Xpra/paramiko fails on ssh connections using ProxyJump

[eblanton]

When using xpra (v4.4.3-r0, Debian 11) with paramiko as an ssh client, connections to hosts including a ProxyJump option in their .ssh/config stanza fail.

An example config is:

Host emon
    HostName [redacted host A]
    ProxyJump [redacted host B]
    ControlMaster auto
    ControlPath /home/elb/.ssh/control/%r@%h
    ForwardX11Trusted no
    User eblanton

Running Xpra as:

xpra start --start xterm ssh://emon/

Yields this output:

$ xpra --debug ssh start --start xterm ssh://emon/
2023-01-22 11:01:08,757 debug enabled for xpra.net.ssh / ('network', 'ssh')
2023-01-22 11:01:08,832 debug enabled for xpra.scripts.parsing / ('ssh',)
2023-01-22 11:01:08,832 using paramiko ssh backend
2023-01-22 11:01:08,998 Xpra GTK3 X11 client version 4.4.3-r0 64-bit
2023-01-22 11:01:09,085  running on Linux Debian 11 bullseye
2023-01-22 11:01:09,086  window manager is 'awesome'
2023-01-22 11:01:10,229 GStreamer version 1.18.4
2023-01-22 11:01:10,290 created unix domain socket '/run/user/1000/xpra/clients/colt-4054753'
2023-01-22 11:01:10,900 No OpenGL_accelerate module loaded: No module named 'OpenGL_accelerate'
2023-01-22 11:01:11,410 OpenGL enabled on 'AMD OLAND (DRM 2.50.0, 5.10.0-19-amd64, LLVM 11.0.1)'
2023-01-22 11:01:11,414 parsed user config '/home/elb/.ssh/config'
2023-01-22 11:01:11,414 29 hosts found
2023-01-22 11:01:11,420 got host config for 'emon': {'hostname': '[redacted host A]', 'proxyjump': '[redacted host B]', 'user': 'eblanton', 'controlmaster': 'auto', 'controlpath': '/home/elb/.ssh/control/eblanton@[redacted host A]', 'forwardx11trusted': 'no'}
2023-01-22 11:01:11,420 authentication modes=['none', 'agent', 'key', 'password']
2023-01-22 11:01:51,460 ssh_paramiko_connect_to({'display_name': 'ssh://emon/', 'cmdline': ['/usr/bin/xpra', '--debug', 'ssh', 'start', '--start', 'xterm', 'ssh://emon/'], 'type': 'ssh', 'proxy_command': ['_proxy_start'], 'exit_ssh': True, 'display': None, 'display_as_args': ['--debug=ssh', '--start=xterm'], 'is_paramiko': True, 'agent': False, 'host': 'emon', 'local': False, 'full_ssh': ['paramiko'], 'remote_xpra': ['xpra', '$XDG_RUNTIME_DIR/xpra/run-xpra', '/usr/local/bin/xpra', '~/.xpra/run-xpra', 'Xpra_cmd.exe']})
NoneType: None
SSH failed to connect to [redacted host A]:22

This may be a paramiko limitation (the paramiko documentation does not seem to mention ProxyJump), but as Xpra seems to strongly prefer paramiko (#3701), this is a problem for default Xpra installs. I am going to dig into paramiko next and see if a feature request or bug report needs to be filed, I will link it here if so.

System Information:

• Server OS: Ubuntu 20.04.5 LTS
• ProxyJump OS: Debian 11
• Client OS: Debian 11
• Xpra Server Version v4.4.3-r0
• Xpra Client Version v4.4.3-r0

[eblanton]

This paramiko issue seems to suggest that this is something that the user of paramiko has to implement, and gives an example of Fabric doing so.

[totaam]

This should "just" be a matter of parsing the ProxyJump attribute and transforming it into what we parse using #2041 - see also #3638

FYI: Debian Bullseye ships with an out of date version of paramiko:
https://packages.debian.org/bullseye/python3-paramiko

[allo-]

As workaround you can use external SSH. I use it in different setups and it works well with all .ssh/config options as I think it just uses the OpenSSH binary.

[callegar]

Experiencing the same here. In certain setups jump hosts are a rather important feature. Easiest workaround is not to have paramiko installed. Xpra will complain a bit, but work just fine.

[totaam]

@callegar the correct way to use the ssh backend is to set --ssh=ssh.