bugzilla-daemon at mindrot.org
2022-Apr-14 19:40 UTC
[Bug 3423] New: Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
Bug ID: 3423
Summary: Regression in ProxyJump functionality since 8.7p1
Product: Portable OpenSSH
Version: 8.9p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: minor
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: kellenhfox at gmail.com
Hello folks,
I for a number of years have had a reasonably complicated ssh config
that heavily used ProxyJump. I noticed that this broke a while back,
but only recently had the time to dig in and try and figure out what
the cause was.
Basically I was using the fact that ProxyJump was turned into a
ProxyCommand to inject some amount of shell scripting to template out
the destination of my ProxyJump.
An example that shows the error is as follows:
```
Host ?m* ??m* ???m*
    ProxyJump $(echo %h|grep -oE '[0-9]+'|head -1).ssh.my.org
```
This would turn a command to ssh into `7m123` into `ssh -J 7.ssh.my.org 7m123`.
My bisecting leads me to believe that this change was part of
dc72fd12af9d5398f4d9e159d671f9269c5b14d5
Specifically with the addition of the following to the parse_jump
function in readconf.c
```
/* Remove comment and trailing whitespace */
if ((cp = strchr(orig, '#')) != NULL)
	*cp = '\0';
rtrim(orig);
```
So the question here is: was my abuse of the ProxyJump directive wrong, or
should the parsing of the ProxyJump directive allow arbitrary content,
including spaces, to be passed along?
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2022-May-16 18:07 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
kellenhfox at gmail.com changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kellenhfox at gmail.com
bugzilla-daemon at mindrot.org
2022-May-20 22:33 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
Franck Lefebure <franck.lefebure at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |franck.lefebure at gmail.com
--- Comment #1 from Franck Lefebure <franck.lefebure at gmail.com> ---
I should have met this regression too
I've just upgraded my workstation to Ubuntu 22.04 which brings
openssh-client 8.9p1
Before I used openssh 8.2p1
Proxyjumps ssh connections seem broken.
For example:
```
host hudson
    Hostname hudson
    IdentityFile ~/.ssh/id_rsa
Host oca
    Hostname 172.21.249.237
    User flefebure
    IdentityFile ~/.ssh/dev0/id_rsa
    ProxyJump hudson
```
I can go to "hudson", but not "oca" (the second key is ignored and a
password is required)
Same config with 8.2 and 8.6 is ok
bugzilla-daemon at mindrot.org
2022-May-23 05:19 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Sorry, inserting shell characters is well outside of how we intend
ProxyJump to be used and I don't think we can offer any promises of
stability for uses of shell inside ProxyJump.
I recommend converting your rules to ProxyCommand, where such things
are welcomed :)
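One way to do the conversion recommended in comment #2, as an added example that is not from the bug thread or from the OpenSSH project: a helper script computes the jump host from the target name and rejects any name outside a hostname character set before building the `ssh -W` call. The function names and the script path `~/.ssh/jump-for` are hypothetical; the `?m*` patterns, `7m123` and `ssh.my.org` come from the report.

```shell
#!/bin/sh
# Added example: ProxyCommand replacement for the templated ProxyJump above.
# Assumed ssh_config usage (script saved as ~/.ssh/jump-for, a hypothetical path):
#
#   Host ?m* ??m* ???m*
#       ProxyCommand ~/.ssh/jump-for %h %p
#
# ssh expands %h and %p and then runs the line through the user's shell, so
# the target name is validated here before it is used to build anything.

# Print the jump host for a target such as 7m123 -> 7.ssh.my.org.
# Returns non-zero for names that are empty, start with '-', contain
# characters outside [A-Za-z0-9.-], or carry no digits.
jump_host_for() {
    target=$1
    case $target in
        ''|-*|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    num=$(printf '%s\n' "$target" | grep -oE '[0-9]+' | head -n 1)
    [ -n "$num" ] || return 1
    printf '%s.ssh.my.org\n' "$num"
}

# Connect stdio to target:port through the derived jump host.
proxy_via_jump() {
    jump=$(jump_host_for "$1") || {
        echo "jump-for: refusing target name '$1'" >&2
        return 1
    }
    case $2 in
        ''|*[!0-9]*) echo "jump-for: bad port '$2'" >&2; return 1 ;;
    esac
    # Same stdio forwarding that ProxyJump sets up: ssh -W '[host]:port' jump
    exec ssh -W "[$1]:$2" "$jump"
}

# Run only when invoked with host and port (i.e. from ProxyCommand).
if [ "$#" -eq 2 ]; then
    proxy_via_jump "$1" "$2"
fi
```
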
bugzilla-daemon at mindrot.org
2022-May-23 05:20 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
wrt Franck's issue - could you please attach a debug trace of a failed
connection to the bug? It's almost impossible to tell what is happening
without it.
bugzilla-daemon at mindrot.org
2022-May-27 04:11 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
(In reply to Franck Lefebure from comment #1)
> I should have met this regression too
I just tried to reproduce this with -current (config adjusted to make
local conditions):
```
IdentitiesOnly yes
host hudson
    Hostname 127.0.0.1
    IdentityFile ~/.ssh/id_rsa_hudson
Host oca
    Hostname 192.168.32.6
    User flefebure
    IdentityFile ~/.ssh/dev0/id_rsa_oca
    ProxyJump hudson
```
And it's trying the keys I would expect it to with that config:
```
$ ssh -F /tmp/config -v oca
[...]
debug1: /tmp/config line 3: Applying options for hudson
debug1: Connecting to 127.0.0.1 [127.0.0.1] port 22.
debug1: Connection established.
debug1: identity file /home/dtucker/.ssh/id_rsa_hudson type -1
[...]
debug1: Trying private key: /home/dtucker/.ssh/id_rsa_hudson
[...]
dtucker@127.0.0.1's password:
Authenticated to 127.0.0.1 ([127.0.0.1]:22) using "password".
[...]
debug1: Authenticating to 192.168.32.6:22 as 'flefebure'
debug1: Will attempt key: /home/dtucker/.ssh/dev0/id_rsa_oca explicit
```
Is there anything else in that config (eg Match Final)? Could you
please attach a debug "(ssh -vvv oca)"?
bugzilla-daemon at mindrot.org
2022-May-29 14:45 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
--- Comment #5 from Franck Lefebure <franck.lefebure at gmail.com> ---
Hi,
Sorry for the delay, was far away from my home workstation last week.
The verbose session is as attachment.
I can see:
```
debug1: Offering public key: /home/flefebure/.ssh/dev0/id_rsa RSA SHA256:iZnWi8F27Erf3DjHdsFGZInHsNwj4ZecgP+N7+TOZr8 explicit agent
debug1: send_pubkey_test: no mutual signature algorithm
debug1: Next authentication method: keyboard-interactive
```
Probably not the same problem as kellenhfox at .. sorry
bugzilla-daemon at mindrot.org
2022-May-29 14:46 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
--- Comment #6 from Franck Lefebure <franck.lefebure at gmail.com> ---
Created attachment 3595
--> https://bugzilla.mindrot.org/attachment.cgi?id=3595&action=edit
debug proxy jum session
bugzilla-daemon at mindrot.org
2022-May-29 14:58 UTC
[Bug 3423] Regression in ProxyJump functionality since 8.7p1
https://bugzilla.mindrot.org/show_bug.cgi?id=3423
--- Comment #7 from Franck Lefebure <franck.lefebure at gmail.com> ---
'PubkeyAcceptedKeyTypes +ssh-rsa' did the trick.
Sorry, it was trivial.
Sorry kellenhfox for the thread squatting..