bugzilla-daemon at mindrot.org
2023-Aug-31 17:30 UTC
[Bug 3610] New: Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Bug ID: 3610
Summary: Using ControlPath and the -J option
Product: Portable OpenSSH
Version: 8.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mathieu.pousse at cloud-iam.com
Hi there,
I'm wondering if `ssh` does properly support the `-J` option to jump
through a bastion and the `ControlMaster` settings to reuse an existing
connection.
When I try to sequentially access two hosts with the same internal ip
(10.0.1.2) that are behind a different bastion (bastion-1 and
bastion-2), ssh is wrongly re-using the socket because it is "bound"
to
private ip (10.0.1.2) and it does not include any reference to the
bastion's ip:
```
$ ssh -o ControlPersist=60s -o ControlMaster=auto -o
ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no
ubuntu at 10.0.1.2 -p 666 -J bastion at bastion-1:666 hostname
hostname-beyond-bastion-1
$ ssh -o ControlPersist=60s -o ControlMaster=auto -o
ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no
ubuntu at 10.0.1.2 -p 666 -J bastion at bastion-2:666 hostname
hostname-beyond-bastion-1
$ ls /tmp/.ssh/control*
/tmp/.ssh/control-10.0.1.2-666-ubuntu
```
I have double checked but did not find anything to add in the
ControlPath to refer to the bastion ip.
I'm wondering if this is a known limitation or a bug / enhancement.
So far, my understanding is that the ControlMaster should not be used
when using the jumps.
Thanks in advance
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-14 11:43 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Celeste Liu <CoelacanthusHex at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |CoelacanthusHex at gmail.com
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-06 02:58 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
hm, we might need a token to expand to the jumphost sequence
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-06 03:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #3737| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3737
--> https://bugzilla.mindrot.org/attachment.cgi?id=3737&action=edit
add %j expansion token for ControlPath (and others)
This adds %j as an token expansion for ControlPath and the other
directives that share its token expansions. It also appends %j to the
%C hash
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-12 01:55 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3737|ok?(dtucker at dtucker.net) |ok+
Flags| |
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-12 02:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in openssh-9.6, due around the end
of the year. Thanks!
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Oct-12 12:21 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610 --- Comment #4 from poussma <mathieu.pousse at cloud-iam.com> --- (In reply to Damien Miller from comment #3)> This has been committed and will be in openssh-9.6, due around the > end of the year. Thanks!Thanks for that ?? -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
Reasonably Related Threads
- [Bug 2420] New: Race condition regarding ControlPersist and ControlMaster=auto
- Uniquely Identifying the Local TTY of an SSH Connection
- [Bug 2356] New: inheritance of options not working as documented + HostName leads to recursive reparsing isn't documented
- [Bug 2437] New: ssh with ControlMaster and ControlPath hangs on 2nd session in same terminal
- Security implications of using ControlMaster