SSH ProxyJump on macOS Catalina is not working

I have 3 Computers:
1. my mac with macOS Catalina
2. my 1st Raspberry Pi
3. my 2nd Raspberry Pi

On my Mac, ssh is running version: OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019

I am able to log into each raspberry pi separately via ssh.

I want to ssh from my mac to the 2nd Pi by jumping over the 1st Pi. Like this:

+-------+       +--------+       +--------+
|  Mac  | ----> | raspi1 | ----> | raspi2 |
+-------+       +--------+       +--------+

with this .ssh/config file:

Host 1pi
    HostName raspi1
    User pi
    #IdentityFile ~/.ssh/id_ed25519

Host 2pi
    HostName raspi2
    User pi
    ProxyJump 1pi
    #IdentityFile ~/.ssh/id_ed25519

Though I am able to log into the 1st Raspberry Pi, I am always getting the same error when attempting to log into the 2nd Pi.

$ ssh 2pi
kex_exchange_identification: banner line contains invalid characters

I have even tried it with the IdentityFile parameter and just using the -J option. But still the same result.

$ ssh -J pi@raspi1 pi@raspi2
kex_exchange_identification: banner line contains invalid characters

I tried it on macOS Mojave and it worked. I tried it on Linux and it worked.

How do I get it to work on macOS Catalina? How can I jump to the 2nd Pi over the 1st Pi?

When I do ssh 2pi -vv I get this (among other debug information)

debug2: channel_input_open_confirmation: channel 0: callback start
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug1: kex_exchange_identification: banner line 0: \033[H\033[2JSSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u1
kex_exchange_identification: banner line contains invalid characters
debug1: channel 0: free: direct-tcpip: listening port 0 for raspi2 port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Killed by signal 1.

Hendrik

Posted 2019-12-18T13:15:07.120

Reputation: 1

First figure out why it doesn't work... use ssh -vv to see the actual banner being sent. – user1686 – 2019-12-18T13:21:17.147

Yes, I can ssh raspi2 from within raspi1 – Hendrik – 2019-12-18T18:39:05.807

That banner looks like it starts with escape sequences to clear the screen and put the cursor at the top left. Do you have a login/profile file on the 1st Pi that tries to reset the terminal? – Gordon Davisson – 2019-12-19T17:37:38.763

Where do I find a login/profile file? – Hendrik – 2020-01-06T19:45:36.923

@Hendrik Look on raspi1, for something like ~/.profile, ~/.bash_profile, ~/.bash_login, or ~/.bashrc (assuming you're using bash as your shell on that system; if not, similar names for whatever shell you are using). – Gordon Davisson – 2020-01-09T09:11:35.913

I'm having the same issue. It's just a bandaid, but you can brew install openssh and brew link openssh. Everything seems to work with OpenSSH_8.2p1, except for UseKeychain if that's something you use. – Dan VanWinkle – 2020-02-27T00:41:55.683

Answers

0

OpenSSH_8.1p1 has a bug that swapped %n and %h. Because ProxyJump essentially uses ProxyCommand ssh -W %h:%p, it is actually sending the Host name instead of HostName (1pi instead of raspi1).

If you don't want to jump through the hoops of installing OpenSSH_8.2p1 or anything else, you can replace ProxyJump 1pi with ProxyCommand ssh -W %n:%p 1pi until Apple replaces the version of OpenSSH. Considering that Apple is the one who reported the bug (thanks Pierre-Olivier), I am assuming that it will be updated in the next 10.15.4 Beta.

If you're interested in source code, the bug was introduced here: https://github.com/openssh/openssh-portable/commit/fbe24b142915331ceb2a3a76be3dc5b6d204fddf#diff-5bfa45f3fb322e569a8101399c9c551cR1372

The bug was fixed here: https://github.com/openssh/openssh-portable/commit/2ab335712d084d9ccaf3f53afc3fa9535329da87#diff-5bfa45f3fb322e569a8101399c9c551cR1395


As an alternative to the above answer, a possibly simpler answer that will solve your problem and not make you change anything when Apple releases the fix exists.

Just add 2pi to your /etc/hosts file on raspi1. e.g. {IP address of 2pi} 2pi. Assuming your IP address is 192.168.1.10, it'd be:

echo "192.168.1.10 2pi" | sudo tee -a /etc/hosts

Dan VanWinkle

Posted 2019-12-18T13:15:07.120

Reputation: 101

This will likely be fixed in the next seed of 10.15.4, according to Apple. – Dan VanWinkle – 2020-02-27T06:35:09.110
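
An added example, not part of the answer above and not OpenSSH's code: a small Python model of how %h, %n and %p expand for the asker's config, with a switch that treats the 8.1p1 bug as a plain swap of %h and %n, as the answer describes it. The function names and the simplified parser are assumptions made for illustration; the ProxyJump-as-ProxyCommand form is the one quoted in the answer.

```python
# Added illustration: simplified model of ssh_config token expansion.
# CONFIG is the asker's config; swapped=True models the OpenSSH 8.1p1 bug
# as the answer describes it (%h and %n exchanged). Names are hypothetical.
CONFIG = """\
Host 1pi
    HostName raspi1
    User pi

Host 2pi
    HostName raspi2
    User pi
    ProxyJump 1pi
"""

def parse_config(text):
    """Return {alias: {lowercased keyword: value}} for simple Host blocks."""
    hosts, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        if key.lower() == "host":
            current = hosts.setdefault(value.strip(), {})
        elif current is not None:
            current[key.lower()] = value.strip()
    return hosts

def expand(template, alias, hosts, swapped=False, port=22):
    """Expand %h (HostName), %n (name given on the command line) and %p."""
    hostname = hosts[alias].get("hostname", alias)
    h, n = (alias, hostname) if swapped else (hostname, alias)
    return template.replace("%h", h).replace("%n", n).replace("%p", str(port))

def proxy_command(alias, hosts, swapped=False, override=None):
    """Command ssh would run to reach `alias` through its jump host."""
    jump = hosts[alias]["proxyjump"]
    # ProxyJump written as the equivalent ProxyCommand, in the answer's form.
    template = override or f"ssh -W %h:%p {jump}"
    return expand(template, alias, hosts, swapped)

if __name__ == "__main__":
    hosts = parse_config(CONFIG)
    workaround = "ssh -W %n:%p 1pi"
    for label, swapped in (("fixed client", False), ("8.1p1 bug", True)):
        print(label, "| ProxyJump :", proxy_command("2pi", hosts, swapped))
        print(label, "| workaround:", proxy_command("2pi", hosts, swapped, workaround))
```

On a fixed client the %n workaround expands to the alias again, so the jump host is asked for 2pi:22 unless it can resolve that name; the ProxyCommand line has to go back to ProxyJump once the client is updated.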