I have a network without a network connection to other networks. But
a socks server is dual homed between it and other networks. I can use
socks to ssh to other networks. I use ProxyCommand with the socks
aware connect.c program to connect out. All works great.
I discovered while trying to use the ssh-keyscan program that it does
not use the ProxyCommand configuration. At least in my testing it
does not return any information in this case. I also tried the Dante
'socksify nc $hostname 22' and I can get the connection banner. But
'ssh-keyscan -t rsa $hostname' returns nothing. Trying to run it
socksified similarly does not work either. I have not looked at the
code so I can't say for sure what is happening.
This prevents it from being able to connect to remote machines across
the socks server and extracting the remote host key. Darn. Not
completely terrible but it would be nice if this worked.
The return code does not reflect any failures. Shouldn't it? (I know
it is designed to run many connections at once and so some of them
might fail and bookkeeping can be an issue. I would also be worried
about 'sh -e' effects. Perhaps as an option to keep track of this?)
Request for two wishlist items.
1. Have ssh-keyscan use the ProxyCommand the same as ssh does. This
would enable ssh-keyscan to work exactly the same way that ssh
works.
2. If ssh-keyscan is unable to extract a key from a remote host to
reflect this in the return code if an option is present.
Does this sound reasonable?
This is from Debian 'unstable' with glibc-2.3.2.ds1-11 on an x86.
ssh -V
OpenSSH_3.8p1 Debian 1:3.8p1-3, SSH protocols 1.5/2.0, OpenSSL 0.9.7d 17 Mar
2004
Thanks
Bob