bugzilla-daemon at mindrot.org
2023-Aug-31 17:30 UTC
[Bug 3610] New: Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

            Bug ID: 3610
           Summary: Using ControlPath and the -J option
           Product: Portable OpenSSH
           Version: 8.9p1
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mathieu.pousse at cloud-iam.com

Hi there,

I'm wondering if `ssh` does properly support the `-J` option to jump through a bastion and the `ControlMaster` settings to reuse an existing connection.

When I try to sequentially access two hosts with the same internal ip (10.0.1.2) that are behind a different bastion (bastion-1 and bastion-2), ssh is wrongly re-using the socket because it is "bound" to private ip (10.0.1.2) and it does not include any reference to the bastion's ip:

```
$ ssh -o ControlPersist=60s -o ControlMaster=auto -o ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no ubuntu@10.0.1.2 -p 666 -J bastion@bastion-1:666 hostname
hostname-beyond-bastion-1

$ ssh -o ControlPersist=60s -o ControlMaster=auto -o ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no ubuntu@10.0.1.2 -p 666 -J bastion@bastion-2:666 hostname
hostname-beyond-bastion-1

$ ls /tmp/.ssh/control*
/tmp/.ssh/control-10.0.1.2-666-ubuntu
```

I have double checked but did not find anything to add in the ControlPath to refer to the bastion ip.

I'm wondering if this is a known limitation or a bug / enhancement. So far, my understanding is that the ControlMaster should not be used when using the jumps.

Thanks in advance

--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-14 11:43 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

Celeste Liu <CoelacanthusHex at gmail.com> changed:

           What    |Removed                       |Added
------------------------------------------------------------------------------
                 CC|                              |CoelacanthusHex at gmail.com
bugzilla-daemon at mindrot.org
2023-Oct-06 02:58 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
------------------------------------------------------------------------------
                 CC|                              |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
hm, we might need a token to expand to the jumphost sequence
bugzilla-daemon at mindrot.org
2023-Oct-06 03:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
------------------------------------------------------------------------------
                 CC|                              |dtucker at dtucker.net
           Assignee|unassigned-bugs at mindrot.org|djm at mindrot.org
   Attachment #3737|                              |ok?(dtucker at dtucker.net)
              Flags|                              |

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3737
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3737&action=edit
add %j expansion token for ControlPath (and others)

This adds %j as a token expansion for ControlPath and the other directives that share its token expansions. It also appends %j to the %C hash
bugzilla-daemon at mindrot.org
2023-Oct-12 01:55 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

Darren Tucker <dtucker at dtucker.net> changed:

           What    |Removed                       |Added
------------------------------------------------------------------------------
   Attachment #3737|ok?(dtucker at dtucker.net)   |ok+
              Flags|                              |
bugzilla-daemon at mindrot.org
2023-Oct-12 02:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                       |Added
------------------------------------------------------------------------------
             Status|NEW                           |RESOLVED
         Resolution|---                           |FIXED

--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in openssh-9.6, due around the end of the year. Thanks!
bugzilla-daemon at mindrot.org
2023-Oct-12 12:21 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610

--- Comment #4 from poussma <mathieu.pousse at cloud-iam.com> ---
(In reply to Damien Miller from comment #3)
> This has been committed and will be in openssh-9.6, due around the
> end of the year. Thanks!

Thanks for that
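
The socket collision from the original report, plus a check for ControlPath templates that would reproduce it, as an added example that is not part of the thread or of OpenSSH. `expand` is a simplified model of ssh's token expansion that assumes %j carries the `-J` argument, `SAMPLE` is a constructed config, and %C is treated as jump-aware, which per comment #2 holds only from openssh-9.6.

```python
import re

# Tokens that tie a ControlPath to the jump chain: %j is the token added for
# this bug; per comment #2 the %C hash also covers %j from openssh-9.6 on.
JUMP_AWARE = ("%j", "%C")

def expand(template, host, port, user, jump=""):
    """Simplified model of ssh's token expansion (%h %p %r %j and %% only)."""
    values = {"h": host, "p": str(port), "r": user, "j": jump, "%": "%"}
    return re.sub(r"%([hprj%])", lambda m: values[m.group(1)], template)

def directives(config_text):
    """Yield (scope, keyword, value) for each ssh_config directive."""
    scope = "*"  # directives before the first Host/Match apply to every host
    for raw in config_text.splitlines():
        m = re.match(r"(\w+)\s*[=\s]\s*(.*)", raw.strip())
        if not m:  # blank line, comment, or keyword with no argument
            continue
        key, value = m.group(1).lower(), m.group(2).strip().strip('"')
        if key in ("host", "match"):
            scope = f"{key} {value}"
        else:
            yield scope, key, value

def audit(config_text):
    """Return (scope, ControlPath) pairs that cannot tell jump chains apart."""
    findings = []
    for scope, key, value in directives(config_text):
        if key != "controlpath" or value.lower() == "none":
            continue
        tokens = value.replace("%%", "")  # "%%j" is a literal "%j", not a token
        if not any(tok in tokens for tok in JUMP_AWARE):
            findings.append((scope, value))
    return findings

# Constructed sample config, not taken from the bug report.
SAMPLE = """\
# shared defaults
ControlPath=/tmp/.ssh/control-%h-%p-%r

Host *.corp.example
    ControlPath ~/.ssh/cm-%C
Host legacy
    ControlPath "~/.ssh/cm-%%j-%h"
"""

if __name__ == "__main__":
    for scope, path in audit(SAMPLE):
        print(f"{scope}: {path} is shared across different -J chains")
```

The audit flags each ControlPath directive on its own and does not model ssh_config's first-match-wins ordering between blocks.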