SSH ProxyJump not working on Fedora 35


Hi all,

I’ve recently installed Fedora 35, and seem to be having some issues with proxyjumping. I’ve been debugging this issue for hours, but can’t seem to find a proper solution. I’ve anonymised the addresses in the examples below.

So, if we’re assuming my ~/.ssh/config is empty, this is the effect of using a jump host:

~ ❯ ssh -J jeffrey@steppingstone.example.nl nas.example.nl
zsh: No such file or directory
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

However, using SSH directly goes perfectly well:

~ ❯ ssh steppingstone
jeffrey@steppingstone:~$ ssh nas
jeffrey@nas:~$

I’ve tried debugging the “file not found” (which, just to have complete information, also occurs when running bash instead of zsh) error using strace, but can’t seem to find much interesting information there either:

[..]
newfstatat(AT_FDCWD, "/etc/nsswitch.conf", {st_mode=S_IFREG|0644, st_size=3038, ...}, 0) = 0
openat(AT_FDCWD, "/etc/passwd", O_RDONLY|O_CLOEXEC) = 3
newfstatat(3, "", {st_mode=S_IFREG|0644, st_size=2684, ...}, AT_EMPTY_PATH) = 0
lseek(3, 0, SEEK_SET)                   = 0
read(3, "root:x:0:0:root:/root:/usr/bin/z"..., 4096) = 2684
close(3)                                = 0
getpid()                                = 10020
pipe([3, 4])                            = 0
pipe([5, 6])                            = 0
getpid()                                = 10020
clone(child_stack=NULL, flags=CLONE_CHILD_CLEARTID|CLONE_CHILD_SETTID|SIGCHLD, child_tidptr=0x7fc50aa04b10) = 10021
close(3)                                = 0
close(6)                                = 0
zsh: No such file or directory
getpeername(5, 0x7ffdf5bd4490, [128])   = -1 ENOTSOCK (Socket operation on non-socket)
getuid()                                = 1000
openat(AT_FDCWD, "/home/jbouter/.ssh/id_ed25519", O_RDONLY) = 3
[..]

I don’t see why the KEX Algorithms are “wrong” in the error either. Using a VPN, I can also SSH directly to the nas machine without any issues:

~ ❯ ssh nas.example.nl
jeffrey@nas:~$

I’ve also commented out the following line from /etc/ssh/ssh_config, to no effect:

Include /etc/ssh/ssh_config.d/*.conf

I did this, because /etc/ssh/ssh_config.d/50-redhat.conf includes specific ciphers as a final override for SSH.

I was hoping someone could give me some pointers as to what may possibly be going wrong.

I’ve also attempted to use a ProxyCommand rather than a ProxyJump as such:

Host nas
  ProxyCommand ssh -q -W %h:%p steppingstone

This resulted in the same error.

Lastly, here’s the output with some extra verbosity:

~ ❯ ssh -vvv -J jeffrey@steppingstone.example.nl nas.example.nl
OpenSSH_8.7p1, OpenSSL 1.1.1l  FIPS 24 Aug 2021
debug1: Reading configuration data /home/jbouter/.ssh/config
debug1: /home/jbouter/.ssh/config line 34: Skipping Host block because of negated match for nas.example.nl
debug1: /home/jbouter/.ssh/config line 41: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host nas.example.nl originally nas.example.nl
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: not matched 'final'
debug2: match not found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1 (parse only)
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: configuration requests final Match pass
debug1: re-parsing configuration
debug1: Reading configuration data /home/jbouter/.ssh/config
debug1: /home/jbouter/.ssh/config line 34: Skipping Host block because of negated match for nas.example.nl
debug1: /home/jbouter/.ssh/config line 41: Applying options for *
debug1: Reading configuration data /etc/ssh/ssh_config
debug3: /etc/ssh/ssh_config line 55: Including file /etc/ssh/ssh_config.d/50-redhat.conf depth 0
debug1: Reading configuration data /etc/ssh/ssh_config.d/50-redhat.conf
debug2: checking match for 'final all' host nas.example.nl originally nas.example.nl
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 3: matched 'final'
debug2: match found
debug3: /etc/ssh/ssh_config.d/50-redhat.conf line 5: Including file /etc/crypto-policies/back-ends/openssh.config depth 1
debug1: Reading configuration data /etc/crypto-policies/back-ends/openssh.config
debug3: gss kex names ok: [gss-curve25519-sha256-,gss-nistp256-sha256-,gss-group14-sha256-,gss-group16-sha512-]
debug3: kex names ok: [curve25519-sha256,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha256,diffie-hellman-group16-sha512,diffie-hellman-group18-sha512]
debug1: Setting implicit ProxyCommand from ProxyJump: ssh -l jeffrey -vvv -W '[%h]:%p' steppingstone.example.nl
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts' -> '/home/jbouter/.ssh/known_hosts'
debug3: expanded UserKnownHostsFile '~/.ssh/known_hosts2' -> '/home/jbouter/.ssh/known_hosts2'
debug1: Executing proxy command: exec ssh -l jeffrey -vvv -W '[nas.example.nl]:22' steppingstone.example.nl
debug1: identity file /home/jbouter/.ssh/id_rsa type -1
zsh: No such file or directory
debug1: identity file /home/jbouter/.ssh/id_rsa-cert type -1
debug1: identity file /home/jbouter/.ssh/id_dsa type -1
debug1: identity file /home/jbouter/.ssh/id_dsa-cert type -1
debug1: identity file /home/jbouter/.ssh/id_ecdsa type -1
debug1: identity file /home/jbouter/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/jbouter/.ssh/id_ecdsa_sk type -1
debug1: identity file /home/jbouter/.ssh/id_ecdsa_sk-cert type -1
debug1: identity file /home/jbouter/.ssh/id_ed25519 type 3
debug1: identity file /home/jbouter/.ssh/id_ed25519-cert type -1
debug1: identity file /home/jbouter/.ssh/id_ed25519_sk type -1
debug1: identity file /home/jbouter/.ssh/id_ed25519_sk-cert type -1
debug1: identity file /home/jbouter/.ssh/id_xmss type -1
debug1: identity file /home/jbouter/.ssh/id_xmss-cert type -1
debug1: Local version string SSH-2.0-OpenSSH_8.7
kex_exchange_identification: Connection closed by remote host
Connection closed by UNKNOWN port 65535

I’m really hoping someone could give me some pointers on how to debug this issue further. Any help is appreciated. This config was working fine using OpenSSH 8.2 (and I’ve migrated it to quite a few hosts and distros).

Found the culprit! It had to do with this bit of shell configuration:

#!/usr/bin/env bash
# shellcheck disable=SC2034,SC2086

function set_win_title(){
  if [[ "$(basename $PWD)" == "$(id -un)" ]]; then
    echo -ne "\033]0; ~ \007"
  else
    echo -ne "\033]0; $(basename $PWD) \007"
  fi
}

# Set the window title
SHELL=$(basename $SHELL)
if [[ "$SHELL" == "bash" ]]; then
  starship_precmd_user_func="set_win_title"
elif [[ "$SHELL" == "zsh" ]]; then
  precmd_functions+=(set_win_title)
fi
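Why that snippet breaks ProxyJump, as an added example that is not part of the original post: ssh runs the proxy command through the program named in $SHELL, and after `SHELL=$(basename $SHELL)` that value is a bare name such as `zsh` instead of a path, which matches the `zsh: No such file or directory` line in the output above. The sketch below checks a SHELL value and derives the short name without overwriting the variable; the function names `check_shell_value` and `shell_name` and the sample values are made up for illustration.

```shell
#!/bin/sh
# Added example, not code from the original post.
# Assumption: ssh starts the ProxyCommand/ProxyJump helper as "$SHELL -c <command>"
# with no PATH lookup, so SHELL has to remain an absolute path.

# check_shell_value VALUE
# Prints a verdict; returns 0 only if VALUE would work as the proxy shell.
check_shell_value() {
  case "$1" in
    "") echo "unset: ssh falls back to /bin/sh"; return 0 ;;
    /*) ;;                                  # absolute path, test it below
    *)  echo "not absolute: $1"; return 1 ;;
  esac
  if [ -f "$1" ] && [ -x "$1" ]; then
    echo "ok: $1"
    return 0
  fi
  echo "not executable: $1"
  return 1
}

# shell_name VALUE
# Short shell name for prompt logic, derived without modifying SHELL.
shell_name() {
  printf '%s\n' "${1##*/}"
}

# Constructed sample values: a normal login value, and what is left behind
# once an rc file has run SHELL=$(basename $SHELL).
good_value=/bin/sh
clobbered_value=$(basename "$good_value")

check_shell_value "$good_value"
check_shell_value "$clobbered_value" || true

# In the rc file, compare a separate variable and leave SHELL alone, e.g.
#   current_shell=$(shell_name "$SHELL")
#   if [ "$current_shell" = "bash" ]; then ...; fi
echo "name for prompt logic: $(shell_name "$good_value")"
```

Running `check_shell_value "$SHELL"` in a fresh terminal shows whether any startup file has rewritten the variable before ssh inherits it.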