Debian Bug report logs - #929669
ssh: usability issue with -J and multiple jump hosts

Package: openssh-client; Maintainer for openssh-client is Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>; Source for openssh-client is src:openssh.

Reported by: Paul Wise <pabs@debian.org>

Date: Tue, 28 May 2019 09:33:01 UTC

Severity: normal

Tags: fixed-upstream

Found in version openssh/1:7.9p1-10

Fixed in version openssh/1:8.1p1-1

Done: Colin Watson <cjwatson@debian.org>

Bug is archived. No further changes may be made.

Forwarded to https://bugzilla.mindrot.org/show_bug.cgi?id=3015


Report forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#929669; Package openssh-client. (Tue, 28 May 2019 09:33:04 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
New Bug report received and forwarded. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 28 May 2019 09:33:04 GMT).


Message #5 received at submit@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: ssh: usability issue with -J and multiple jump hosts
Date: Tue, 28 May 2019 17:32:00 +0800
Package: openssh-client
Version: 1:7.9p1-10
Severity: normal
File: /usr/bin/ssh

When I try to proxy jump through multiple hosts using the most
intuitive way to do that (multiple -J options), ssh misleads me into
believing that ssh only supports a single jump host but if I use the
right syntax by separating the hosts with commas then it works fine.

I suggest that ssh either automatically combine the values of all the
proxy jump options using commas or print an error directing the user to
manually combine the values of all the proxy jump options using commas.

   $ ssh -J master.debian.org -J paradis.debian.org draghi.debian.org echo yay
   Only a single -J option permitted

   $ ssh -J master.debian.org,paradis.debian.org draghi.debian.org echo yay
   yay

-- System Information:
Debian Release: 10.0
  APT prefers testing-debug
  APT policy: (900, 'testing-debug'), (900, 'testing'), (800, 'unstable-debug'), (800, 'unstable'), (790, 'buildd-unstable'), (700, 'experimental-debug'), (700, 'experimental'), (690, 'buildd-experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 4.19.0-5-amd64 (SMP w/4 CPU cores)
Kernel taint flags: TAINT_FIRMWARE_WORKAROUND, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=en_AU.utf8, LC_CTYPE=en_AU.utf8 (charmap=UTF-8), LANGUAGE=en_AU.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-client depends on:
ii  adduser           3.118
ii  dpkg              1.19.6
ii  libc6             2.28-10
ii  libedit2          3.1-20181209-1
ii  libgssapi-krb5-2  1.17-2
ii  libselinux1       2.8-1+b1
ii  libssl1.1         1.1.1b-2
ii  passwd            1:4.5-1.1
ii  zlib1g            1:1.2.11.dfsg-1

Versions of packages openssh-client recommends:
ii  xauth  1:1.0.10-1

Versions of packages openssh-client suggests:
pn  keychain                         <none>
pn  libpam-ssh                       <none>
ii  monkeysphere                     0.43-3
ii  ssh-askpass-gnome [ssh-askpass]  1:7.9p1-10

-- no debconf information

-- 
bye,
pabs

https://wiki.debian.org/PaulWise
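
The first suggestion in the report above (combine repeated `-J` values with commas) can be done client-side with a small wrapper; this is an added example, not part of the original report and not OpenSSH code. The function name `sshj` and the `SSH_BIN` dry-run override are hypothetical, and only `-J` options given before any other argument are merged, since later arguments may belong to the remote command.

```shell
#!/bin/sh
# sshj: merge leading -J options into one comma-separated jump list,
# then run ssh. SSH_BIN (hypothetical) replaces ssh for dry runs.

sshj() {
    jumps=""
    # Stop at the first argument that is not -J: everything after the
    # destination is the remote command and must not be rewritten.
    while [ "$#" -gt 0 ]; do
        case $1 in
            -J)
                [ "$#" -ge 2 ] || { echo "sshj: -J needs a value" >&2; return 2; }
                hop=$2
                shift 2
                ;;
            -J?*)
                hop=${1#-J}
                shift
                ;;
            *)
                break
                ;;
        esac
        # Refuse values that would produce an empty list element or that
        # look like another option rather than a host.
        case $hop in
            ""|,*|*,|*,,*|-*)
                echo "sshj: bad jump host '$hop'" >&2
                return 2
                ;;
        esac
        jumps=${jumps:+$jumps,}$hop
    done
    if [ -n "$jumps" ]; then
        set -- -J "$jumps" "$@"
    fi
    "${SSH_BIN:-ssh}" "$@"
}
```

With this, `sshj -J master.debian.org -J paradis.debian.org draghi.debian.org echo yay` runs the comma-separated form shown in the report.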


Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#929669; Package openssh-client. (Tue, 28 May 2019 09:57:03 GMT).


Acknowledgement sent to Colin Watson <cjwatson@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Tue, 28 May 2019 09:57:03 GMT).


Message #10 received at 929669@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: Paul Wise <pabs@debian.org>, 929669@bugs.debian.org
Subject: Re: Bug#929669: ssh: usability issue with -J and multiple jump hosts
Date: Tue, 28 May 2019 10:55:23 +0100
On Tue, May 28, 2019 at 05:32:00PM +0800, Paul Wise wrote:
> When I try to proxy jump through multiple hosts using the most
> intuitive way to do that (multiple -J options), ssh misleads me into
> believing that ssh only supports a single jump host but if I use the
> right syntax by separating the hosts with commas then it works fine.
> 
> I suggest that ssh either automatically combine the values of all the
> proxy jump options using commas or print an error directing the user to
> manually combine the values of all the proxy jump options using commas.

Could you please send this upstream (bugzilla.mindrot.org)?  For feature
requests and other similar suggestions like this it's usually most
efficient for the bug submitter to do that directly rather than me
forwarding them, since then any back-and-forth discussion with upstream
can be done directly rather than by me trying to act as an advocate and
intermediary.

Thanks,

-- 
Colin Watson                                       [cjwatson@debian.org]



Information forwarded to debian-bugs-dist@lists.debian.org, Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>:
Bug#929669; Package openssh-client. (Wed, 29 May 2019 00:00:04 GMT).


Acknowledgement sent to Paul Wise <pabs@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>. (Wed, 29 May 2019 00:00:04 GMT).


Message #15 received at 929669@bugs.debian.org:

From: Paul Wise <pabs@debian.org>
To: Colin Watson <cjwatson@debian.org>, 929669@bugs.debian.org
Subject: Re: Bug#929669: ssh: usability issue with -J and multiple jump hosts
Date: Wed, 29 May 2019 07:56:16 +0800
Control: forwarded -1 https://bugzilla.mindrot.org/show_bug.cgi?id=3015

On Tue, 2019-05-28 at 10:55 +0100, Colin Watson wrote:

> Could you please send this upstream (bugzilla.mindrot.org)? 

Done. In case upstream ask me to test with 8.0p1 could you upload that
to experimental?

-- 
bye,
pabs

https://wiki.debian.org/PaulWise


Set Bug forwarded-to-address to 'https://bugzilla.mindrot.org/show_bug.cgi?id=3015'. Request was from Paul Wise <pabs@debian.org> to 929669-submit@bugs.debian.org. (Wed, 29 May 2019 00:00:04 GMT).


Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Mon, 22 Jul 2019 19:30:14 GMT).


Reply sent to Colin Watson <cjwatson@debian.org>:
You have taken responsibility. (Thu, 10 Oct 2019 09:51:03 GMT).


Notification sent to Paul Wise <pabs@debian.org>:
Bug acknowledged by developer. (Thu, 10 Oct 2019 09:51:03 GMT).


Message #24 received at 929669-close@bugs.debian.org:

From: Colin Watson <cjwatson@debian.org>
To: 929669-close@bugs.debian.org
Subject: Bug#929669: fixed in openssh 1:8.1p1-1
Date: Thu, 10 Oct 2019 09:49:58 +0000
Source: openssh
Source-Version: 1:8.1p1-1

We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 929669@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Colin Watson <cjwatson@debian.org> (supplier of updated openssh package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Thu, 10 Oct 2019 10:23:19 +0100
Source: openssh
Architecture: source
Version: 1:8.1p1-1
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <debian-ssh@lists.debian.org>
Changed-By: Colin Watson <cjwatson@debian.org>
Closes: 929669
Changes:
 openssh (1:8.1p1-1) unstable; urgency=medium
 .
   * New upstream release (https://www.openssh.com/txt/release-8.1):
     - ssh(1), sshd(8), ssh-agent(1): Add protection for private keys at rest
       in RAM against speculation and memory side-channel attacks like
       Spectre, Meltdown and Rambleed.  This release encrypts private keys
       when they are not in use with a symmetric key that is derived from a
       relatively large "prekey" consisting of random data (currently 16KB).
     - ssh(1): Allow %n to be expanded in ProxyCommand strings.
     - ssh(1), sshd(8): Allow prepending a list of algorithms to the default
       set by starting the list with the '^' character, e.g.
       "HostKeyAlgorithms ^ssh-ed25519".
     - ssh-keygen(1): Add an experimental lightweight signature and
       verification ability.  Signatures may be made using regular ssh keys
       held on disk or stored in a ssh-agent and verified against an
       authorized_keys-like list of allowed keys.  Signatures embed a
       namespace that prevents confusion and attacks between different usage
       domains (e.g. files vs email).
     - ssh-keygen(1): Print key comment when extracting public key from a
       private key.
     - ssh-keygen(1): Accept the verbose flag when searching for host keys in
       known hosts (i.e. "ssh-keygen -vF host") to print the matching host's
       random-art signature too.
     - All: Support PKCS8 as an optional format for storage of private keys
       to disk.  The OpenSSH native key format remains the default, but PKCS8
       is a superior format to PEM if interoperability with non-OpenSSH
       software is required, as it may use a less insecure key derivation
       function than PEM's.
     - ssh(1): If a PKCS#11 token returns no keys then try to login and
       refetch them.
     - ssh(1): Produce a useful error message if the user's shell is set
       incorrectly during "match exec" processing.
     - sftp(1): Allow the maximum uint32 value for the argument passed to -b
       which allows better error messages from later validation.
     - ssh-keyscan(1): Include SHA2-variant RSA key algorithms in KEX
       proposal; allows ssh-keyscan to harvest keys from servers that disable
       old SHA1 ssh-rsa.
     - sftp(1): Print explicit "not modified" message if a file was requested
       for resumed download but was considered already complete.
     - sftp(1): Fix a typo and make <esc><right> move right to the closest
       end of a word just like <esc><left> moves left to the closest
       beginning of a word.
     - sshd(8): Cap the number of permitopen/permitlisten directives allowed
       to appear on a single authorized_keys line.
     - All: Fix a number of memory leaks (one-off or on exit paths).
     - ssh(1), sshd(8): Check for convtime() refusing to accept times that
       resolve to LONG_MAX.
     - ssh(1): Slightly more instructive error message when the user
       specifies multiple -J options on the command-line (closes: #929669).
     - ssh-agent(1): Process agent requests for RSA certificate private keys
       using correct signature algorithm when requested.
     - sftp(1): Check for user@host when parsing sftp target.  This allows
       user@[1.2.3.4] to work without a path.
     - sshd(8): Enlarge format buffer size for certificate serial number so
       the log message can record any 64-bit integer without truncation.
     - sshd(8): For PermitOpen violations add the remote host and port to be
       able to more easily ascertain the source of the request.  Add the same
       logging for PermitListen violations which were not previously logged
       at all.
     - scp(1), sftp(1): Use the correct POSIX format style for left
       justification for the transfer progress meter.
     - sshd(8): When examining a configuration using sshd -T, assume any
       attribute not provided by -C does not match, which allows it to work
       when sshd_config contains a Match directive with or without -C.
     - ssh(1), ssh-keygen(1): Downgrade PKCS#11 "provider returned no slots"
       warning from log level error to debug.  This is common when attempting
       to enumerate keys on smartcard readers with no cards plugged in.
     - ssh(1), ssh-keygen(1): Do not unconditionally log in to PKCS#11
       tokens.  Avoids spurious PIN prompts for keys not selected for
       authentication in ssh(1) and when listing public keys available in a
       token using ssh-keygen(1).
     - ssh(1), sshd(8): Fix typo that prevented detection of Linux VRF.
     - sshd(8): In the Linux seccomp-bpf sandbox, allow mprotect(2) with
       PROT_(READ|WRITE|NONE) only.  This syscall is used by some hardened
       heap allocators.
     - sshd(8): In the Linux seccomp-bpf sandbox, allow the s390-specific
       ioctl for ECC hardware support.
   * Re-enable hardening on hppa, since the corresponding GCC bug is
     apparently fixed.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 09 Nov 2019 07:27:54 GMT).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Mar 25 18:58:47 2023; Machine Name: buxtehude
