bugzilla-daemon at mindrot.org
2023-Apr-01 20:47 UTC
[Bug 3555] New: ForwardAgent doesn't work under Match canonical
https://bugzilla.mindrot.org/show_bug.cgi?id=3555 Bug ID: 3555 Summary: ForwardAgent doesn't work under Match canonical Product: Portable OpenSSH Version: 8.4p1 Hardware: amd64 OS: Linux Status: NEW Severity: normal Priority: P5 Component: ssh Assignee: unassigned-bugs at mindrot.org Reporter: gomez404 at gmail.com When using CanonicalizeHostname, the ForwardAgent directive doesn't seem to work under Match canonical. e.g. ----- Host bastion ProxyJump none Match canonical ProxyJump bastion ForwardAgent yes Host * ForwardAgent no CanonicalizeHostname always CanonicalDomains mydomain.co.uk CanonicalizeMaxDots 0 CanonicalizeFallbackLocal yes ---- When I connect to foo.mydomain.co.uk through the jumphost bastion.mydomain.co.uk, ssh-agent is not forwarded. If I change the ForwardAgent directive under Host * to 'yes', then it does get forwarded. Therefore, it seems that the ForwardAgent directive is not being read when it is under Match canonical. I have not been able to test on newer versions of OpenSSH as I could not figure out how to compile it. There is no configure file. -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Apr-02 23:55 UTC
[Bug 3555] ForwardAgent doesn't work under Match canonical
https://bugzilla.mindrot.org/show_bug.cgi?id=3555 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WORKSFORME Status|NEW |RESOLVED CC| |djm at mindrot.org --- Comment #1 from Damien Miller <djm at mindrot.org> --- This is working as intended. When hostname canonicalisation is enabled, the configuration is parsed twice. An initial pass to collect options and then a second pass after the hostnames are finalised. Most configuration options operate as "first match wins" So what's happening here is that, on the first pass, your the "Host *" block is being parsed and the ForwardAgent option is being set to "no". On the subsequent pass, the ForwardAgent directive in the "Match canonical" block is ignored because it's already set. You can avoid this by only setting the fallback ForwardAgent on the final pass, e.g. ---- Host bastion ProxyJump none Match canonical ProxyJump bastion ForwardAgent yes Match all CanonicalizeHostname always CanonicalDomains mydomain.co.uk CanonicalizeMaxDots 0 CanonicalizeFallbackLocal yes Match canonical all ForwardAgent no -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
Maybe Matching Threads
- For the default of CanonicalizeFallbackLocal
- CanonicalHostname and ssh connections through a jumphost
- Unintended key info disclosure via ForwardAgent?
- [Bug 2438] New: Warn about using ForwardAgent with all hosts
- ability to select which identity to forward when using "ForwardAgent" ?