bugzilla-daemon at mindrot.org
2022-Apr-14 19:40 UTC
[Bug 3423] New: Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Bug ID: 3423
Summary: Regression in ProxyJump functionality since 8.7p1
Product: Portable OpenSSH
Version: 8.9p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: kellenhfox at gmail.com

Hello folks,

I for a number of years have had a reasonably complicated ssh config that heavily used ProxyJump. I noticed that this broke a while back, but only recently had the time to dig in and try and figure out what the cause was.

Basically I was using the fact that ProxyJump was turned into a ProxyCommand to inject some amount of shell scripting to template out the destination of my ProxyJump.

An example that shows the error is as follows:

```
Host ?m* ??m* ???m*
  ProxyJump $(echo %h|grep -oE '[0-9]+'|head -1).ssh.my.org
```

This would turn a command to ssh into `7m123` into `ssh -J 7.ssh.my.org 7m123`

My bisecting leads me to believe that this change was part of dc72fd12af9d5398f4d9e159d671f9269c5b14d5

Specifically with the addition of the following to the parse_jump function in readconf.c

```
/* Remove comment and trailing whitespace */
if ((cp = strchr(orig, '#')) != NULL)
	*cp = '\0';
rtrim(orig);
```

So the question here is:

Was my abuse of the ProxyJump directive wrong
or
Should the parsing of the ProxyJump directive allow arbitrary content including spaces to be passed along?

--
You are receiving this mail because:
You are watching the assignee of the bug.

bugzilla-daemon at mindrot.org
2022-May-16 18:07 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

kellenhfox at gmail.com changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |kellenhfox at gmail.com

bugzilla-daemon at mindrot.org
2022-May-20 22:33 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Franck Lefebure <franck.lefebure at gmail.com> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |franck.lefebure at gmail.com

--- Comment #1 from Franck Lefebure <franck.lefebure at gmail.com> ---

I should have met this regression too

I've just upgraded my workstation to Ubuntu 22.04 which brings openssh-client 8.9p1
Before I used openssh 8.2p1

Proxyjumps ssh connections seem broken.

For example:

```
host hudson
  Hostname hudson
  IdentityFile ~/.ssh/id_rsa

Host oca
  Hostname 172.21.249.237
  User flefebure
  IdentityFile ~/.ssh/dev0/id_rsa
  ProxyJump hudson
```

I can go to "hudson", but not "oca" (the second key is ignored and a password is required)

Same config with 8.2 and 8.6 is ok

bugzilla-daemon at mindrot.org
2022-May-23 05:19 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Damien Miller <djm at mindrot.org> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |djm at mindrot.org

--- Comment #2 from Damien Miller <djm at mindrot.org> ---

Sorry, inserting shell characters is well outside of how we intend ProxyJump to be used and I don't think we can offer any promises of stability for uses of shell inside ProxyJump.

I recommend converting your rules to ProxyCommand, where such things are welcomed :)

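The conversion suggested in comment #2, sketched as an added example (not code from the thread or from OpenSSH): the shell logic moves out of ProxyJump into a small helper that ProxyCommand runs. The script name `jump-proxy`, its install path and the host-name check are assumptions; the `.ssh.my.org` suffix and the leading-digits rule come from the original report.

```shell
#!/bin/sh
# Hypothetical helper, installed for example as ~/bin/jump-proxy and used
# from ssh_config in place of the templated ProxyJump line:
#
#   Host ?m* ??m* ???m*
#       ProxyCommand ~/bin/jump-proxy %h %p
#
# ssh expands %h and %p before the command is run, so the target name
# arrives here as an ordinary argument rather than as text spliced into
# a shell command line.

# Print the jump host for a target such as 7m123 (-> 7.ssh.my.org).
# Fails unless the name is 1-3 digits followed by "m", mirroring the
# ?m* ??m* ???m* Host patterns, and contains only host-name characters.
jump_host_for() {
    case "$1" in
        ''|*[!0-9A-Za-z.-]*) return 1 ;;   # empty, or has spaces/metacharacters
    esac
    prefix=$(printf '%s\n' "$1" | grep -oE '^[0-9]{1,3}m') || return 1
    printf '%s.ssh.my.org\n' "${prefix%m}"
}

# Invoked by ssh as "jump-proxy <host> <port>": relay stdio through the
# jump host, which is what ProxyJump does with ssh -W under the hood.
if [ "$#" -eq 2 ]; then
    jump=$(jump_host_for "$1") || {
        echo "jump-proxy: unexpected host name" >&2
        exit 1
    }
    exec ssh -W "$1:$2" "$jump"
fi
```

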
bugzilla-daemon at mindrot.org
2022-May-23 05:20 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #3 from Damien Miller <djm at mindrot.org> ---

wrt Franck's issue - could you please attach a debug trace of a failed connection to the bug? It's almost impossible to tell what is happening without it.

bugzilla-daemon at mindrot.org
2022-May-27 04:11 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

Darren Tucker <dtucker at dtucker.net> changed:

What |Removed |Added
----------------------------------------------------------------------------
CC   |        |dtucker at dtucker.net

--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---

(In reply to Franck Lefebure from comment #1)
> I should have met this regression too

I just tried to reproduce this with -current (config adjusted to make local conditions):

```
IdentitiesOnly yes

host hudson
  Hostname 127.0.0.1
  IdentityFile ~/.ssh/id_rsa_hudson

Host oca
  Hostname 192.168.32.6
  User flefebure
  IdentityFile ~/.ssh/dev0/id_rsa_oca
  ProxyJump hudson
```

And it's trying the keys I would expect it to with that config:

```
$ ssh -F /tmp/config -v oca
[...]
debug1: /tmp/config line 3: Applying options for hudson
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/dtucker/.ssh/id_rsa_hudson type -1
[...]
debug1: Trying private key: /home/dtucker/.ssh/id_rsa_hudson
[...]
dtucker at 127.0.0.1's password:
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "password".
[...]
debug1: Authenticating to 192.168.32.6:22 as 'flefebure'
debug1: Will attempt key: /home/dtucker/.ssh/dev0/id_rsa_oca explicit
```

Is there anything else in that config (eg Match Final)? Could you please attach a debug "(ssh -vvv oca)"?

bugzilla-daemon at mindrot.org
2022-May-29 14:45 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #5 from Franck Lefebure <franck.lefebure at gmail.com> ---

Hi,

Sorry for the delay, was far away from my home workstation last week.
The verbose session is as attachment.

I can see :

```
debug1: Offering public key: /home/flefebure/.ssh/dev0/id_rsa RSA SHA256:iZnWi8F27Erf3DjHdsFGZInHsNwj4ZecgP+N7+TOZr8 explicit agent^M
debug1: send_pubkey_test: no mutual signature algorithm^M
debug1: Next authentication method: keyboard-interactive^M
```

Probably not the same problem as kellenhfox at ..
sorry

bugzilla-daemon at mindrot.org
2022-May-29 14:46 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #6 from Franck Lefebure <franck.lefebure at gmail.com> ---

Created attachment 3595
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3595&action=edit
debug proxy jum session

bugzilla-daemon at mindrot.org
2022-May-29 14:58 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423

--- Comment #7 from Franck Lefebure <franck.lefebure at gmail.com> ---

'PubkeyAcceptedKeyTypes +ssh-rsa' did the trick.
Sorry, it was trivial.

Sorry kellenhfox for the thread squatting..

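The symptom from comments #5 and #7 can be picked out of a debug trace mechanically. This added example (not part of the thread) scans `ssh -v` output for keys the client skipped with "no mutual signature algorithm"; the function names are hypothetical and the sample log lines, paths and fingerprint are constructed.

```shell
#!/bin/sh
# Read ssh -v output on stdin and print the path of every key that was
# offered and then skipped with "no mutual signature algorithm".
# Carriage returns (the ^M seen in the pasted trace) are stripped first.
# Assumption: key paths contain no spaces.
keys_without_mutual_sigalg() {
    tr -d '\r' | awk '
        /^debug1: Offering public key: / { key = $5; next }
        /^debug1: send_pubkey_test: no mutual signature algorithm/ {
            if (key != "") print key
            key = ""
            next
        }
        /^debug1: / { key = "" }   # any other debug1 line ends the pairing
    '
}

# Constructed sample trace, CRLF-terminated like the one in comment #5.
sample_log() {
    printf '%s\r\n' \
        "debug1: Authenticating to 192.0.2.10:22 as 'user'" \
        'debug1: Offering public key: /home/user/.ssh/dev0/id_rsa RSA SHA256:CONSTRUCTED-FINGERPRINT explicit agent' \
        'debug1: send_pubkey_test: no mutual signature algorithm' \
        'debug1: Next authentication method: keyboard-interactive'
}

sample_log | keys_without_mutual_sigalg
```

Real output can be fed in with `ssh -v oca 2>&1 | keys_without_mutual_sigalg`. A listed key is one for which the client found no signature algorithm that both it and the server allow, the condition comment #7 resolved with `PubkeyAcceptedKeyTypes +ssh-rsa`.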