bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-07 19:59 UTC
[Bug 2951] New: command line key options ignored for jumphost
https://bugzilla.mindrot.org/show_bug.cgi?id=2951
Bug ID: 2951
Summary: command line key options ignored for jumphost
Product: Portable OpenSSH
Version: 7.7p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: chris.kiick at sailpoint.com
The -J option of ssh allows connecting via a "jump" host. However, I
am unable to specify a key to use for the jump host on the command
line.
Command: ssh -i keyfile -J user@bastion.host user@final.host
Expected behavior:
ssh authenticates to jumphost with key in keyfile, then proceeds to
connect to final host. Final host may use same or different key.
Actual behavior:
user@bastion.host: Permission denied (publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host
Using verbose options it is clear that keyfile is never offered to the
bastion host during authentication. Adding -o AddKeysToAgent=yes has
no effect. Putting AddKeysToAgent in ssh config file also has no
effect. It seems clear that any options relating to keys are ignored
when connecting to the jumphost. The only way to have a keyfile for
the jumphost is to pre-add it to the ssh-agent with ssh-add, or modify
the ssh config file. There are use cases where this is not desirable
(e.g. use in scripts, keys are rotated or expired often, ssh-agent is not
running, local host account is shared, etc).
The intuitive behavior would be for the -i and relevant -o options to
be applied before connecting to the jumphost.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jan-22 10:28 UTC
[Bug 2951] command line key options ignored for jumphost
https://bugzilla.mindrot.org/show_bug.cgi?id=2951
Damien Miller <djm at mindrot.org> changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|NEW                         |RESOLVED
            CC|                            |djm at mindrot.org
    Resolution|---                         |WONTFIX
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
I see it the exact opposite way: the ssh command connects you to the
final host and the jump host, being an option, doesn't receive any of
the other options. Note that there may be multiple chained jumphosts
(-J host1,host2) so it really isn't tenable to plumb all the
command-line options through to them.
We have to pick one or the other interpretations, and this is the one
we've gone with.
If you want specific configuration for a jump host, then you'll have to
use ~/.ssh/config, sorry.
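The configuration-file route from comment #1, adapted to the scripted case described in the report, as an added example that is not part of the bug thread or OpenSSH's own code. The function names, the `jump` and `target` aliases and all sample values are constructed; `ProxyJump`, `IdentityFile`, `IdentitiesOnly` and `ssh -F` are standard OpenSSH client options.

```shell
#!/bin/sh
# Added example; function names, aliases and sample values are constructed.
nl='
'
# write_jump_config CFG JUMP_USER JUMP_HOST JUMP_KEY FINAL_USER FINAL_HOST FINAL_KEY
# Writes an ssh_config file giving the jump host and the final host their own key.
write_jump_config() {
    cfg=$1
    # Reject empty values and embedded newlines, which would add config lines.
    for arg in "$2" "$3" "$4" "$5" "$6" "$7"; do
        case $arg in
            ''|*"$nl"*) echo "write_jump_config: bad argument" >&2; return 1 ;;
        esac
    done
    # IdentitiesOnly stops ssh from offering agent or default keys to either
    # host, so each hop is only offered the key named for it.
    ( umask 077; cat > "$cfg" <<EOF
Host jump
    HostName $3
    User $2
    IdentityFile "$4"
    IdentitiesOnly yes

Host target
    HostName $6
    User $5
    IdentityFile "$7"
    IdentitiesOnly yes
    ProxyJump jump
EOF
    )
}

# ssh_via_jump JUMP_USER JUMP_HOST JUMP_KEY FINAL_USER FINAL_HOST FINAL_KEY
# Uses a throwaway config, so ~/.ssh/config and ssh-agent are left untouched.
# With -F, ssh reads only this file (not ~/.ssh/config or the system-wide one).
ssh_via_jump() {
    tmp=$(mktemp) || return 1
    write_jump_config "$tmp" "$@" || { rm -f "$tmp"; return 1; }
    ssh -F "$tmp" target
    rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

A script would call, for instance, `ssh_via_jump user bastion.host /path/to/jump_key user final.host /path/to/final_key`.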
bugzilla-daemon at mindrot.org
2021-Apr-23 05:08 UTC
[Bug 2951] command line key options ignored for jumphost
https://bugzilla.mindrot.org/show_bug.cgi?id=2951
Damien Miller <djm at mindrot.org> changed:
      What    |Removed                     |Added
----------------------------------------------------------------------------
        Status|RESOLVED                    |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release