Trouble with -W

Dag-Erling Smørgrav des at des.no
Fri Jul 5 23:11:57 EST 2013


I want to ssh from a client to a machine on a closed network via a
jumphost; let's call them {client,internal,jumphost}.example.com.  I
have authpf set up on the jumphost so that when logged in, I am allowed
to open TCP connections from the jumphost to port 22 on internal nodes.
This works well with port forwarding:

  des@client ~% ssh -L2222:internal.example.com:22 jumphost.example.com

but I'd rather use ProxyCommand, so I add something like this to my
~/.ssh/config:

  Host *
    ControlMaster auto
    ControlPath ~/.ssh/cm-%l-%r@%h:%p

  Host jumphost jumphost.example.com
    HostName jumphost.example.com
    HostKeyAlias jumphost.example.com

  Host internal internal.example.com
    HostName internal.example.com
    HostKeyAlias internal.example.com
    ProxyCommand ssh -vW %h:%p jumphost.example.com

I then ssh to the jumphost, which starts authpf and opens a control
socket on the client:

  des@client ~% ssh jumphost.example.com
  Password:
  Last login: Fri Jul  5 12:44:48 2013 from client.example.com

  Hello des. You are authenticated from host "192.168.144.120"

I should now be able to ssh to the internal node like this:

  des@client ~% ssh -v internal.example.com

But this doesn't work:

  [...]
  debug1: Control socket "/home/des/.ssh/cm-client.example.com-des@internal.example.com:22" does not exist
  debug1: Executing proxy command: exec ssh -vW internal.example.com:22 jumphost.example.com
  debug1: permanently_drop_suid: 1001
  debug1: identity file /home/des/.ssh/identity type -1
  debug1: identity file /home/des/.ssh/id_rsa type 1
  debug1: identity file /home/des/.ssh/id_dsa type -1
  OpenSSH_5.3p1, OpenSSL 1.0.0-fips 29 Mar 2010
  debug1: Reading configuration data /home/des/.ssh/config
  debug1: Applying options for *
  debug1: Applying options for jumphost.example.com
  debug1: Reading configuration data /etc/ssh/ssh_config
  debug1: Applying options for *
  debug1: auto-mux: Trying existing master
  ssh_exchange_identification: Connection closed by remote host

On the jumphost, I see this:

  Jul  5 12:46:16 jumphost -authpf-noip: non-interactive session connection for authpf

My question is: why did sshd on the jumphost try to execute authpf?
Shouldn't it have just opened a TCP connection to internal.example.com:22,
as it does with simple port forwarding?  Is there a way to get around
this?

In this example, the client and server both run RHEL 6.4 with OpenSSH
5.3p1, while the jumphost runs FreeBSD 9.1 with OpenSSH 5.8p2.  I can
live with an answer that says "upgrade to 6.x on the jumphost", but the
client and server are outside my control.

DES
-- 
Dag-Erling Smørgrav - des at des.no