Mailing List Archive

[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

kellenhfox@gmail.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |kellenhfox@gmail.com

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Franck Lefebure <franck.lefebure@gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |franck.lefebure@gmail.com

--- Comment #1 from Franck Lefebure <franck.lefebure@gmail.com> ---
I should have met this regression too

I've juste upgreaded my workstation to Ubuntu 22.04 which brings
openssh-client 8.9p1
Before I used openssh 8.2p1
Proxyjumps ssh connections seem broken.
For exemple :

host hudson
Hostname hudson
IdentityFile ~/.ssh/id_rsa

Host oca
Hostname 172.21.249.237
User flefebure
IdentityFile ~/.ssh/dev0/id_rsa
ProxyJump hudson


I can go to "hudson", but not "oca" (the second key is ignored and a
password is required)
Same config with 8.2 and 8.6 is ok

--
You are receiving this mail because:
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Damien Miller <djm@mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |djm@mindrot.org

--- Comment #2 from Damien Miller <djm@mindrot.org> ---
Sorry, inserting shell characters is well outside of how we intend
ProxyJump to be used and I don't think we can offer any promises of
stability for uses of shell inside ProxyJump.

I recommend converting your rules to ProxyCommand, where such things
are welcomed :)

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #3 from Damien Miller <djm@mindrot.org> ---
wrt Franck's issue - could you please attach a debug trace of a failed
connection to the bug? It's almost impossible to tell what is happening
without it.

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Darren Tucker <dtucker@dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker@dtucker.net

--- Comment #4 from Darren Tucker <dtucker@dtucker.net> ---
(In reply to Franck Lefebure from comment #1)
> I should have met this regression too

I just tried to reproduce this with -current (config adjusted to make
local conditions):

IdentitiesOnly yes

host hudson
Hostname 127.0.0.1
IdentityFile ~/.ssh/id_rsa_hudson

Host oca
Hostname 192.168.32.6
User flefebure
IdentityFile ~/.ssh/dev0/id_rsa_oca
ProxyJump hudson

And it's trying the keys I would expect it to with that config:

$ ssh -F /tmp/config -v oca
[...]
debug1: /tmp/config line 3: Applying options for hudson
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/dtucker/.ssh/id_rsa_hudson type -1
[...]
debug1: Trying private key: /home/dtucker/.ssh/id_rsa_hudson
[...]
dtucker@127.0.0.1's password:
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "password".
[...]
debug1: Authenticating to 192.168.32.6:22 as 'flefebure'
debug1: Will attempt key: /home/dtucker/.ssh/dev0/id_rsa_oca explicit

Is there anything else in that config (eg Match Final)? Could you
please attach a debug "(ssh -vvv oca)"?

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #5 from Franck Lefebure <franck.lefebure@gmail.com> ---
Hi,
Sorry for the delay, was far away from my home workstation last week.
The verbose session is as attachment.
I can see :

debug1: Offering public key: /home/flefebure/.ssh/dev0/id_rsa RSA
SHA256:iZnWi8F27Erf3DjHdsFGZInHsNwj4ZecgP+N7+TOZr8 explicit agent^M
debug1: send_pubkey_test: no mutual signature algorithm^M
debug1: Next authentication method: keyboard-interactive^M

Probably not the same problem as kellenhfox@.. sorry

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #6 from Franck Lefebure <franck.lefebure@gmail.com> ---
Created attachment 3595
--> https://bugzilla.mindrot.org/attachment.cgi?id=3595&action=edit
debug proxy jum session

--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs
[Bug 3423] Regression in ProxyJump functionality since 8.7p1 [ In reply to ]
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #7 from Franck Lefebure <franck.lefebure@gmail.com> ---
'PubkeyAcceptedKeyTypes +ssh-rsa' did the trick.
Sorry, it was trivial.
Sorry kellenhfox for the thread squatting..

--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
_______________________________________________
openssh-bugs mailing list
openssh-bugs@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-bugs