hashicorp / boundary

Boundary enables identity-based access management for dynamic infrastructure.
https://boundaryproject.io

CLI on Windows: -exec gives wrong template values #3174

Closed JannikZed closed 1 year ago

JannikZed commented 1 year ago

Describe the bug

I’m trying to get the boundary CLI integrated in an SSH config on Windows. My goal is that the tunnel is opened automatically when running SSH. This is the SSH config:

Host ttcp_*
  UserKnownHostsFile NUL
  StrictHostKeyChecking no
  ProxyCommand cmd.exe /C "boundary connect -target-id %n -exec plink -- -v -raw {{boundary.ip}}:{{boundary.port}}"

It seems like {{boundary.ip}}:{{boundary.port}} or {{boundary.addr}} always resolve to 127.0.0.1:22 … The output shows:

OpenSSH_for_Windows_8.1p1, LibreSSL 3.0.2
debug1: Reading configuration data C:\\Users\\JZ/.ssh/config
debug1: C:\\Users\\JZ/.ssh/config line 16: Applying options for ttcp_*
debug1: Executing proxy command: exec cmd.exe /C "boundary connect -target-id ttcp_d6Y7pa3fgH -exec plink -- -v -l ihadmin -raw {{boundary.ip}}:{{boundary.port}}"
debug1: identity file C:\\Users\\JZ/.ssh/id_rsa type 0

debug1: Local version string SSH-2.0-OpenSSH_for_Windows_8.1
debug1: kex_exchange_identification: banner line 0:
debug1: kex_exchange_identification: banner line 1: Proxy listening information:
debug1: kex_exchange_identification: banner line 2:   Address:             127.0.0.1
debug1: kex_exchange_identification: banner line 3:   Connection Limit:    -1
debug1: kex_exchange_identification: banner line 4:   Expiration:          Wed, 19 Apr 2023 21:17:46 +08
debug1: kex_exchange_identification: banner line 5:   Port:                52098
debug1: kex_exchange_identification: banner line 6:   Protocol:            tcp
debug1: kex_exchange_identification: banner line 7:   Session ID:          s_HwraNgihrm
Looking up host "127.0.0.1" for main connection
Connecting to 127.0.0.1 port 22
Failed to connect to 127.0.0.1: Network error: Connection refused
Network error: Connection refused
FATAL ERROR: Network error: Connection refused

The templating seems to work, as I get different results when writing “localhost” instead of “{{boundary.ip}}”.

I think it would be really great if we get this running, as it is the corresponding blueprint for Windows for these docs: SSH ProxyCommand Workflow | Boundary | HashiCorp Developer

To Reproduce

Steps to reproduce the behavior:

  1. Under Windows with SSH enabled, add the shown SSH config
  2. Try to connect to a target via SSH
  3. See error

Expected behavior

I expect the boundary tunnel to get opened automatically, and plink to open a STDIN tunnel to the hostname and port of the newly opened boundary tunnel. The SSH session should run without manual effort.

JannikZed commented 1 year ago

It does work!