OSX - SSH agent functionality differing based upon CLI arguments

Markus Friedl mfriedl at gmail.com
Fri Jan 10 07:12:09 EST 2014 

This is due to ssh's flexible argument parsing. If you skip the hostname, them something else is interpreted as the hostname. 




> Am 09.01.2014 um 18:43 schrieb bryan hunt <picsolvebryan at gmail.com>:
> 
> Yes, called as you describe, SSH works correctly (it Forwards Agent). Quirky!
> 
> But, called the way I was doing, everything but Agent Forwarding works. 
> 
> Strange. Looking further, I found another odd behaviour. 
> 
> ssh -o User=vagrant -o Hostname=127.0.0.1 -p 2222 -o Compression=yes -o StrictHostKeyChecking=no -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o IdentitiesOnly=yes -i /Users/bryanhunt/.vagrant.d/insecure_private_key -o ForwardAgent=yes -o LogLevel=DEBUG "" "/bin/sh  -c 'git clone git at bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockerddd’ "
> 
> Note how I added the empty quoted string in the hostname position. 
> 
> SSH Agent Forwarding works if I add that empty quoted string. 
> 
> If I remove the empty quoted string, the git checkout is executed, but prompts for authentication.
> 
> I would expect SSH to completely succeed, or completely fail to execute the command - rather than have the side channel (SSH agent) fail or succeed based upon how I express the command line arguments. 
> 
> This is a stock version of the ssh command on OSX.
> 
> The checksum is:
> 
> MD5 (/usr/bin/ssh) = 35caacee333ebae93d4087ca349738e4
> 
> Perhaps another OSX user could verify this behaviour? 
> 
> Regards,
> 
> Bryan Hunt
> 
> 
>> On 9 Jan 2014, at 17:21, Markus Friedl <mfriedl at gmail.com> wrote:
>> 
>> You pass it as an option. 
>> 
>> But ssh is called like 
>> 
>> $ ssh [options] hostname [command]
>> 
>> 
>> 
>> 
>> 
>>> Am 09.01.2014 um 16:21 schrieb bryan hunt <picsolvebryan at gmail.com>:
>>> 
>>> 
>>> I don’t understand, in the second example, "ssh -o HostName=127.0.0.1 “, is the very first argument to the program…
>>> 
>>> 
>>> 
>>>> On 9 Jan 2014, at 13:21, Markus Friedl <mfriedl at gmail.com> wrote:
>>>> 
>>>> The 2nd example misses the required hostname argument.
>>>> 
>>>> 
>>>> 
>>>> 
>>>>> Am 09.01.2014 um 13:32 schrieb bryan hunt <picsolvebryan at gmail.com>:
>>>>> 
>>>>> 
>>>>> Trying to get SSH agent forwarding working for a popular open source configuration management system called Ansible.
>>>>> 
>>>>> I’ve had some unexpected behaviour, the only cause of which I can find is how I express the command line arguments.
>>>>> 
>>>>> http://stackoverflow.com/questions/20952689/vagrant-ssh-agent-forwarding-how-is-it-working?noredirect=1#comment31511341_20952689
>>>>> 
>>>>> In summarise:
>>>>> 
>>>>> In the first instance I can create a SSH connection, and and execute a remote git clone (via SSH), the Agent Forwarding works, and I am not prompted for credentials:
>>>>> 
>>>>> ssh vagrant at 127.0.0.1 -p 2222 \
>>>>> -o Compression=yes \
>>>>> -o StrictHostKeyChecking=no \
>>>>> -o LogLevel=FATAL \
>>>>> -o StrictHostKeyChecking=no \
>>>>> -o UserKnownHostsFile=/dev/null \
>>>>> -o IdentitiesOnly=yes \
>>>>> -i /Users/bryanhunt/.vagrant.d/insecure_private_key \
>>>>> -o ForwardAgent=yes \
>>>>> "/bin/sh  -c 'git clone git at bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockera' "
>>>>> Cloning into '/home/vagrant/poc_dockera'...
>>>>> 
>>>>> In the second instance I express the arguments differently ( -o HostName=127.0.0.1 -o User=vagrant ), and Agent Forwarding doesn’t seem to work:
>>>>> 
>>>>> ssh -o HostName=127.0.0.1 -o User=vagrant -p 2222 \
>>>>> -o Compression=yes \
>>>>> -o StrictHostKeyChecking=no \
>>>>> -o LogLevel=FATAL \
>>>>> -o StrictHostKeyChecking=no \
>>>>> -o UserKnownHostsFile=/dev/null \
>>>>> -o IdentitiesOnly=yes \
>>>>> -i /Users/bryanhunt/.vagrant.d/insecure_private_key \
>>>>> -o ForwardAgent=yes \
>>>>> "/bin/sh  -c 'git clone git at bitbucket.org:bryan_picsolve/poc_docker.git /home/vagrant/poc_dockerb' "
>>>>> /bin/sh  -c 'git clone git at 127.0.0.1's password:
>>>>> 
>>>>> The client side SSH is:
>>>>> 
>>>>> OpenSSH_6.2p2, OSSLShim 0.9.8r 8 Dec 2011
>>>>> 
>>>>> The server side SSH is:
>>>>> 
>>>>> OpenSSH_5.9p1 Debian-5ubuntu1.1, OpenSSL 1.0.1 14 Mar 2012
>>>>> 
>>>>> 
>>>>> Have any of the list members got an insight into this behaviour ?
>>>>> 
>>>>> Thanks in advance, 
>>>>> 
>>>>> Bryan Hunt
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> 
>>>>> _______________________________________________
>>>>> openssh-unix-dev mailing list
>>>>> openssh-unix-dev at mindrot.org
>>>>> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
> 
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

More information about the openssh-unix-dev mailing list