[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Thu May 5 16:26:41 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> 2011-05-05 16:26:41 EST ---
I think you are misunderstanding how the configuration is applied by
Host directives. Overrides are *per-configuration item*.

In your first case you are not specifying an IdentityFile in your
login.example.org block, so it is unset when the also-matching
*.example.org block is applied. To do what you want, you should specify
your normal IdentityFiles in the login.example.org block:

Host login.example.org
        User loginUser
        ProxyCommand none
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/id_dsa
        IdentityFile ~/.ssh/id_ecdsa

Host *.example.org
        User root
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p

The rules for IdentityFile are a little different to most. IdentityFile
adds to the list of keys, whereas most other directives are *first
match wins*. This leads to the slightly undesirable effect of appending
~/.ssh/internal_example_org_key.id_rsa to the list of keys, even for
login.example.org. We can't avoid that unless we support negated
matching in Host blocks.



More information about the openssh-bugs mailing list
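Added example, not part of the bug report and not OpenSSH code: a small Python simulation of the per-option resolution Damien describes (first match wins for ordinary directives, IdentityFile accumulates across every matching Host block). It is run against his suggested config and against a reconstruction of the reporter's "first case"; the reconstruction assumes the only difference is that the login.example.org block carries no IdentityFile lines. The parser handles only the `Host pattern` / `Key value` form used on the page, matches only positive glob patterns, and does not model the built-in default keys ssh tries when no IdentityFile is set anywhere.

```python
import fnmatch
from typing import Dict, List, Tuple

# Damien's suggested config, copied from the comment above.
SUGGESTED_CONFIG = """
Host login.example.org
        User loginUser
        ProxyCommand none
        IdentityFile ~/.ssh/id_rsa
        IdentityFile ~/.ssh/id_dsa
        IdentityFile ~/.ssh/id_ecdsa

Host *.example.org
        User root
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p
"""

# Constructed reconstruction of the reporter's first case (assumption: identical
# layout, but no IdentityFile in the login.example.org block).
ORIGINAL_CONFIG = """
Host login.example.org
        User loginUser
        ProxyCommand none

Host *.example.org
        User root
        IdentityFile ~/.ssh/internal_example_org_key.id_rsa
        ProxyCommand ssh login.example.org nc %h %p
"""

# Directives that append to a list instead of being set once.
ADDITIVE = {"identityfile"}

Block = Tuple[List[str], List[Tuple[str, str]]]


def parse_config(text: str) -> List[Block]:
    """Split ssh_config text into (host patterns, [(key, value), ...]) blocks in file order."""
    blocks: List[Block] = []
    patterns: List[str] = ["*"]  # directives before the first Host line apply everywhere
    directives: List[Tuple[str, str]] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append((patterns, directives))
            patterns, directives = value.split(), []
        else:
            directives.append((key, value))
    blocks.append((patterns, directives))
    return blocks


def resolve(blocks: List[Block], host: str) -> Dict[str, object]:
    """Apply every matching block in order: first match wins, except ADDITIVE keys accumulate."""
    effective: Dict[str, object] = {}
    for patterns, directives in blocks:
        if not any(fnmatch.fnmatchcase(host, p) for p in patterns):
            continue
        for key, value in directives:
            if key in ADDITIVE:
                effective.setdefault(key, []).append(value)  # type: ignore[union-attr]
            elif key not in effective:
                effective[key] = value  # an earlier block already set it otherwise
    return effective


def effective_config(text: str, host: str) -> Dict[str, object]:
    return resolve(parse_config(text), host)


if __name__ == "__main__":
    for label, cfg in (("suggested", SUGGESTED_CONFIG), ("original", ORIGINAL_CONFIG)):
        for host in ("login.example.org", "db.example.org"):
            print(label, host, effective_config(cfg, host))
```

With the suggested config, login.example.org keeps `User loginUser` and `ProxyCommand none` because its block comes first, while the key list is the three normal keys followed by the internal key, exactly the "slightly undesirable" append Damien mentions. With the reconstructed original, login.example.org ends up with only the internal key, which is the behaviour the reporter saw.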