Question regarding patch for ProxyCommand setting
Ben Lindstrom
mouring at etoh.eviladmin.org
Sat Sep 28 11:32:11 EST 2002
Without pulling it out of the Host * section and putting in each area. I
don't think so.
Trying to think of the best/easy way to handle this if a patch is accepted
post 3.5. I don't like the 'ProxyCommand -'. It does not match any of
our current syntax. I'd almost want to suggest a 'DisableProxyCommand
[yes|no]'. but 'DisableProxyCommand no' does not make sense. I'm not
sure that we want to allow 'ProxyCommand' with no additional argument, but
it would make more sense then '-' which is normally reserved hinting at
'use stdin/stdout'.
However, IdentityFile does not support clearing the internal list either
(Not sure it is required ever. I can't think of a case where it would be
required).
Guess it Markus agrees, I would not be against allowing:
Host *
ProxyCommand /usr/bin/spam
Host localhost
ProxyCommand
But it would be after 3.5 release.
- Ben
On Thu, 26 Sep 2002, Thomas Binder wrote:
> Hi!
>
> I recently started using ProxyCommand and noticed that it's not
> possible to specify a "none" value for it. I've already written a
> patch for that, but wanted to discuss the issue before posting the
> patch.
>
> The problem is the following: I'd like to use a ProxyCommand by
> default, but exclude some hosts. But as soon as I have
>
> Host *
> ProxyCommand /some/proxy/command %h %p
>
> at the end of ssh_config, there's no way to disable ProxyCommand
> in another host section.
>
> I need this to still have the possibility to access localhost
> without host key checking [1], i.e. I'd like to have something
> like
>
> Host localhost
> ProxyCommand -
>
> That'd be necessary because as soon as a ProxyCommand is active,
> NoHostAuthenticationForLocalhost is ignored because OpenSSH no
> longer has a way to tell whether "localhost" is really the
> loopback interface.
>
> So, is there any way to achieve what I want without adding support
> for something like "ProxyCommand -" (and without having to add
> each and every host that should be accessed via the proxy command
> to ssh_config)? And if there's no other way, would there be
> interest in adding my patch?
>
>
> Ciao
>
> Thomas
>
>
> [1] That's because I've written shell scripts that allow to copy
> files from and to remote hosts that can only be accessed with
> an ssh chain (e.g. ssh -t host1 ssh -t host2 ssh -t host3).
> This is achieved by automatically opening a tunnel to port 22
> of the remote host using such a chain, and then scp to and
> from localhost. Without NoHostAuthenticationForLocalhost, scp
> would always fail because of a changed host key.
>
>
> --
> "No, `Eureka' is Greek for `This bath is too hot.'"
> -- Dr. Who
>
More information about the openssh-unix-dev
mailing list