[Bug 3555] ForwardAgent doesn't work under Match canonical

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Apr 3 09:55:02 AEST 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3555

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is working as intended.

When hostname canonicalisation is enabled, the configuration is parsed
twice. An initial pass to collect options and then a second pass after
the hostnames are finalised. Most configuration options operate as
"first match wins".

So what's happening here is that, on the first pass, your "Host *"
block is being parsed and the ForwardAgent option is being set to "no".
On the subsequent pass, the ForwardAgent directive in the "Match
canonical" block is ignored because it's already set.

You can avoid this by only setting the fallback ForwardAgent on the
final pass, e.g.
----
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes

Match canonical all
    ForwardAgent no

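The two-pass, first-match-wins evaluation described in the comment is easy to get wrong by reasoning about block order alone, so here is an added example (not OpenSSH code and not part of the bug report) that models it in Python and runs both layouts through it. The ORIGINAL configuration is constructed from the comment's description of the reporter's file (fallback "ForwardAgent no" under "Host *", override under "Match canonical"); the FIXED one is the reordered configuration from the comment. The model only handles "Host", "Match all", "Match canonical" and "Match canonical all", and canonicalises by appending the first CanonicalDomains entry; those simplifications are assumptions, as is the toy canonicalisation itself.

```python
import fnmatch

# Constructed from the comment's description of the reporter's layout.
ORIGINAL = """
Host *
    ForwardAgent no

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes
"""

# The reordered configuration given in the comment.
FIXED = """
Host bastion
    ProxyJump none

Match canonical
    ProxyJump bastion
    ForwardAgent yes

Match all
    CanonicalizeHostname always
    CanonicalDomains mydomain.co.uk
    CanonicalizeMaxDots 0
    CanonicalizeFallbackLocal yes

Match canonical all
    ForwardAgent no
"""


def parse_blocks(text):
    """Split ssh_config text into (kind, criteria, [(key, value), ...])."""
    blocks = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key in ("host", "match"):
            blocks.append((key, value, []))
        elif blocks:
            blocks[-1][2].append((key, value))
        else:
            raise ValueError("option outside any Host/Match block: " + line)
    return blocks


def block_matches(kind, criteria, hostname, post_canon):
    """Decide whether a Host/Match header applies in the current pass."""
    if kind == "host":
        return any(fnmatch.fnmatchcase(hostname, p) for p in criteria.split())
    words = criteria.lower().split()
    if words[0] == "all":
        return True
    if words[0] == "canonical":
        # "canonical" only matches on the re-parse after canonicalisation;
        # "canonical all" then matches every host (assumption: only these
        # two forms are modelled here).
        return post_canon and (len(words) == 1 or words[1] == "all")
    raise ValueError("Match criteria not modelled: " + criteria)


def apply_pass(blocks, options, hostname, post_canon):
    """One parse pass: a matching block sets only options still unset."""
    for kind, criteria, body in blocks:
        if block_matches(kind, criteria, hostname, post_canon):
            for key, value in body:
                options.setdefault(key, value)  # first match wins
    return options


def canonicalise(hostname, options):
    """Toy canonicalisation (assumption): append the first CanonicalDomains
    entry when the name has no more dots than CanonicalizeMaxDots."""
    domains = options.get("canonicaldomains", "").split()
    max_dots = int(options.get("canonicalizemaxdots", "1"))
    if domains and hostname.count(".") <= max_dots:
        return f"{hostname}.{domains[0]}"
    return hostname


def effective_options(text, hostname):
    """Run pass 1 on the typed name, pass 2 on the canonical name, and
    return the option map the client would end up with."""
    blocks = parse_blocks(text)
    options = apply_pass(blocks, {}, hostname, post_canon=False)
    canonical = canonicalise(hostname, options)
    return apply_pass(blocks, options, canonical, post_canon=True)


if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL), ("fixed", FIXED)):
        opts = effective_options(cfg, "web")
        print(f"{label}: forwardagent={opts.get('forwardagent')} "
              f"proxyjump={opts.get('proxyjump')}")
```

For the host "web" the model reports forwardagent=no for the original layout and forwardagent=yes (with proxyjump=bastion) for the reordered one, for exactly the reason the comment gives: in pass 1 "Host *" already claims ForwardAgent, so the pass-2 "Match canonical" value is discarded. The authoritative check on a real system is `ssh -G web | grep -i forwardagent`, which prints the value in effect after both passes; since agent forwarding exposes the local agent to the remote host, it is worth confirming that value for each host rather than trusting the block order.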