I want to ssh from a client to a machine on a closed network via a
jumphost; let's call them {client,internal,jumphost}.example.com. I
have authpf set up on the jumphost so that when logged in, I am allowed
to open TCP connections from the jumphost to port 22 on internal nodes.
This works well with port forwarding:
    des@client ~% ssh -L2222:internal.example.com:22 jumphost.example.com
but I'd rather use ProxyCommand, so I add something like this to my
~/.ssh/config:
    Host *
        ControlMaster auto
        ControlPath ~/.ssh/cm-%l-%r@%h:%p
    Host jumphost jumphost.example.com
        HostName jumphost.example.com
        HostKeyAlias jumphost.example.com
    Host internal internal.example.com
        HostName internal.example.com
        HostKeyAlias internal.example.com
        ProxyCommand ssh -vW %h:%p jumphost.example.com
I then ssh to the jumphost, which starts authpf and opens a control
socket on the client:
    des@client ~% ssh jumphost.example.com
    Password:
    Last login: Fri Jul 5 12:44:48 2013 from client.example.com
    Hello des. You are authenticated from host "192.168.144.120"
I should now be able to ssh to the internal node like this:
    des@client ~% ssh -v internal.example.com
But this doesn't work:
    [...]
    debug1: Control socket "/home/des/.ssh/cm-client.example.com-des@internal.example.com:22" does not exist
    debug1: Executing proxy command: exec ssh -vW internal.example.com:22 jumphost.example.com
    debug1: permanently_drop_suid: 1001
    debug1: identity file /home/des/.ssh/identity type -1
    debug1: identity file /home/des/.ssh/id_rsa type 1
    debug1: identity file /home/des/.ssh/id_dsa type -1
    OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
    debug1: Reading configuration data /home/des/.ssh/config
    debug1: Applying options for *
    debug1: Applying options for jumphost.example.com
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: Applying options for *
    debug1: auto-mux: Trying existing master
    ssh_exchange_identification: Connection closed by remote host
On the jumphost, I see this:
    Jul 5 12:46:16 jumphost -authpf-noip: non-interactive session connection for authpf
My question is: why did sshd on the jumphost try to execute authpf?
Shouldn't it have just opened a TCP connection to internal.example.com:22,
as it does with simple port forwarding? Is there a way to get around
this?
In this example, the client and server both run RHEL 6.4 with OpenSSH
5.3p1, while the jumphost runs FreeBSD 9.1 with OpenSSH 5.8p2. I can
live with an answer that says "upgrade to 6.x on the jumphost", but the
client and server are outside my control.
DES
--
Dag-Erling Smørgrav - des@des.no
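To see which control socket each of the two ssh invocations in the question looks for, here is an added example (my own, not code from the post or from OpenSSH) that mimics ssh_config's first-value-wins Host matching and expands the ControlPath and ProxyCommand tokens for the configuration above. It assumes the local host name client.example.com and the user des taken from the debug output.

```python
import fnmatch

# The ~/.ssh/config from the post, embedded as a constructed sample.
SSH_CONFIG = """\
Host *
ControlMaster auto
ControlPath ~/.ssh/cm-%l-%r@%h:%p
Host jumphost jumphost.example.com
HostName jumphost.example.com
HostKeyAlias jumphost.example.com
Host internal internal.example.com
HostName internal.example.com
HostKeyAlias internal.example.com
ProxyCommand ssh -vW %h:%p jumphost.example.com
"""


def parse_ssh_config(text):
    """Split ssh_config text into (host patterns, {option: value}) blocks, in file order."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            blocks.append((value.split(), {}))
        elif blocks:
            blocks[-1][1].setdefault(key.lower(), value.strip())
    return blocks


def resolve(blocks, typed_host):
    """Host patterns match the name typed on the command line; the first value
    obtained for an option wins, as in ssh_config(5)."""
    opts = {}
    for patterns, kv in blocks:
        if any(fnmatch.fnmatchcase(typed_host, p) for p in patterns):
            for key, value in kv.items():
                opts.setdefault(key, value)
    return opts


def expand(template, host, user, port, local):
    """Expand the %l %r %h %p tokens used by ControlPath and ProxyCommand."""
    return (template.replace("%l", local).replace("%r", user)
            .replace("%h", host).replace("%p", str(port)))


def control_path_and_proxy(text, typed_host, user="des", port=22, local="client.example.com"):
    """Return (control socket path, expanded ProxyCommand or None) for a target.
    %h is the HostName after resolution, so 'internal' and 'internal.example.com'
    share one socket; the ProxyCommand's inner ssh then resolves jumphost.example.com
    and looks for that host's socket instead (the one the earlier login created)."""
    opts = resolve(parse_ssh_config(text), typed_host)
    host = opts.get("hostname", typed_host)
    path = expand(opts["controlpath"], host, user, port, local)
    proxy = opts.get("proxycommand")
    return path, (expand(proxy, host, user, port, local) if proxy else None)
```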