[Bug 3555] ForwardAgent doesn't work under Match canonical
bugzilla-daemon at mindrot.org
Mon Apr 3 09:55:02 AEST 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3555
Damien Miller <djm at mindrot.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WORKSFORME
             Status|NEW                         |RESOLVED
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
This is working as intended.

When hostname canonicalisation is enabled, the configuration is parsed
twice. An initial pass to collect options and then a second pass after
the hostnames are finalised. Most configuration options operate as
"first match wins".

So what's happening here is that, on the first pass, your "Host *"
block is being parsed and the ForwardAgent option is being set to "no".
On the subsequent pass, the ForwardAgent directive in the "Match
canonical" block is ignored because it's already set.

You can avoid this by only setting the fallback ForwardAgent on the
final pass, e.g.

----
Host bastion
  ProxyJump none

Match canonical
  ProxyJump bastion
  ForwardAgent yes

Match all
  CanonicalizeHostname always
  CanonicalDomains mydomain.co.uk
  CanonicalizeMaxDots 0
  CanonicalizeFallbackLocal yes

Match canonical all
  ForwardAgent no
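
Added example (not part of the original bug comment, and not OpenSSH code): a simplified Python model of the two-pass, first-value-wins evaluation described in the comment above, run against the suggested configuration and against a variant whose fallback sits in a "Host *" block. The host name "web", the canonical name supplied by the caller (no DNS lookup is done) and the BROKEN variant are assumptions; only Host patterns and the "canonical" and "all" Match criteria are modelled.

```python
from fnmatch import fnmatchcase

# The configuration suggested in the comment above.
FIXED = """
Host bastion
  ProxyJump none
Match canonical
  ProxyJump bastion
  ForwardAgent yes
Match all
  CanonicalizeHostname always
  CanonicalDomains mydomain.co.uk
  CanonicalizeMaxDots 0
  CanonicalizeFallbackLocal yes
Match canonical all
  ForwardAgent no
"""
# Constructed variant: the fallback sits in a "Host *" block, as the comment describes.
BROKEN = FIXED.replace("Match canonical all", "Host *")

def block_applies(keyword, args, host, second_pass):
    if keyword == "host":
        return any(fnmatchcase(host, pattern) for pattern in args)
    for criterion in (a.lower() for a in args):
        if criterion not in ("canonical", "all"):
            raise ValueError(f"criterion not modelled: {criterion}")
        if criterion == "canonical" and not second_pass:
            return False  # "canonical" only matches on the re-parse
    return True

def run_pass(config, host, second_pass, options):
    active = True  # lines before the first Host/Match apply to every host
    for line in config.splitlines():
        words = line.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key in ("host", "match"):
            active = block_applies(key, args, host, second_pass)
        elif active:
            options.setdefault(key, " ".join(args))  # first value obtained wins
    return options

def effective_options(config, host, canonical_host):
    options = run_pass(config, host, False, {})
    if options.get("canonicalizehostname", "no") in ("yes", "always"):
        run_pass(config, canonical_host, True, options)  # re-parse, keeping earlier values
    return options

if __name__ == "__main__":
    for name, cfg in (("Host * fallback", BROKEN), ("Match canonical all fallback", FIXED)):
        print(name, "->", effective_options(cfg, "web", "web.mydomain.co.uk")["forwardagent"])
```

On a real client, `ssh -G <host>` prints the options OpenSSH itself resolves for a host, which is the authoritative check of whether agent forwarding ends up enabled.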