bugzilla-daemon at mindrot.org
2020-Jun-24 00:40 UTC
[Bug 3186] New: ProxyJump should include IdentityFile when specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3186
Bug ID: 3186
Summary: ProxyJump should include IdentityFile when specified
Product: Portable OpenSSH
Version: 8.3p1
Hardware: Other
OS: Linux
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: david at systemoverlord.com
While ProxyJump (-J) is documented as not taking the configuration for
the destination host (which makes sense for most things, like port
forwarding, X11 forwarding, environment, etc.), it seems that it's not
uncommon to want to use the same SSH key to authenticate to both hosts.
In such cases, passing -i on the command line fails as it's not used
for authenticating to the jump host.

I believe that when -J and -i are both used on the command line, the
provided identity file should also be attempted for the jump host, and
there's little risk (aside from exposing the fingerprint of the
additional public key to the intermediate host).
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Nov-20 03:58 UTC
[Bug 3186] ProxyJump should include IdentityFile when specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3186
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |WONTFIX
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
The problem with adding additional implicitly-passed options for
ProxyJump is that they preclude fine-grained control via the
configuration (as command-line takes precedence).

So, e.g. for implicitly passing -i it would become impossible to prefer
another key for the subsequent connection(s) regardless of what is in
~/.ssh/config

Because of this, we prefer to pass only the bare minimum through the
command-line and leave the rest up to user configs.
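The user-config approach that comment #1 points to, as an added example that is not part of the original thread or of OpenSSH's own documentation: a `~/.ssh/config` in which the jump host and a destination share one key while another destination behind the same jump host prefers a different key. All host names, the user name and the key paths are constructed placeholders.

```sshconfig
# ~/.ssh/config (constructed example; hosts, user and key paths are placeholders)

# Jump host. The ssh process started for ProxyJump reads this block,
# so the key is offered to the jump host without any -i on the command line.
Host jump
    HostName jump.example.com
    User alice
    IdentityFile ~/.ssh/id_ed25519_shared
    # Offer only the key named here, not every key held by the agent,
    # so the intermediate host sees no additional public keys.
    IdentitiesOnly yes

# Destination reached through the jump host, authenticated with the same key.
Host internal
    HostName internal.example.com
    User alice
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_shared
    IdentitiesOnly yes

# Another destination behind the same jump host that prefers a different key.
# This per-hop choice is the fine-grained control that an implicitly
# passed -i would override.
Host db
    HostName db.example.com
    User alice
    ProxyJump jump
    IdentityFile ~/.ssh/id_ed25519_db
    IdentitiesOnly yes
```

Running `ssh -G jump` and `ssh -G internal` prints the options ssh resolves for each hop, including `identityfile`, which confirms the key each connection will offer.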
bugzilla-daemon at mindrot.org
2021-Apr-23 05:01 UTC
[Bug 3186] ProxyJump should include IdentityFile when specified
https://bugzilla.mindrot.org/show_bug.cgi?id=3186
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|RESOLVED |CLOSED
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release