Unable to connect to SSH server with proxycommand

[hidoolou007]

Prerequisites

• Write a descriptive title.
• Make sure you are able to repro it on the latest version
• Search the existing issues.

Steps to reproduce

Hi,
I have a Windows 2025 Server with OpenSSH enabled.
I need to connect to this server through a SSH bastion.

I have activated PowerShell as the default shell for OpenSSH following the MS guide.

I have no problem to connect to my server with the following full command:

ssh -t -l remoteuser@target.domain.local:bastionuser bastion.domain.local

Which gives me the following output:

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\remoteuser>

My problem is that I want to automate some tasks on many targets so I need to configure my ~/.ssh/config file in order to make the previous command line reusable.

Here is my config file:

Host bastion
   User bastionuser
   Hostname bastion.domain.local
   Port 22
   StrictHostKeyChecking no
   IdentityFile ~/.ssh/id_rsa

Host target
    Hostname target.domain.local
    User remoteuser
    ProxyCommand ssh -T -l remoteuser@%h:bastionuser bastion

So when I do ssh target -vvv I got the following error:

[...]
debug1: kex_exchange_identification: banner line 11: Windows PowerShell
debug1: kex_exchange_identification: banner line 12: Copyright (C) Microsoft Corporation. All rights reserved.
debug1: kex_exchange_identification: banner line 13:
debug1: kex_exchange_identification: banner line 14: Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
debug1: kex_exchange_identification: banner line 15:
debug1: kex_exchange_identification: banner line 16: PS C:\\Users\\remoteuser> SSH-2.0-OpenSSH_9.9
SSH-2.0-OpenSSH_9.9 : The term 'SSH-2.0-OpenSSH_9.9' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:1
+ SSH-2.0-OpenSSH_9.9
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (SSH-2.0-OpenSSH_9.9:String) [], CommandNotFoundExc
   eption
    + FullyQualifiedErrorId : CommandNotFoundException

It seems like the server tries to execute the SSH client version as an executable after being successfully connected.

I tried to disable the Banner option (which is already disabled by default). Renamed ssh.exe (on the server side) in SSH-2.0-OpenSSH_9.9.exe and the problem still occurs. Instead of the error message, it gives me the following output:

usage: ssh [-46AaCfGgKkMNnqsTtVvXxYy] [-B bind_interface] [-b bind_address]
           [-c cipher_spec] [-D [bind_address:]port] [-E log_file]
           [-e escape_char] [-F configfile] [-I pkcs11] [-i identity_file]
           [-J destination] [-L address] [-l login_name] [-m mac_spec]
           [-O ctl_cmd] [-o option] [-P tag] [-p port] [-Q query_option]
           [-R address] [-S ctl_path] [-W host:port] [-w local_tun[:remote_tun]]
           destination [command [argument ...]]

Which is the behaviour the server wants to do (execute a command after login). But It never gives me the prompt back and I'm unable to do anything with that.

It seems to be a limitation of OpenSSH on Windows server and I'm stuck for a week now to find a fix.

Any idea?

Thanks

Expected behavior

Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.

Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows

PS C:\Users\remoteuser>

Actual behavior

debug1: kex_exchange_identification: banner line 11: Windows PowerShell
debug1: kex_exchange_identification: banner line 12: Copyright (C) Microsoft Corporation. All rights reserved.
debug1: kex_exchange_identification: banner line 13:
debug1: kex_exchange_identification: banner line 14: Install the latest PowerShell for new features and improvements! https://aka.ms/PSWindows
debug1: kex_exchange_identification: banner line 15:
debug1: kex_exchange_identification: banner line 16: PS C:\\Users\\remoteuser> SSH-2.0-OpenSSH_9.9
SSH-2.0-OpenSSH_9.9 : The term 'SSH-2.0-OpenSSH_9.9' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:1
+ SSH-2.0-OpenSSH_9.9
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (SSH-2.0-OpenSSH_9.9:String) [], CommandNotFoundExc
   eption
    + FullyQualifiedErrorId : CommandNotFoundException

Error details

Environment data

Name                           Value
----                           -----
PSVersion                      5.1.26100.4652
PSEdition                      Desktop
PSCompatibleVersions           {1.0, 2.0, 3.0, 4.0...}
BuildVersion                   10.0.26100.4652
CLRVersion                     4.0.30319.42000
WSManStackVersion              3.0
PSRemotingProtocolVersion      2.3
SerializationVersion           1.1.0.1

Version

SSH-2.0-OpenSSH_for_Windows_9.5

Visuals

No response

[tgauth]

ssh -t -l remoteuser@target.domain.local:bastionuser bastion.domain.local

ProxyCommand ssh -T -l remoteuser@%h:bastionuser bastion

-t and -T have different behaviors - can you ensure the ssh config file matches the manual command?

[hidoolou007]

ssh -t -l remoteuser@target.domain.local:bastionuser bastion.domain.local

ProxyCommand ssh -T -l remoteuser@%h:bastionuser bastion

-t and -T have different behaviors - can you ensure the ssh config file matches the manual command?

Hi, thanks for your answer. Yeah I've changed the arg -t to -T by design. If I put -t in the conf file, I have a warning I didn't have with the manual command:

Pseudo-terminal will not be allocated because stdin is not a terminal.

Then, the same errror:

SSH-2.0-OpenSSH_9.9 : The term 'SSH-2.0-OpenSSH_9.9' is not recognized as the name of a cmdlet,
function, script file, or operable program. Check the spelling of the name, or if a path was
included, verify that the path is correct and try again.
At line:1 char:1
+ SSH-2.0-OpenSSH_9.9
+ ~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : ObjectNotFound: (SSH-2.0-OpenSSH_9.9:String) [], CommandNotFoundExc
   eption
    + FullyQualifiedErrorId : CommandNotFoundException

[tgauth]

Thanks for the additional info!

A couple things to try:

1. Does removing PowerShell as the default shell have any impact? I'm wondering if the Windows PowerShell banner is interfering with the ProxyCommand

2. Can ProxyJump be utilized instead of ProxyCommand?

[hidoolou007]

No particular change with the default shell, just less warnings and still no prompt to continue:

debug1: kex_exchange_identification: banner line 10:
'SSH-2.0-OpenSSH_9.9' is not recognized as an internal or external command,
operable program or batch file.
debug1: kex_exchange_identification: banner line 11: Microsoft Windows [Version 10.0.26100.4652]
debug1: kex_exchange_identification: banner line 12: (c) Microsoft Corporation. All rights reserved.
debug1: kex_exchange_identification: banner line 13:
debug1: kex_exchange_identification: banner line 14: remoteuser@target C:\\Users\\remoteuser>SSH-2.0-OpenSSH_9.9
debug1: kex_exchange_identification: banner line 15:

I'm not sure of the ProxyJump configuration to use since I don't use a ssh key to log into the remote server. I use a SSH bastion with an account mapping of my bastion user to the remote user on the target server. Do you have an example for ProxyJump?