[Bug 3000] New: Redirect of ProxyCommands' stderr to /dev/null hides useful information

[bugzilla-daemon at bugzilla.mindrot.org]

https://bugzilla.mindrot.org/show_bug.cgi?id=3000

            Bug ID: 3000
           Summary: Redirect of ProxyCommands' stderr to /dev/null hides
                    useful information
           Product: Portable OpenSSH
           Version: 8.0p1
          Hardware: amd64
                OS: Linux
            Status: NEW
          Severity: minor
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: jroquet at arkanosis.net

Hi,

8.0p1 introduces that change (from the release notes¹):

 * ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
   started with ControlPersist; prevents random ProxyCommand output
   from interfering with session output.

I'm sure there are very good reasons to do that, however it has the
annoying side effect of hiding information that may otherwise be
useful.

Having updated yesterday, I've been missing two things already:
 - the output generated by SSH's own VisualHostKey, which is printed to
stderr;
 - the instructions sent on stderr by some SSH bastion I've no control
over, about how to use its proprietary 2FA (namely RSA SecurID).

I could probably live without the former (that's just a handy visual
clue I'm accustomed to), but I'm kind of lost without the latter,
because there's nothing standard in how that bastion expects me to
reply to the password prompt.

I can see plenty of other cases where stderr could be important for
ProxyCommands, starting with actual error messages one would expect to
find here.

Is there some subtlety I've missed here? Or any way to prevent stderr
from being hidden? I guess I could redirect it to stdout right in the
ProxyCommand, but that seems a bit “hacky”…

Thanks!

¹ https://www.openssh.com/releasenotes.html

-- 
You are receiving this mail because:
You are watching the assignee of the bug.