-
Notifications
You must be signed in to change notification settings - Fork 458
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bugfix: ssh port override for #1116 #1117
base: main
Are you sure you want to change the base?
Conversation
@mhtr fyi |
I think that it is not breaking principle of least astonishment because, IIRC specifying port on commandline takes precedence than port specification in config file. I do not know, however, how does it work with libvirt's uri string. |
@scabala can you reproduce this? From man page.
But contrast with:
I also did a quick test on my local machine and it behaves as I expect:
|
I was writing from memory but what from example you provided it looks like it works as I wrote - commandline has priority over config. Second example does not work because IMO it first tries to port 2222 on Now when I read your description in PR it is more clear to me what you meant. I must say I was lost a bit - this SSH handling part grew significantly. Yeah, I guess that might indeed be a little surprising to user but I think this is can be dealt with some little documentation. |
Please see TL;DR at end. The answer is trivial: we honor sshconfig manpage rules.
I'm not sure about that, I've re-done the same output for more explicit clarity. You can try the below stanzas locally too... memet@machine:~$ head -n 16 ~/.ssh/config | tail -n+2
UseRoaming no
Host fake-jump
Port 2222
HostName 192.168.50.165 # this is my local DHCP address
Host bogey-1
Port 2222
HostName localhost
ProxyJump fake-jump
Host bogey-2
Port 2222
HostName localhost
memet@machine:~$ ssh bogey-2 # FAILS WITHOUT OVERRIDE
ssh: connect to host localhost port 2222: Connection refused
memet@machine:~$ ssh bogey-2 -p 22 # SUCCEEDS WITH FLAG
Linux machine 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64
# SUCCESS ...
memet@machine:~$ ssh fake-jump # THIS FAILS WITHOUT OVERRIDE
ssh: connect to host 192.168.50.165 port 2222: Connection refused
memet@machine:~$ ssh fake-jump -p 22 # THIS SUCCEEDS WITH FLAG
Linux machine 6.1.0-22-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.94-1 (2024-06-21) x86_64
# SUCCESS ...
memet@machine:~$
logout
Connection to 192.168.50.165 closed.
memet@machine:~$ ssh bogey-1 # THIS FAILS WITHOUT OVERRIDE
ssh: connect to host 192.168.50.165 port 2222: Connection refused
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
memet@machine:~$ ssh bogey-1 -p 22 # THIS STILL FAILS WITH FLAG
ssh: connect to host 192.168.50.165 port 2222: Connection refused
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535
memet@machine:~$ ssh bogey-1 -p 22 -v
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /home/memet/.ssh/config
debug1: /home/memet/.ssh/config line 2: Deprecated option "useroaming"
debug1: /home/memet/.ssh/config line 8: Applying options for bogey-1
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -v -W '[%h]:%p' fake-jump
debug1: Executing proxy command: exec ssh -v -W '[localhost]:22' fake-jump
debug1: identity file /home/memet/.ssh/****** type 0
debug1: identity file /home/memet/.ssh/******-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_9.2p1 Debian-2+deb12u2
OpenSSH_9.2p1 Debian-2+deb12u2, OpenSSL 3.0.13 30 Jan 2024
debug1: Reading configuration data /home/memet/.ssh/config
debug1: /home/memet/.ssh/config line 2: Deprecated option "useroaming"
debug1: /home/memet/.ssh/config line 4: Applying options for fake-jump
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to 192.168.50.165 [192.168.50.165] port 2222.
debug1: connect to address 192.168.50.165 port 2222: Connection refused
ssh: connect to host 192.168.50.165 port 2222: Connection refused
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535 I can connect to
Yes, this is what the man page says will happen as the exception, not the rule. Specifically for JumpHost.
It didn't "grow" so much as it moved beyond trivial handling. The last release had an outdated sshconfig package (v0.0.0) and it only used the "User" parameter. Besides, without sshconfig, bastion hosts were not possible and this is a big no-go for my (any?) corporate environment. All we need to finalize is how to be backward compatible while maintaining good hygiene moving forward... TL;DR I just realized that there is no backward compatibility issue at all. v0.7.6 simply did not support proxy jumps, therefore nobody has production code with proxy jumps in them that can break due to this change. |
There is no need to be backward compatibility and go with the behavior closer to ssh/libvirt. We are not in 1.0 yet. Lets just mention it in the release notes. |
2fbefc0
to
31bd40a
Compare
Please disregard this comment: there is a bug, but not where I thought. As per Host [string](https://pkg.go.dev/builtin#string) // host or host:port (see Hostname and Port methods) the Host member can be either host or host:port, and therefore we should not make use of
|
this will throw off the ssh_config lookups as the target will be incorrectly given the server:port string instead of simply server
This issue fixes #1116.
It is a direct fix that maintains backward compatibility, however it introduces an outcome that breaks the principle of least astonishment: the port specified in the query string will take precedence over the port specified in any configured targets along the way (e.g. client -> bastion1 -> bastion2 -> host).
My opinion is that config should have priority over query string, however, this behaviour is not backwards compatible.
@dmacvicar : will need your input on this.