bugzilla-daemon at mindrot.org
2020-Jun-24 00:40 UTC
[Bug 3186] New: ProxyJump should include IdentityFile when specified
bugzilla.mindrot.org/show_bug.cgi?id=3186 Bug ID: 3186 Summary: ProxyJump should include IdentityFile when specified Product: Portable OpenSSH Version: 8.3p1 Hardware: Other OS: Linux Status: NEW Severity: enhancement Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: david at systemoverlord.com While ProxyJump (-J) is documented as not taking the configuration for the destination host (which makes sense for most things, like port forwarding, X11 forwarding, environment, etc.), it seems that it's not uncommon to want to use the same SSH key to authenticate to both hosts. In such cases, passing -i on the command line fails as it's not used for authenticating to the jump host. I believe that when -J and -i are both used on the command line, the provided identity file should also be attempted for the jump host, and there's little risk (aside from exposing the fingerprint of the additional public key to the intermediate host). -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:58 UTC
[Bug 3186] ProxyJump should include IdentityFile when specified
bugzilla.mindrot.org/show_bug.cgi?id=3186 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|NEW |RESOLVED Resolution|--- |WONTFIX CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- The problem with adding additional implicitly-passed options for ProxyJump is that they preclude fine-grained control via the configuration (as command-line takes precedence). So, e.g. for implicitly passing -i it would become impossible to prefer another key for the subsequent connection(s) regardless of what is in ~/.ssh/config Because of this, we prefer to pass only the bare minimum through the command-line and leave the rest up to user configs. -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:01 UTC
[Bug 3186] ProxyJump should include IdentityFile when specified
bugzilla.mindrot.org/show_bug.cgi?id=3186 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #2 from Damien Miller <djm at mindrot.org> --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Reasonably Related Threads
- [PATCH] permits multiple tags on a configuration block.
- [Bug 3570] New: Add substitution token for explicitly selected IdentityFile for ControlPath selection
- [Bug 2744] New: ProxyJump causes "Killed by signal 1" to be printed in terminal.
- [Bug 3163] New: teach ssh-keyscan to use ssh_config (plus options like ProxyJump)
- [Bug 3080] New: Document IdentityFile=none and clarify interaction of defaults with IdentitiesOnly