Question regarding patch for ProxyCommand setting

Ben Lindstrom mouring at etoh.eviladmin.org
Sat Sep 28 11:32:11 EST 2002


Without pulling it out of the Host * section and putting it in each area.  I
don't think so.

Trying to think of the best/easy way to handle this if a patch is accepted
post 3.5.  I don't like the 'ProxyCommand -'.  It does not match any of
our current syntax.  I'd almost want to suggest a 'DisableProxyCommand
[yes|no]'.  But 'DisableProxyCommand no' does not make sense.  I'm not
sure that we want to allow 'ProxyCommand' with no additional argument, but
it would make more sense than '-', which is normally reserved for hinting at
'use stdin/stdout'.

However, IdentityFile does not support clearing the internal list either
(Not sure it is required ever.  I can't think of a case where it would be
required).

Guess if Markus agrees, I would not be against allowing:

Host *
	ProxyCommand /usr/bin/spam

Host localhost
	ProxyCommand

But it would be after 3.5 release.

- Ben

On Thu, 26 Sep 2002, Thomas Binder wrote:

> Hi!
>
> I recently started using ProxyCommand and noticed that it's not
> possible to specify a "none" value for it. I've already written a
> patch for that, but wanted to discuss the issue before posting the
> patch.
>
> The problem is the following: I'd like to use a ProxyCommand by
> default, but exclude some hosts. But as soon as I have
>
> Host *
> 	ProxyCommand /some/proxy/command %h %p
>
> at the end of ssh_config, there's no way to disable ProxyCommand
> in another host section.
>
> I need this to still have the possibility to access localhost
> without host key checking [1], i.e. I'd like to have something
> like
>
> Host localhost
> 	ProxyCommand -
>
> That'd be necessary because as soon as a ProxyCommand is active,
> NoHostAuthenticationForLocalhost is ignored because OpenSSH no
> longer has a way to tell whether "localhost" is really the
> loopback interface.
>
> So, is there any way to achieve what I want without adding support
> for something like "ProxyCommand -" (and without having to add
> each and every host that should be accessed via the proxy command
> to ssh_config)? And if there's no other way, would there be
> interest in adding my patch?
>
>
> Ciao
>
> Thomas
>
>
> [1] That's because I've written shell scripts that allow copying
>     files from and to remote hosts that can only be accessed with
>     an ssh chain (e.g. ssh -t host1 ssh -t host2 ssh -t host3).
>     This is achieved by automatically opening a tunnel to port 22
>     of the remote host using such a chain, and then scp to and
>     from localhost. Without NoHostAuthenticationForLocalhost, scp
>     would always fail because of a changed host key.
>
>
> --
> "No, `Eureka' is Greek for `This bath is too hot.'"
> 		-- Dr. Who
>
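The whole thread turns on how ssh_config resolves options: ssh keeps the first value obtained for each option, so a per-host block placed before the trailing "Host *" wins, and the open question is only how to express "no proxy" in that block. The following is an added example (not code from the thread or from OpenSSH) that models that resolution rule and Ben's proposed "ProxyCommand with no argument" as an explicit clear; the sample configs are constructed, and the parser assumes plain glob patterns (no negated "!pattern" entries). Later OpenSSH releases solved the same problem with the literal value "none".

```python
import fnmatch
from typing import Optional

# Constructed ssh_config modelled on the thread: default ProxyCommand in a
# trailing "Host *" block, and a bare "ProxyCommand" (the proposed syntax,
# not OpenSSH 3.x) in an earlier per-host block to clear it.
CONFIG_OVERRIDE_FIRST = """\
Host localhost
\tProxyCommand

Host *
\tProxyCommand /usr/bin/spam %h %p
"""

# Same two blocks in the other order: the "Host *" default is now obtained
# first, so the per-host clear below it never takes effect.
CONFIG_DEFAULT_FIRST = """\
Host *
\tProxyCommand /usr/bin/spam %h %p

Host localhost
\tProxyCommand
"""

def parse_ssh_config(text: str) -> list[tuple[list[str], dict[str, str]]]:
    """Return (host patterns, options) blocks in file order.
    Options before any Host line apply to every host (pattern '*')."""
    blocks: list[tuple[list[str], dict[str, str]]] = [(["*"], {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((value.split(), {}))
        else:
            blocks[-1][1].setdefault(key, value)  # first value in a block wins
    return blocks

def resolve_proxycommand(text: str, hostname: str) -> Optional[str]:
    """ProxyCommand ssh would use for hostname, or None for a direct connection.
    The first matching block that sets the option decides; an empty argument
    (assumed proposal syntax) selects 'no proxy' and stops later blocks."""
    for patterns, options in parse_ssh_config(text):
        if not any(fnmatch.fnmatchcase(hostname, p) for p in patterns):
            continue
        if "proxycommand" in options:
            value = options["proxycommand"]  # %h/%p tokens left unexpanded
            return None if value == "" else value
    return None
```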