https://bugzilla.mindrot.org/show_bug.cgi?id=3026
--- Comment #2 from Evans Tucker <[email protected]> ---

It seems like the reality is a little more complicated. I'm seeing this behavior through a ProxyCommand.

Here's what I'm seeing. Note that after creating a ~/.ssh/config with "IdentitiesOnly yes", I get a password prompt even though I'm specifying "-F ssh-bastion.conf" on the command line:

$ cat ssh-bastion.conf
Host 52.47.157.242
  Hostname 52.47.157.242
  StrictHostKeyChecking no
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Host 10.250.204.35
  ProxyCommand ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p [email protected]

$ cat ~/.ssh/config
cat: /home/evans/.ssh/config: No such file or directory

$ ssh -F ssh-bastion.conf [email protected] echo hi
Warning: Permanently added '52.47.157.242' (ECDSA) to the list of known hosts.
hi

$ echo 'IdentitiesOnly yes' > ~/.ssh/config
$ ssh -F ssh-bastion.conf [email protected] echo hi
Warning: Permanently added '52.47.157.242' (ECDSA) to the list of known hosts.
Password:

Here's debug output showing that it says it's only loading ssh-bastion.conf, but it's definitely behaving like it's reading ~/.ssh/config. You can see that the command goes through after I delete ~/.ssh/config even though I'm specifying "-F ssh-bastion.conf":

$ ssh -vvv -F ssh-bastion.conf [email protected] echo hi |& egrep '(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
Password:

$ rm ~/.ssh/config
$ ssh -vvv -F ssh-bastion.conf [email protected] echo hi |& egrep '(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
debug1: Sending command: echo hi
hi
$

AHA! OK, I just figured it out... The ProxyCommand doesn't have "-F" specified. If I put "-F /dev/null" in the ProxyCommand, things work as expected!

$ cat ssh-bastion.conf
Host 52.47.157.242
  Hostname 52.47.157.242
  StrictHostKeyChecking no
  ControlMaster auto
  ControlPath ~/.ssh/ansible-%r@%h:%p
  ControlPersist 5m

Host 10.250.204.35
  ProxyCommand ssh -vvv -F /dev/null -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p [email protected]

$ echo 'IdentitiesOnly yes' > ~/.ssh/config
$ ssh -vvv -F ssh-bastion.conf [email protected] echo hi |& egrep '(config|hi)'
debug1: Reading configuration data ssh-bastion.conf
debug1: Reading configuration data /dev/null
debug1: Sending command: echo hi
hi

Problem solved. Overly complex SSH config. I'll push a bugfix to kubespray to have them add "-F /dev/null" to ProxyCommand in their ssh-bastion.conf file.
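
The cause identified in the comment above (the ssh started by ProxyCommand is a separate process that does not inherit the outer "-F" and so reads ~/.ssh/config) can be checked for in config files. The following is an added example, not part of the original comment and not code from OpenSSH or kubespray; the function name and the sample config, including user@bastion.example, are constructed for illustration.

```python
import os
import re
import shlex

def audit_proxycommands(config_text):
    """Return (host_pattern, line_no, command) for each ProxyCommand that runs
    ssh without its own -F, i.e. whose inner ssh will read ~/.ssh/config."""
    findings = []
    host = "*"  # options before the first Host line apply to every host
    for line_no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        keyword, value = m.group(1).lower(), m.group(2)
        if keyword in ("host", "match"):
            host = value
        elif keyword == "proxycommand":
            try:
                argv = shlex.split(value)
            except ValueError:          # unbalanced quotes: fall back to a plain split
                argv = value.split()
            if argv and argv[0] == "exec":
                argv = argv[1:]
            if not argv or os.path.basename(argv[0]) != "ssh":
                continue                # nc, "none", etc.: no nested ssh config is read
            # -F may be given as "-F file" or "-Ffile"
            if not any(a.startswith("-F") for a in argv[1:]):
                findings.append((host, line_no, value))
    return findings

# Constructed sample modelled on the ssh-bastion.conf shown above.
BEFORE = """\
Host 52.47.157.242
  Hostname 52.47.157.242
  ControlMaster auto

Host 10.250.204.35
  ProxyCommand ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -W %h:%p user@bastion.example
"""
AFTER = BEFORE.replace("ProxyCommand ssh ", "ProxyCommand ssh -F /dev/null ")

if __name__ == "__main__":
    for host, line_no, cmd in audit_proxycommands(BEFORE):
        print(f"line {line_no} (Host {host}): inner ssh has no -F: {cmd}")
    print("after fix:", audit_proxycommands(AFTER))
```

The check only looks at the literal ProxyCommand string; it does not follow Include directives or wrapper scripts that call ssh indirectly.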
