bugzilla-daemon at mindrot.org
2023-Apr-01 20:47 UTC
[Bug 3555] New: ForwardAgent doesn't work under Match canonical
https://bugzilla.mindrot.org/show_bug.cgi?id=3555
Bug ID: 3555
Summary: ForwardAgent doesn't work under Match canonical
Product: Portable OpenSSH
Version: 8.4p1
Hardware: amd64
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: gomez404 at gmail.com
When using CanonicalizeHostname, the ForwardAgent directive doesn't
seem to work under Match canonical.
e.g.
-----
Host bastion
    ProxyJump none
Match canonical
    ProxyJump bastion
    ForwardAgent yes
Host *
    ForwardAgent no
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
----
When I connect to foo.mydomain.co.uk through the jumphost
bastion.mydomain.co.uk, ssh-agent is not forwarded.
If I change the ForwardAgent directive under Host * to 'yes', then it
does get forwarded. Therefore, it seems that the ForwardAgent directive
is not being read when it is under Match canonical.
I have not been able to test on newer versions of OpenSSH as I could
not figure out how to compile it. There is no configure file.
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Apr-02 23:55 UTC
[Bug 3555] ForwardAgent doesn't work under Match canonical
https://bugzilla.mindrot.org/show_bug.cgi?id=3555
Damien Miller <djm at mindrot.org> changed:
What       | Removed | Added
-----------|---------|-------------------
Resolution | ---     | WORKSFORME
Status     | NEW     | RESOLVED
CC         |         | djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is working as intended.
When hostname canonicalisation is enabled, the configuration is parsed
twice: an initial pass to collect options and then a second pass after
the hostnames are finalised. Most configuration options operate as
"first match wins".
So what's happening here is that, on the first pass, your "Host *"
block is being parsed and the ForwardAgent option is being set to
"no". On the subsequent pass, the ForwardAgent directive in the
"Match canonical" block is ignored because it's already set.
You can avoid this by only setting the fallback ForwardAgent on the
final pass, e.g.
----
Host bastion
    ProxyJump none
Match canonical
    ProxyJump bastion
    ForwardAgent yes
Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
Match canonical all
    ForwardAgent no
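As an added illustration (not code from this thread or from OpenSSH), a small Python model of the two-pass, first-match-wins evaluation described in the comment, run over the reporter's config and the corrected one. It models only Host patterns and the canonical/all Match criteria, and assumes the first CanonicalDomains entry resolves.

```python
import fnmatch

# Constructed copy of the reporter's ssh_config, and the corrected version derived from it.
BUGGY = """Host bastion
ProxyJump none
Match canonical
ProxyJump bastion
ForwardAgent yes
Host *
ForwardAgent no
CanonicalizeHostname always
CanonicalDomains mydomain.co.uk
CanonicalizeMaxDots 0
CanonicalizeFallbackLocal yes"""
FIXED = BUGGY.replace("Host *\nForwardAgent no\n", "Match all\n")
FIXED += "\nMatch canonical all\nForwardAgent no"

def parse_blocks(text):
    """Split config text into (kind, args, [(option, value), ...]) blocks in file order."""
    blocks = [("Match", ["all"], [])]  # options before the first Host/Match apply everywhere
    for line in text.splitlines():
        key, _, rest = line.strip().partition(" ")
        if key in ("Host", "Match"):
            blocks.append((key, rest.split(), []))
        elif key and not key.startswith("#"):
            blocks[-1][2].append((key, rest.strip()))
    return blocks

def block_matches(kind, args, hostname, canonical):
    """Host: glob patterns against the current hostname. Match: only 'canonical' and 'all' modelled."""
    if kind == "Host":
        return any(fnmatch.fnmatchcase(hostname, pat) for pat in args)
    return all(crit == "all" or (crit == "canonical" and canonical) for crit in args)

def apply_pass(blocks, hostname, canonical, opts):
    for kind, args, options in blocks:
        if block_matches(kind, args, hostname, canonical):
            for key, value in options:
                opts.setdefault(key, value)  # first match wins: a set option is never overwritten

def effective_config(text, hostname):
    """Two passes, as ssh does with CanonicalizeHostname: the typed name, then the canonical one."""
    blocks = parse_blocks(text)
    opts = {}
    apply_pass(blocks, hostname, False, opts)
    canonicalise = opts.get("CanonicalizeHostname", "no") != "no"
    if canonicalise and hostname.count(".") <= int(opts.get("CanonicalizeMaxDots", "1")):
        # Assumption: the first CanonicalDomains entry resolves; real ssh tries each via DNS.
        apply_pass(blocks, hostname + "." + opts["CanonicalDomains"].split()[0], True, opts)
    return opts
```

`effective_config(BUGGY, "foo")` reproduces the report (ForwardAgent stays "no" even though ProxyJump is set from the Match canonical block), while the corrected config yields "yes"; on a real system `ssh -G foo` shows the options ssh actually resolved.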