bugzilla-daemon at bugzilla.mindrot.org
2011-May-02 21:44 UTC
[Bug 1898] New: possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

           Summary: possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: calestyo at scientia.net

Hi.

Maybe the following is an issue. Consider the following scenario and ~/.ssh/config snippet:

-------------------------
Host login.example.org
    User loginUser
    ProxyCommand none

Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
-------------------------

The idea is that access to all nodes (but the login node) of example.org is only possible via login.example.org.

The interesting part is that different keys are used, namely the default id_rsa to authenticate on login.example.org and internal_example_org_key.id_rsa, which is only used internally (e.g. because policy mandates this).

I'd have expected that the above works, and that the default id_rsa is used for login.example.org (as no IdentityFile is specified) and the other key in the remaining cases.

It does however not. It works if I:

1) Use ssh-agent (and that one has all the keys loaded)

2) Use:
    Host login.example.org
        User loginUser
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand none

3) Or:
    Host *.example.org
        User root
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p

Seems as if the inheritance wouldn't work for the default identity file, unless it's explicitly specified.

Cheers,
Chris.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-05 06:26 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-05-05 16:26:41 EST ---
I think you are misunderstanding how the configuration is applied by Host directives. Overrides are *per-configuration item*.

In your first case you are not specifying an IdentityFile in your login.example.org block, so it is unset when the also-matching *.example.org block is applied. To do what you want, you should specify your normal IdentityFiles in the login.example.org block:

Host login.example.org
    User loginUser
    ProxyCommand none
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa

Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p

The rules for IdentityFile are a little different to most. IdentityFile adds to the list of keys, whereas most other directives are *first match wins*. This leads to the slightly undesirable effect of appending ~/.ssh/internal_example_org_key.id_rsa to the list of keys, even for login.example.org. We can't avoid that unless we support negated matching in Host blocks.
bugzilla-daemon at bugzilla.mindrot.org
2011-May-05 21:09 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net> 2011-05-06 07:09:54 EST ---
Well I guess I understood how it works and also that it's "appended" when multiple IdentityFile statements are used.

And especially because of this, I think it should work even _without_ specifying an additional IdentityFile ~/.ssh/id_rsa ... or the documentation should be changed.

The ssh_config manpage says the default (i.e. when nothing is specified [0]) is:
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa
Right?

Ok, now in the login.example.org block, nothing is specified, so I'd expect this default to be taken, and then the ones from the other blocks _appended_.

[0] Now currently it seems like the meaning is: "These are taken as defaults, if after all block merging at no block an IdentityFile was specified."

Personally I consider it this way less reasonable, but if you don't agree with that and/or can't change it easily, I'd suggest that you add to the documentation that the default is only applied _AFTER_ all block merging was done.

Of course all this is not a big issue ;-) ... but it took me quite some time to find the reason (which I eventually did before writing this bug report),... especially as with ssh-agent under some GUI (e.g. GNOME or so), everything worked just fine; while under plain console, it didn't.

Cheers,
Chris
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-03 00:33 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1845

--- Comment #3 from Damien Miller <djm at mindrot.org> 2011-06-03 10:33:52 EST ---
ok, I have implemented negated host matching so starting with openssh-5.9 you can express your configuration as:

Host login.example.org
    User loginUser

Host *.example.org !login.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p

I'll update ssh_config(5) to describe the behaviour better too.
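The merging rules Damien states in comment #1 (per-item first-match-wins, IdentityFile accumulating, defaults applied only to what is still unset at the end) and the negated Host pattern from comment #3 are easy to misread from the manpage, as this thread shows. The following is an added example, not OpenSSH code: a toy model of that merging, run over the three configurations discussed here (the reporter's original, the comment #1 workaround, and the 5.9 negated form). It assumes Python's fnmatch as a stand-in for ssh's own */? pattern matcher, parses only the "Keyword value" line form used in this thread, and uses the protocol-2 default identity list quoted from ssh_config(5) in comment #2.

```python
# Added example, not OpenSSH code: a toy model of ssh_config Host-block
# merging as Damien describes it in comments #1 and #3. Assumptions: fnmatch
# stands in for ssh's own */? matcher, and only the "Keyword value" line form
# used in this thread is parsed (not "Keyword=value").
from fnmatch import fnmatchcase

# 5.8-era protocol-2 defaults, as quoted from ssh_config(5) in this thread
DEFAULT_IDENTITY_FILES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa", "~/.ssh/id_ecdsa"]
ACCUMULATING = {"identityfile"}  # values are appended rather than replaced


def parse_config(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] in file order;
    lines before the first Host line form a global block matching every host."""
    blocks, patterns, items = [], ["*"], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        keyword, value = keyword.lower(), value.strip()
        if keyword == "host":
            blocks.append((patterns, items))
            patterns, items = value.split(), []
        else:
            items.append((keyword, value))
    blocks.append((patterns, items))
    return blocks


def host_matches(patterns, host):
    """A block applies if a positive pattern matches and no "!pattern" does;
    a matching negated pattern vetoes the block outright (OpenSSH 5.9+)."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            positive = True
    return positive


def effective_config(blocks, host):
    """Options ssh ends up with for `host`: first match wins for scalar options,
    IdentityFile accumulates, defaults fill only what is unset after every block."""
    cfg = {}
    for patterns, items in blocks:
        if not host_matches(patterns, host):
            continue
        for keyword, value in items:
            if keyword in ACCUMULATING:
                cfg.setdefault(keyword, []).append(value)
            elif keyword not in cfg:  # an earlier block already set it
                cfg[keyword] = value
    # This late default is why the reporter's config never offered id_rsa.
    cfg.setdefault("identityfile", list(DEFAULT_IDENTITY_FILES))
    return cfg


# Constructed inputs: the three configurations discussed in this bug.
ORIGINAL_CONFIG = """
Host login.example.org
    User loginUser
    ProxyCommand none
Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
"""
WORKAROUND_CONFIG = """
Host login.example.org
    User loginUser
    ProxyCommand none
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa
Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
"""
NEGATED_CONFIG = """
Host login.example.org
    User loginUser
Host *.example.org !login.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
"""

if __name__ == "__main__":
    for text in (ORIGINAL_CONFIG, WORKAROUND_CONFIG, NEGATED_CONFIG):
        for host in ("login.example.org", "node1.example.org"):
            print(host, effective_config(parse_config(text), host))
```

Running it shows the three outcomes the thread describes: with the original config login.example.org is offered only the internal key (the default list never fills in because IdentityFile was already set by the wildcard block); with the workaround it is offered all three defaults plus the internal key, the "slightly undesirable" appending Damien mentions; with the negated pattern the wildcard block is vetoed for login.example.org, so it gets the plain defaults and no ProxyCommand. With a real client the equivalent check is to inspect the effective configuration (OpenSSH 6.8 and later print it with `ssh -G host`) rather than reasoning from the file, since which keys get offered where is exactly the kind of policy boundary this reporter was trying to enforce.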
bugzilla-daemon at bugzilla.mindrot.org
2011-Jun-17 02:48 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED
bugzilla-daemon at bugzilla.mindrot.org
2011-Aug-13 18:24 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Christoph Anton Mitterer <calestyo at scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.net> 2011-08-14 04:24:02 EST ---
Hi Damien.

Well this is a very nice feature, but I think the unclear documentation remains (and I asked several friends of mine how they'd interpret the manpage and they've agreed).

It says "The default is ~/.ssh/identity for protocol version 1, and ~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol version 2." as well as "It is possible to have multiple identity files specified in configuration files; all these identities will be tried in sequence."

So as I've mentioned in Comment 2 one should at least add something like "These are taken as defaults, if after all block merging at no block an IdentityFile was specified." (or a better wording of this).

Regarding your added feature could you - in addition - add something like this:

Host a.foo.example
    bla
Host b.foo.example!
    bla
Host c.foo.example
    bla
Host *.foo.example !a.foo.example
    bla

Now "a" wouldn't match the wildcard, as you've already implemented it. "c" would match.

My idea of "b" (where the exclamation mark is at the end of the hostname) is that when a host matches that is postfixed by an "!", matching stops here (after that block) for that name. So effectively, *.foo.example wouldn't be applied for "b".

Now you can argue that this is similar to what you've done, but the advantage is that if you have many hostnames to be excluded (e.g. a. to z. or even more) you don't have to re-write them all at the wildcard block (which is quite error-prone).

You should however not remove your !-prefix syntax... IMHO both would be quite reasonable.

Cheers,
Chris.
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:34 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1930

--- Comment #5 from Damien Miller <djm at mindrot.org> 2011-09-06 10:34:15 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:36 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

--- Comment #6 from Damien Miller <djm at mindrot.org> 2011-09-06 10:36:28 EST ---
Retarget unresolved bugs/features to 6.0 release
bugzilla-daemon at bugzilla.mindrot.org
2011-Sep-06 00:39 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1845                        |

--- Comment #7 from Damien Miller <djm at mindrot.org> 2011-09-06 10:39:02 EST ---
Retarget unresolved bugs/features to 6.0 release (try again - bugzilla's "change several" isn't)
bugzilla-daemon at bugzilla.mindrot.org
2011-Nov-04 00:56 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|REOPENED                    |RESOLVED
         Resolution|                            |FIXED

--- Comment #8 from Damien Miller <djm at mindrot.org> 2011-11-04 11:56:13 EST ---
I don't think there is a need to further clarify the IdentityFile documentation with regard to how the default is applied - the rules here are the same as all other configuration items.
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-06 16:03 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Christoph Anton Mitterer <calestyo at scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #9 from Christoph Anton Mitterer <calestyo at scientia.net> 2012-02-07 03:03:09 EST ---
Hey Damien.

Two notes:

a) Thought about adding such a "stop-matching-here" syntax, as I've proposed in comment #14?

b) You're right with respect to the documentation, more or less ;-)
I now understood how you meant the merging to be... but then the following might make sense to be added:

Now you say:
> ssh(1) obtains configuration data from the following sources in the following order:
>
> 1. command-line options
> 2. user's configuration file (~/.ssh/config)
> 3. system-wide configuration file (/etc/ssh/ssh_config)
etc..

If you add a:
4. ONLY if none of the ones before specified an option, that option's default is used.

Then the thing I've always meant (why is the default of IdentityFile not added) is clear.

Cheers,
Chris

btw: reopening in order to get your attention,.. just close it again if you disagree :)
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:34 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|                            |1986

--- Comment #10 from Damien Miller <djm at mindrot.org> 2012-02-24 10:34:24 EST ---
Retarget from 6.0 to 6.1
bugzilla-daemon at bugzilla.mindrot.org
2012-Feb-23 23:38 UTC
[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Blocks|1930                        |

--- Comment #11 from Damien Miller <djm at mindrot.org> 2012-02-24 10:38:02 EST ---
Retarget 6.0 => 6.1