[Bug 1898] New: possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Tue May 3 07:44:28 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1898

           Summary: possible unreasonable behaviour when using
                    ProxyCommand with multiple IdentityFile(s)
           Product: Portable OpenSSH
           Version: 5.8p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Miscellaneous
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: calestyo at scientia.net


Hi.

Maybe the following is an issue.
Consider the following scenario and ~/.ssh/config snippet:
-------------------------
Host login.example.org
        User loginUser
        ProxyCommand none

Host *.example.org
        User root
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p
-------------------------

The idea is that access to all nodes (but the login node) of
example.org is only possible via login.example.org.
The interesting part is that different keys are used, namely the
default id_rsa to authenticate on login.example.org and
internal_example_org_key.id_rsa, which is only used internally (e.g.
because policy mandates this).

I'd have expected that the above works, and that the default id_rsa is
used for login.example.org (as no IdentityFile is specified) and the
other key in the remaining cases.
It does not, however.
It works if I:
1) Use ssh-agent (and that one has all the keys loaded)
2) Use:
Host login.example.org
        User loginUser
        IdentityFile ~/.ssh/id_rsa
        ProxyCommand none
3) Or:
Host *.example.org
        User root
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p


Seems as if the inheritance doesn't work for the default identity
file unless it's explicitly specified.


Cheers,
Chris.
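
The following is an added example and is not part of the bug report or of OpenSSH. It is a deliberately small model of the ssh_config(5) resolution rules that matter here: blocks are applied in order and the first value obtained for an option wins, IdentityFile directives accumulate across matching blocks, and the default identities are only tried when no IdentityFile was configured at all. Run against the snippet from the report, it shows what the inner `ssh login.example.org` launched by the ProxyCommand ends up with, since login.example.org also matches `Host *.example.org`. The config texts are copied from the report; the default-identity list, the use of fnmatch for Host patterns, and the skipping of `Match` blocks and `Keyword=value` syntax are simplifying assumptions of this model.

```python
import fnmatch

# Constructed input: the ~/.ssh/config snippet from the report.
REPORTED_CONFIG = """
Host login.example.org
        User loginUser
        ProxyCommand none

Host *.example.org
        User root
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p
"""

# Constructed input: workaround 3 from the report (default key added to the wildcard block).
WORKAROUND_CONFIG = """
Host login.example.org
        User loginUser
        ProxyCommand none

Host *.example.org
        User root
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p
"""

# Identities tried when no IdentityFile is configured (assumption: a subset of
# the real ssh_config(5) defaults, enough for this model).
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa"]

# Options whose values add up across matching blocks instead of first-wins.
ACCUMULATING = {"identityfile"}


def parse_blocks(text):
    """Return [(host_patterns, [(keyword, value), ...]), ...] for each Host block."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((keyword, value))
    return blocks


def host_matches(patterns, hostname):
    """Host matching: any pattern may match; a leading '!' negates (simplified)."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched


def resolve(text, hostname):
    """Effective options for hostname: first value wins, IdentityFile accumulates,
    and the defaults are used only if no IdentityFile was configured anywhere."""
    opts = {}
    for patterns, settings in parse_blocks(text):
        if not host_matches(patterns, hostname):
            continue
        for keyword, value in settings:
            if keyword in ACCUMULATING:
                opts.setdefault(keyword, []).append(value)
            else:
                opts.setdefault(keyword, value)  # earlier block already won
    if "identityfile" not in opts:
        opts["identityfile"] = list(DEFAULT_IDENTITIES)
    return opts


def proxy_hop(text, hostname):
    """Host the ProxyCommand's own ssh connects to, or None if there is no such hop."""
    cmd = resolve(text, hostname).get("proxycommand", "none")
    parts = cmd.split()
    if parts[:1] == ["ssh"] and len(parts) > 1:
        return parts[1]
    return None


if __name__ == "__main__":
    for name, cfg in (("reported", REPORTED_CONFIG), ("workaround", WORKAROUND_CONFIG)):
        target = "node1.example.org"
        hop = proxy_hop(cfg, target)
        print(f"[{name}] outer ssh {target}: {resolve(cfg, target)}")
        print(f"[{name}] inner ssh {hop}:   {resolve(cfg, hop)}")
```

Under these rules the inner connection to login.example.org in the reported config is offered only internal_example_org_key.id_rsa, which is why the reporter's expectation of id_rsa being used there is not met, while workaround 3 gives that connection both keys. The real check on a modern OpenSSH is `ssh -G login.example.org`, which prints the effective configuration; the model above simply makes the same rules visible without a running ssh.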
