[Bug 2951] New: command line key options ignored for jumphost
bugzilla-daemon at bugzilla.mindrot.org
Tue Jan 8 06:59:50 AEDT 2019
https://bugzilla.mindrot.org/show_bug.cgi?id=2951
Bug ID: 2951
Summary: command line key options ignored for jumphost
Product: Portable OpenSSH
Version: 7.7p1
Hardware: amd64
OS: Mac OS X
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: chris.kiick at sailpoint.com
The -J option of ssh allows connecting via a "jump" host. However, I
am unable to specify a key to use for the jump host on the command
line.
Command:
> ssh -i keyfile -J user@bastion.host user@final.host
Expected behavior:
ssh authenticates to jumphost with key in keyfile, then proceeds to
connect to final host. Final host may use same or different key.
Actual behavior:
user@bastion.host: Permission denied
(publickey,gssapi-keyex,gssapi-with-mic).
ssh_exchange_identification: Connection closed by remote host
Using verbose options it is clear that keyfile is never offered to the
bastion host during authentication. Adding -o AddKeysToAgent=yes has
no effect. Putting AddKeysToAgent in ssh config file also has no
effect. It seems clear that any options relating to keys are ignored
when connecting to the jumphost. The only way to have a keyfile for
the jumphost is to pre-add it to the ssh-agent with ssh-add, or modify
the ssh config file. There are use cases where this is not desirable
(e.g. use in scripts, keys are rotated or expired often, ssh-agent is not
running, local host account is shared, etc).
The intuitive behavior would be for the -i and relevant -o options to
be applied before connecting to the jumphost.
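A script-friendly form of the config-file workaround the report mentions, as an added example that is not part of the original report or of OpenSSH: it writes a throwaway config that pins one key per hop and passes it with `-F`, so neither `~/.ssh/config` nor ssh-agent is touched. The function names and the `jump`/`target` host aliases are hypothetical, and the hop is expressed as `ProxyCommand ... -W` rather than `-J` so that the inner ssh is handed the same config file explicitly.

```shell
#!/bin/sh
# Added example (not from the bug report). Hosts, users and key paths are
# supplied by the caller; "jump" and "target" are hypothetical aliases.

# write_jump_config CFG JUMP_USER JUMP_HOST JUMP_KEY DEST_USER DEST_HOST DEST_KEY
write_jump_config() {
    (
        umask 077   # keep the file private if it does not exist yet
        cat > "$1" <<EOF
Host jump
    HostName $3
    User $2
    IdentityFile $4
    IdentitiesOnly yes

Host target
    HostName $6
    User $5
    IdentityFile $7
    IdentitiesOnly yes
    ProxyCommand ssh -F '$1' -W %h:%p jump
EOF
    )
}

# ssh_via_jump JUMP_USER JUMP_HOST JUMP_KEY DEST_USER DEST_HOST DEST_KEY [command...]
ssh_via_jump() {
    cfg=$(mktemp) || return 1
    if ! write_jump_config "$cfg" "$1" "$2" "$3" "$4" "$5" "$6"; then
        rm -f "$cfg"
        return 1
    fi
    shift 6
    # -F replaces the per-user config, so only the two Host blocks apply.
    ssh -F "$cfg" target "$@"
    rc=$?
    rm -f "$cfg"   # the config names key paths; do not leave it behind
    return "$rc"
}
```

`IdentitiesOnly yes` makes each hop offer only its listed key, which avoids authentication failures from a loaded agent offering unrelated keys first.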