[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)
bugzilla-daemon at bugzilla.mindrot.org
Thu May 5 16:26:41 EST 2011
https://bugzilla.mindrot.org/show_bug.cgi?id=1898
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-05-05 16:26:41 EST ---
I think you are misunderstanding how the configuration is applied by
Host directives. Overrides are *per-configuration item*.
In your first case you are not specifying an IdentityFile in your
login.example.org block, so it is unset when the also-matching
*.example.org block is applied. To do what you want, you should specify
your normal IdentityFiles in the login.example.org block

Host login.example.org
    User loginUser
    ProxyCommand none
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa

Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p

The rules for IdentityFile are a little different to most. IdentityFile
adds to the list of keys, whereas most other directives are *first
match wins*. This leads to the slightly undesirable effect of appending
~/.ssh/internal_example_org_key.id_rsa to the list of keys, even for
login.example.org. We can't avoid that unless we support negated
matching in Host blocks.
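Added example, not part of the original comment and not OpenSSH code: a small Python model of the evaluation rules described above (first match wins for most directives, IdentityFile accumulates), run over the configuration from the comment. The names parse, resolve and CONFIG are hypothetical, and the model assumes plain Host patterns only (no negation, no Match blocks, no options before the first Host line).

```python
import fnmatch

# The configuration from the comment, embedded so the example runs offline.
CONFIG = """\
Host login.example.org
    User loginUser
    ProxyCommand none
    IdentityFile ~/.ssh/id_rsa
    IdentityFile ~/.ssh/id_dsa
    IdentityFile ~/.ssh/id_ecdsa

Host *.example.org
    User root
    IdentityFile ~/.ssh/internal_example_org_key.id_rsa
    ProxyCommand ssh login.example.org nc %h %p
"""

# Directives that add to a list; every other directive keeps the first value seen.
ACCUMULATING = {"identityfile"}

def parse(text):
    """Parse a minimal ssh_config into [(patterns, [(keyword, value), ...]), ...]."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            blocks.append((value.split(), []))
        elif blocks:
            blocks[-1][1].append((keyword.lower(), value.strip()))
    return blocks

def resolve(text, host):
    """Return the effective options for host, walking the blocks top to bottom."""
    effective = {}
    for patterns, options in parse(text):
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue  # this Host block does not apply to the target
        for keyword, value in options:
            if keyword in ACCUMULATING:
                effective.setdefault(keyword, []).append(value)
            else:
                effective.setdefault(keyword, value)  # first match wins
    return effective
```

On a real client, `ssh -G login.example.org` (available in later OpenSSH releases) prints the effective configuration and can be used to confirm which keys will be offered to which host.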