bugzilla-daemon at mindrot.org
2023-Aug-31 17:30 UTC
[Bug 3610] New: Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Bug ID: 3610
Summary: Using ControlPath and the -J option
Product: Portable OpenSSH
Version: 8.9p1
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: mathieu.pousse at cloud-iam.com
Hi there,
I'm wondering if `ssh` does properly support the `-J` option to jump
through a bastion and the `ControlMaster` settings to reuse an existing
connection.
When I try to sequentially access two hosts with the same internal ip
(10.0.1.2) that are behind a different bastion (bastion-1 and
bastion-2), ssh is wrongly re-using the socket because it is "bound" to
private ip (10.0.1.2) and it does not include any reference to the
bastion's ip:
```
$ ssh -o ControlPersist=60s -o ControlMaster=auto \
    -o ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no \
    ubuntu@10.0.1.2 -p 666 -J bastion@bastion-1:666 hostname
hostname-beyond-bastion-1
$ ssh -o ControlPersist=60s -o ControlMaster=auto \
    -o ControlPath=/tmp/.ssh/control-%h-%p-%r -o StrictHostKeyChecking=no \
    ubuntu@10.0.1.2 -p 666 -J bastion@bastion-2:666 hostname
hostname-beyond-bastion-1
$ ls /tmp/.ssh/control*
/tmp/.ssh/control-10.0.1.2-666-ubuntu
```
I have double checked but did not find anything to add in the
ControlPath to refer to the bastion ip.
I'm wondering if this is a known limitation or a bug / enhancement.
So far, my understanding is that the ControlMaster should not be used
when using the jumps.
Thanks in advance
--
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2023-Sep-14 11:43 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Celeste Liu <CoelacanthusHex at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |CoelacanthusHex at gmail.com
bugzilla-daemon at mindrot.org
2023-Oct-06 02:58 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
hm, we might need a token to expand to the jumphost sequence
bugzilla-daemon at mindrot.org
2023-Oct-06 03:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |dtucker at dtucker.net
Assignee|unassigned-bugs at mindrot.org |djm at mindrot.org
Attachment #3737| |ok?(dtucker at dtucker.net)
Flags| |
--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3737
--> https://bugzilla.mindrot.org/attachment.cgi?id=3737&action=edit
add %j expansion token for ControlPath (and others)
This adds %j as a token expansion for ControlPath and the other
directives that share its token expansions. It also appends %j to the
%C hash.
bugzilla-daemon at mindrot.org
2023-Oct-12 01:55 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Darren Tucker <dtucker at dtucker.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
Attachment #3737|ok?(dtucker at dtucker.net) |ok+
Flags| |
bugzilla-daemon at mindrot.org
2023-Oct-12 02:22 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |FIXED
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
This has been committed and will be in openssh-9.6, due around the end
of the year. Thanks!
bugzilla-daemon at mindrot.org
2023-Oct-12 12:21 UTC
[Bug 3610] Using ControlPath and the -J option
https://bugzilla.mindrot.org/show_bug.cgi?id=3610
--- Comment #4 from poussma <mathieu.pousse at cloud-iam.com> ---
(In reply to Damien Miller from comment #3)
> This has been committed and will be in openssh-9.6, due around the
> end of the year. Thanks!
Thanks for that
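The socket collision reported in this thread, and the effect of adding the %j token from comment #2, shown as an added example that is not part of the original thread and is not OpenSSH code. It is a simplified model of ControlPath expansion: the function names are hypothetical, only %h, %p, %r, %j and %% are modelled, and %j is assumed to expand to the jump host name.

```python
# Added example: simplified model of ControlPath token expansion (not OpenSSH code).
# Assumption: %j expands to the jump host name, or "" when no jump host is used.
from collections import defaultdict

def expand(template, user, host, port, jump=""):
    """Expand the modelled tokens (%h, %p, %r, %j, %%) in a ControlPath template."""
    tokens = {"h": host, "p": str(port), "r": user, "j": jump, "%": "%"}
    out, i = [], 0
    while i < len(template):
        ch = template[i]
        if ch == "%" and i + 1 < len(template):
            key = template[i + 1]
            if key not in tokens:
                raise ValueError(f"token %{key} is not modelled here")
            out.append(tokens[key])
            i += 2
        else:
            out.append(ch)
            i += 1
    return "".join(out)

def collisions(template, sessions):
    """Return {socket_path: [jump hosts]} for paths shared by different jump hosts."""
    by_path = defaultdict(set)
    for user, host, port, jump in sessions:
        by_path[expand(template, user, host, port, jump)].add(jump)
    return {path: sorted(jumps) for path, jumps in by_path.items() if len(jumps) > 1}

# Constructed sessions mirroring the report: same internal address, two bastions.
SESSIONS = [
    ("ubuntu", "10.0.1.2", 666, "bastion-1"),
    ("ubuntu", "10.0.1.2", 666, "bastion-2"),
]
WITHOUT_J = "/tmp/.ssh/control-%h-%p-%r"   # template from the report
WITH_J = "/tmp/.ssh/control-%h-%p-%r-%j"   # same template plus the jump host

if __name__ == "__main__":
    # One shared socket path means the second ssh reuses the first master.
    print("without %j:", collisions(WITHOUT_J, SESSIONS))
    # Distinct paths per bastion: no reuse across jump hosts.
    print("with %j:   ", collisions(WITH_J, SESSIONS))
```

Running the same check over an inventory of (user, host, port, jump host) tuples shows which ControlPath templates can hand a session to a master opened through a different bastion.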