, but only recently had the time to dig in and try and figure out what the cause was.

Basically I was using the fact that ProxyJump was turned into a ProxyCommand to inject some amount of shell scripting to template out the destination of my ProxyJump.

An example that shows the error is as follows:

```
Host ?m* ??m* ???m*
    ProxyJump $(echo %h|grep -oE '[0-9]+'|head -1).ssh.my.org
```

This would turn a command to ssh into `7m123` into `ssh -J 7.ssh.my.org 7m123`.

My bisecting leads me to believe that this change was part of dc72fd12af9d5398f4d9e159d671f9269c5b14d5.

Specifically with the addition of the following to the parse_jump function in readconf.c:

```
	/* Remove comment and trailing whitespace */
	if ((cp = strchr(orig, '#')) != NULL)
		*cp = '\0';
	rtrim(orig);
```

So the questions here are:

Was my abuse of the ProxyJump directive wrong

or

Should the parsing of the ProxyJump directive allow arbitrary content including spaces to be passed along?
I should have met this regression too.

I've just upgraded my workstation to Ubuntu 22.04, which brings openssh-client 8.9p1. Before, I used openssh 8.2p1.

ProxyJump ssh connections seem broken. For example:

```
host hudson
    Hostname hudson
    IdentityFile ~/.ssh/id_rsa

Host oca
    Hostname 172.21.249.237
    User flefebure
    IdentityFile ~/.ssh/dev0/id_rsa
    ProxyJump hudson
```

I can go to "hudson", but not "oca" (the second key is ignored and a password is required).

The same config with 8.2 and 8.6 is OK.
Sorry, inserting shell characters is well outside of how we intend ProxyJump to be used and I don't think we can offer any promises of stability for uses of shell inside ProxyJump. I recommend converting your rules to ProxyCommand, where such things are welcomed :)
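The ProxyCommand conversion recommended above, as an added example that is not part of the original thread and not OpenSSH's own code: a hypothetical helper script (called `~/bin/mjump` here) that derives the jump host from the target name and refuses names or ports containing unexpected characters before starting the nested ssh. The script name and the validation rules are assumptions; the host pattern and `ssh.my.org` come from the first comment.

```shell
#!/bin/sh
# Hypothetical helper, installed as ~/bin/mjump and referenced from ssh_config:
#
#   Host ?m* ??m* ???m*
#       ProxyCommand ~/bin/mjump %h %p
#
# ProxyCommand is run through the user's shell, so scripting is supported there.

# Print the jump host for a target, e.g. 7m123 -> 7.ssh.my.org.
# Returns non-zero for names with characters outside [A-Za-z0-9.-]
# or with no digits to template from.
jump_host_for() {
    case "$1" in
        ""|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    # First run of digits in the name, same pipeline as the original config.
    n=$(printf '%s\n' "$1" | grep -oE '[0-9]+' | head -1)
    [ -n "$n" ] || return 1
    printf '%s.ssh.my.org\n' "$n"
}

# Accept only a purely numeric port.
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
}

# Connect only when called as: mjump <target-host> <port>
if [ "$#" -eq 2 ]; then
    jump=$(jump_host_for "$1") || { echo "mjump: unsupported host: $1" >&2; exit 1; }
    valid_port "$2" || { echo "mjump: bad port: $2" >&2; exit 1; }
    # Equivalent of what ProxyJump sets up: forward stdio to the target via the jump host.
    exec ssh -W "$1:$2" "$jump"
fi
```

The validation here only covers what the script passes to the nested ssh; ssh itself substitutes `%h` into the ProxyCommand line before the shell runs it.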
wrt Franck's issue - could you please attach a debug trace of a failed connection to the bug? It's almost impossible to tell what is happening without it.
(In reply to Franck Lefebure from comment #1)
> I should have met this regression too

I just tried to reproduce this with -current (config adjusted to make local conditions):

```
IdentitiesOnly yes

host hudson
    Hostname 127.0.0.1
    IdentityFile ~/.ssh/id_rsa_hudson

Host oca
    Hostname 192.168.32.6
    User flefebure
    IdentityFile ~/.ssh/dev0/id_rsa_oca
    ProxyJump hudson
```

And it's trying the keys I would expect it to with that config:

```
$ ssh -F /tmp/config -v oca
[...]
debug1: /tmp/config line 3: Applying options for hudson
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/dtucker/.ssh/id_rsa_hudson type -1
[...]
debug1: Trying private key: /home/dtucker/.ssh/id_rsa_hudson
[...]
dtucker@127.0.0.1's password:
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "password".
[...]
debug1: Authenticating to 192.168.32.6:22 as 'flefebure'
debug1: Will attempt key: /home/dtucker/.ssh/dev0/id_rsa_oca explicit
```

Is there anything else in that config (eg Match Final)? Could you please attach a debug "(ssh -vvv oca)"?
Hi,

Sorry for the delay, was far away from my home workstation last week. The verbose session is as attachment.

I can see:

```
debug1: Offering public key: /home/flefebure/.ssh/dev0/id_rsa RSA SHA256:iZnWi8F27Erf3DjHdsFGZInHsNwj4ZecgP+N7+TOZr8 explicit agent^M
debug1: send_pubkey_test: no mutual signature algorithm^M
debug1: Next authentication method: keyboard-interactive^M
```

Probably not the same problem as kellenhfox@.. sorry
Created attachment 3595: debug proxy jump session
'PubkeyAcceptedKeyTypes +ssh-rsa' did the trick. Sorry, it was trivial. Sorry kellenhfox for the thread squatting..