I want to ssh from a client to a machine on a closed network via a
jumphost; let's call them {client,internal,jumphost}.example.com.  I
have authpf set up on the jumphost so that when logged in, I am allowed
to open TCP connections from the jumphost to port 22 on internal nodes.
This works well with port forwarding:
  des@client ~% ssh -L2222:internal.example.com:22 jumphost.example.com
but I'd rather use ProxyCommand, so I add something like this to my
~/.ssh/config:
  Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%l-%r@%h:%p
  Host jumphost jumphost.example.com
    HostName jumphost.example.com
    HostKeyAlias jumphost.example.com
  Host internal internal.example.com
    HostName internal.example.com
    HostKeyAlias internal.example.com
    ProxyCommand ssh -vW %h:%p jumphost.example.com
I then ssh to the jumphost, which starts authpf and opens a control
socket on the client:
  des@client ~% ssh jumphost.example.com
  Password:
  Last login: Fri Jul  5 12:44:48 2013 from client.example.com
  Hello des. You are authenticated from host "192.168.144.120"
I should now be able to ssh to the internal node like this:
  des@client ~% ssh -v internal.example.com
But this doesn't work:
  [...]
  debug1: Control socket "/home/des/.ssh/cm-client.example.com-des@internal.example.com:22" does not exist
  debug1: Executing proxy command: exec ssh -vW internal.example.com:22 jumphost.example.com
  debug1: permanently_drop_suid: 1001
  debug1: identity file /home/des/.ssh/identity type -1
  debug1: identity file /home/des/.ssh/id_rsa type 1
  debug1: identity file /home/des/.ssh/id_dsa type -1
  OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
  debug1: Reading configuration data /home/des/.ssh/config
  debug1: Applying options for *
  debug1: Applying options for jumphost.example.com
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: auto-mux: Trying existing master
  ssh_exchange_identification: Connection closed by remote host
On the jumphost, I see this:
  Jul  5 12:46:16 jumphost -authpf-noip: non-interactive session connection for authpf
My question is: why did sshd on the jumphost try to execute authpf?
Shouldn't it have just opened a TCP connection to internal.example.com:22,
as it does with simple port forwarding?  Is there a way to get around
this?
In this example, the client and server both run RHEL 6.4 with OpenSSH
5.3p1, while the jumphost runs FreeBSD 9.1 with OpenSSH 5.8p2.  I can
live with an answer that says "upgrade to 6.x on the jumphost", but the
client and server are outside my control.
DES
-- 
Dag-Erling Smørgrav - des at des.no