[Bug 3026] ssh -F does not work as expected

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sat Jun 29 09:50:26 AEST 2019 

https://bugzilla.mindrot.org/show_bug.cgi?id=3026

--- Comment #2 from Evans Tucker <evans.tucker at gmail.com> ---
It seems like the reality is a little more complicated. I'm seeing this
behavior through a ProxyCommand. Here's what I'm seeing. Note that
after creating a ~/.ssh/config with "IdentitiesOnly yes", I get a
password prompt even though I'm specifying "-F ssh-bastion.conf" on the
command line:

$ cat ssh-bastion.conf 
Host 52.47.157.242
  Hostname 52.47.157.242
  StrictHostKeyChecking no
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Host 10.250.204.35 
  ProxyCommand ssh -o StrictHostKeyChecking=no -o
UserKnownHostsFile=/dev/null -W %h:%p core at 52.47.157.242 
$ cat ~/.ssh/config
cat: /home/evans/.ssh/config: No such file or directory
$ ssh -F ssh-bastion.conf core at 10.250.204.35 echo hi
Warning: Permanently added '52.47.157.242' (ECDSA) to the list of known
hosts.
hi
$ echo 'IdentitiesOnly yes' > ~/.ssh/config$ ssh -F ssh-bastion.conf
core at 10.250.204.35 echo hi
Warning: Permanently added '52.47.157.242' (ECDSA) to the list of known
hosts.
Password: 

Here's debug output showing that it says it's only loading
ssh-bastion.conf, but it's definitely behaving like it's reading
~/.ssh/config. You can see that the command goes through after I delete
~/.ssh/config even though I'm specifying "-F ssh-bastion.conf":

$ ssh -vvv -F ssh-bastion.conf core at 10.250.204.35 echo hi |& egrep
'(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
Password: 

$ rm ~/.ssh/config
$ ssh -vvv -F ssh-bastion.conf core at 10.250.204.35 echo hi |& egrep
'(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
debug1: Sending command: echo hi
hi
$

AHA! OK, I just figured it out... The ProxyCommand doesn't have "-F"
specified. If I put "-F /dev/null" in the ProxyCommand, things work as
expected!

$ cat ssh-bastion.conf 
Host 52.47.157.242
  Hostname 52.47.157.242
  StrictHostKeyChecking no
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Host 10.250.204.35 
  ProxyCommand ssh -vvv -F /dev/null -o StrictHostKeyChecking=no -o
UserKnownHostsFile=/dev/null -W %h:%p core at 52.47.157.242 
$ echo 'IdentitiesOnly yes' > ~/.ssh/config
$ ssh -vvv -F ssh-bastion.conf core at 10.250.204.35 echo hi |& egrep
'(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
debug1: Reading configuration data /dev/null
debug1: Sending command: echo hi
hi

Problem solved. Overly complex SSH config. I'll make push a bugfix to
kubespray to have them add "-F /dev/null" to ProxyCommand in their
ssh-bastion.conf file.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list