Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Support for more than one jump host #318

Closed
nightman68 opened this issue Feb 6, 2023 · 8 comments · Fixed by #512
Closed

Support for more than one jump host #318

nightman68 opened this issue Feb 6, 2023 · 8 comments · Fixed by #512
Assignees
@tomaswolf
Labels
bug An issue describing a bug in the code
Milestone
2.13.0

Comments

@nightman68
Copy link

Description

I have a special server running to which the connection is only possible via 2 jump hosts and my configuration for SSH looks like this:

Host jump1
  Hostname                    jump1.corp
  Port                        22
  User                        nightman
  LogLevel                    QUIET

Host jump2
  HostName                    jump2.dmz.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump1
  LogLevel                    QUIET

Host host*.dmz.corp
  ProxyJump                   nightman@jump2:22

This is working well with the native SSH clients.

It would be nice when your great libary would support such a configuration as well!

:-)

Motivation

Enhancements would make the library better usable for jump hosts.

Alternatives considered

There is no workaround I found so far.

Additional context

No response
@tomaswolf
Copy link
Member

tomaswolf commented Feb 7, 2023
edited
Loading

Looks like a shortcoming/bug in SshClient.java, connect() and doConnect(): it appears to parse only the ProxyJump in the top-level Host entry.

As a work-around, try

Host host*.dmz.corp
  ProxyJump nightman@jump2:22,nightman@jump1:22

That should work (if I read the code right), and also should work with openSSH.

@nightman68
Copy link
Author

nightman68 commented Feb 8, 2023
edited
Loading

@tomaswolf thanks for the quick response! I tested the workaround and it's working with one edit: the order of the proxy must be changed:

Host host*.dmz.corp
  ProxyJump nightman@jump1:22,nightman@jump2:22

The other settings like in the original post.

For the native SSH client the order must be like proposed by you :-( Tested with openSSH 1.0.2 k on RH 7 and 1.1.1 i in a git bash.

@tomaswolf
Copy link
Member

For the native SSH client the order must be like proposed by you :-(

So there's even a bug in that implementation in Apache MINA sshd. Really :-(.

@tomaswolf tomaswolf added the bug An issue describing a bug in the code label Feb 9, 2023
@nightman68
Copy link
Author

If it will help I can run tests with a fixed pre package.

@tomaswolf
Copy link
Member

Thanks for the offer. I won't have any time for any coding in the next few weeks, but perhaps someone else takes this on. Otherwise I'll take look sometime in March.

@tomaswolf tomaswolf mentioned this issue Mar 30, 2023
Closed
@nightman68
Copy link
Author

Any update?

@tomaswolf
Copy link
Member

Nope; I didn't get around to this yet. But it's up for grabs; we do welcome PRs.

@tomaswolf tomaswolf mentioned this issue Jan 9, 2024
Open
@nightman68 nightman68 mentioned this issue Mar 18, 2024
Closed
@nightman68
Copy link
Author

A PR #477 is available to fix this issue. I tested it with the 2 configurations below.

configuration 1:

Host host*.dmz.corp
  ProxyJump     [email protected]:22,[email protected]:22,[email protected]:22

configuration 2:

Host jump1
  Hostname                    jump1.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump2
  LogLevel                    QUIET

Host jump2
  HostName                    jump2.dmz.corp
  Port                        22
  User                        nightman
  ProxyJump                   jump3
  LogLevel                    QUIET

Host jump3
  HostName                    jump3.dmz.corp
  Port                        22
  User                        nightman
  LogLevel                    QUIET

Host host*.dmz.corp
  ProxyJump                   jump1

tomaswolf added a commit to tomaswolf/mina-sshd that referenced this issue Jun 2, 2024
@tomaswolf
apacheGH-318: fix proxyJumps
12e5283 
Previous code only parsed the proxy jumps of the initial
HostConfigEntry. However, if the last entry in that list has a
HostConfigEntry that again has proxy jumps, these additional
proxies must be added to the list. And so on.

To guard against proxy cascades with loops we limit the total
number of proxies to at most 10. The limit is configurable through
property CoreModuleProperties.MAX_PROXY_JUMPS.

Bug: apache#318
@tomaswolf tomaswolf mentioned this issue Jun 2, 2024
Merged
@tomaswolf tomaswolf added this to the 2.13.0 milestone Jun 2, 2024
@tomaswolf tomaswolf self-assigned this Jun 2, 2024
@lawmin2021 lawmin2021 mentioned this issue Sep 19, 2024
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@tomaswolf tomaswolf

Labels
bug An issue describing a bug in the code
Projects
None yet
Milestone
2.13.0
Development

Successfully merging a pull request may close this issue.

GH-318: fix proxyJumps tomaswolf/mina-sshd
Make the proxy jump resolver a bit more flexible.
2 participants
@nightman68 @tomaswolf