Trouble with -W

Dag-Erling Smørgrav des at
Fri Jul 5 23:11:57 EST 2013

I want to ssh from a client to a machine on a closed network via a
jumphost; let's call them {client,internal,jumphost}  I
have authpf set up on the jumphost so that when logged in, I am allowed
to open TCP connections from the jumphost to port 22 on internal nodes.
This works well with port forwarding:

  des at client ~% ssh

but I'd rather use ProxyCommand, so I add something like this to my

  Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%l-%r@%h:%p

  Host jumphost

  Host internal
    ProxyCommand ssh -vW %h:%p

I then ssh to the jumphost, which starts authpf and opens a control
socket on the client:

  des at client ~% ssh
  Last login: Fri Jul  5 12:44:48 2013 from

  Hello des. You are authenticated from host ""

I should now be able to ssh to the internal node like this:

  des at client ~% ssh -v

But this doesn't work:

  debug1: Control socket "/home/des/.ssh/ at" does not exist
  debug1: Executing proxy command: exec ssh -vW
  debug1: permanently_drop_suid: 1001
  debug1: identity file /home/des/.ssh/identity type -1
  debug1: identity file /home/des/.ssh/id_rsa type 1
  debug1: identity file /home/des/.ssh/id_dsa type -1
  OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
  debug1: Reading configuration data /home/des/.ssh/config
  debug1: Applying options for *
  debug1: Applying options for
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: auto-mux: Trying existing master
  ssh_exchange_identification: Connection closed by remote host

On the jumphost, I see this:

  Jul  5 12:46:16 jumphost -authpf-noip: non-interactive session connection for authpf

My question is: why did sshd on the jumphost try to execute authpf?
Shouldn'it have just opened a TCP connection to,
as it does with simple port forwarding?  Is there a way to get around

In this example, the client and server both run RHEL 6.4 with OpenSSH
5.3p1, while the jumphost runs FreeBSD 9.1 with OpenSSH 5.8p2.  I can
live with an answer that says "upgrade to 6.x on the jumphost", but the
client and server are outside my control.

Dag-Erling Smørgrav - des at

More information about the openssh-unix-dev mailing list