[Bug 1898] New: possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
bugzilla-daemon at bugzilla.mindrot.org
Tue May 3 07:44:28 EST 2011
https://bugzilla.mindrot.org/show_bug.cgi?id=1898
Summary: possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
Product: Portable OpenSSH
Version: 5.8p1
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P2
Component: Miscellaneous
AssignedTo: unassigned-bugs at mindrot.org
ReportedBy: calestyo at scientia.net
Hi.
Maybe the following is an issue.
Consider the following scenario and ~/.ssh/config snippet:
-------------------------
Host login.example.org
    User loginUser
    ProxyCommand none
Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
-------------------------
The idea is that access to all nodes (but the login node) of
example.org is only possible via login.example.org.
The interesting part is that different keys are used, namely the
default id_rsa to authenticate on login.example.org and
internal_example_org_key.id_rsa, which is only used internally (e.g.
because policy mandates this).
I'd have expected that the above works, and that the default id_rsa is
used for login.example.org (as no IdentityFile is specified) and the
other key in the remaining cases.
It does not, however.
It works if I:
1) Use ssh-agent (and that one has all the keys loaded)
2) Use:
Host login.example.org
    User loginUser
    IdentityFile ~/.ssh/id_rsa
    ProxyCommand none
3) Or:
Host *.example.org
    User root
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
Seems as if the inheritance wouldn't work for the default identity
file, unless it's explicitly specified.
Cheers,
Chris.
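
Added example, not part of the original report and not OpenSSH's own code: a simplified model of how ssh_config(5) merges Host blocks (first obtained value wins per option, IdentityFile accumulates, built-in default identities apply only when no matching block names an IdentityFile), run against the configuration from the report. The names resolve and DEFAULT_IDENTITIES are hypothetical, the default list is an illustrative subset, and negated patterns and "keyword=value" syntax are not handled.

```python
from fnmatch import fnmatchcase

# The ~/.ssh/config from the report, embedded as sample input.
CONFIG = """\
Host login.example.org
    User loginUser
    ProxyCommand none
Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
"""

# Assumption: illustrative subset of the client's built-in default identities.
DEFAULT_IDENTITIES = ["~/.ssh/id_rsa", "~/.ssh/id_dsa"]


def resolve(config_text, host):
    """Return the effective options for `host` (simplified ssh_config model)."""
    opts, identities = {}, []
    active = True  # options before the first Host line apply to every host
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            # A Host block applies when any of its patterns matches the name.
            active = any(fnmatchcase(host, pat) for pat in value.split())
        elif not active:
            continue
        elif keyword == "identityfile":
            identities.append(value)  # accumulates across all matching blocks
        else:
            opts.setdefault(keyword, value)  # first obtained value is kept
    # Defaults are considered only if no matching block set an IdentityFile.
    opts["identityfile"] = identities or list(DEFAULT_IDENTITIES)
    return opts


if __name__ == "__main__":
    for name in ("login.example.org", "node1.example.org"):
        print(name, resolve(CONFIG, name))
```

In this model login.example.org also matches the *.example.org block, so it keeps its own User and ProxyCommand but picks up that block's IdentityFile, and the default identities are no longer in its list.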