openssh bugs - Feb 2012 - [Bug 1977] New: ProxyCommand seems to no execute shell commands

https://bugzilla.mindrot.org/show_bug.cgi?id=1977

             Bug #: 1977
           Summary: ProxyCommand seems to no execute shell commands
    Classification: Unclassified
           Product: Portable OpenSSH
           Version: 5.9p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: ssh
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: calestyo at scientia.net


Hi.

The manpage says to ProxyCommand:
>The command string extends to the end of the line,
>and is executed with the user's shell.
So I'd have assumed that the following works:
Host *.exmaple.org
        ProxyCommand ssh -W %h:%p gateway1.exmaple.org || ssh -W %h:%p
gateway2.exmaple.org

But it doesn't, even not in modifications like:
        ProxyCommand { ssh -W %h:%p gateway1.exmaple.org ; } || { ssh
-W %h:%p gateway2.exmaple.org ; }
or so.

Is this intentional or a bug?

What works however is explicitly invoking another shell:
        ProxyCommand sh -c "ssh -W %h:%p gateway1.exmaple.org || ssh -W
%h:%p gateway2.exmaple.org"
but this shouldn't be necessary, should it?

Thx,
Chris.

btw: I guess my intention is clear, if the gateway1 fails, use
gateway2. Is there a better way for doing this?

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1977

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2012-02-24 11:03:30
EST ---
I don't think that proxy command will work the way you think it will -
if the first ssh invocation emits any output or consumes any input then
it will break the client's handshake before the second ssh starts.

Anyway, I can't diagnose what's going wrong here without a full log
trace (ssh -vvv ...).

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1977

--- Comment #2 from Christoph Anton Mitterer <calestyo at scientia.net>
2012-03-03 10:03:29 EST ---
>I don't think that proxy command will work the way you think it
>will - if the first ssh invocation emits any output or consumes
>any input then it will break the client's handshake before the
>second ssh starts.
Well at least it works exactly as wished, when doing it with:
sh -c "ssh -W %h:%p gateway1.exmaple.org || ssh -W
%h:%p gateway2.exmaple.org"


Here is the log output:
$ ssh -vvv gar-ws-etp71.garching.physik.uni-muenchen.de 
OpenSSH_5.9p1 Debian-3, OpenSSL 1.0.0g 18 Jan 2012
debug1: Reading configuration data /home/calestyo/.ssh/config
debug1: /home/calestyo/.ssh/config line 35: Applying options for
*.garching.physik.uni-muenchen.de
debug1: /home/calestyo/.ssh/config line 41: Applying options for
*.uni-muenchen.de
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Executing proxy command: exec ssh -W
gar-ws-etp71.garching.physik.uni-muenchen.de:22
gar-sv-login01.garching.physik.uni-muenchen.de  ||  ssh -W
gar-ws-etp71.garching.physik.uni-muenchen.de:22
gar-sv-login02.garching.physik.uni-muenchen.de
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/calestyo/.ssh/id_rsa" as a RSA1 public
key
debug1: identity file /home/calestyo/.ssh/id_rsa type 1
debug1: Checking blacklist file /usr/share/ssh/blacklist.RSA-4096
debug1: Checking blacklist file /etc/ssh/blacklist.RSA-4096
debug1: identity file /home/calestyo/.ssh/id_rsa-cert type -1
debug1: identity file /home/calestyo/.ssh/id_dsa type -1
debug1: identity file /home/calestyo/.ssh/id_dsa-cert type -1
debug3: Incorrect RSA1 identifier
debug3: Could not load "/home/calestyo/.ssh/id_ecdsa" as a RSA1 public
key
debug1: identity file /home/calestyo/.ssh/id_ecdsa type 3
debug1: Checking blacklist file /usr/share/ssh/blacklist.ECDSA-521
debug1: Checking blacklist file /etc/ssh/blacklist.ECDSA-521
debug1: identity file /home/calestyo/.ssh/id_ecdsa-cert type -1
debug1: permanently_drop_suid: 1000
ssh: connect to host gar-sv-login01.garching.physik.uni-muenchen.de
port 22: Connection refused
ssh_exchange_identification: Connection closed by remote host
$


HTH,
Chris.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1977

--- Comment #3 from Damien Miller <djm at mindrot.org> 2012-03-30 11:57:51
EST ---
I think I've figured out your problem:

        xasprintf(&tmp, "exec %s", proxy_command);

This is done to avoid a lingering shell for the life of the connection,
while still allowing shell expansion of environment variables, etc. If
you proxy command requires other shell features then you'll need to
provide one explicitly.

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=1977

--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.net>
2012-03-30 23:14:51 EST ---
So you basically mean,... it doesn't work by intention, right?

Could you then please update the documentation to reflect this?
I.e. that [just] commands can be executed, but that env-variables (and
whatever else works) are expanded. :)

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.