SSH ProxyJump on macOS Catalina is not working

Question

I have 3 Computers:
1. my mac with macOS Catalina
2. my 1st Raspberry Pi
3. my 2nd Raspberry Pi

On my mac is ssh running version: OpenSSH_8.1p1, OpenSSL 1.1.1d 10 Sep 2019

I am able to log into each raspberry pi separately via ssh.

I want to ssh from my mac to the 2nd Pi by jumping over the 1st Pi. Like this:

+-------+       +--------+       +--------+
|  Mac  | ----> | raspi1 | ----> | raspi2 |
+-------+       +--------+       +--------+

with this .ssh/config file:

Host 1pi
    HostName raspi1
    User pi
    #IdentityFile ~/.ssh/id_ed25519

Host 2pi
    HostName raspi2
    User pi
    ProxyJump 1pi
    #IdentityFile ~/.ssh/id_ed25519

Though I am able to log into the 1st Raspberry Pi, I am always getting the same error when attempting to log into the 2nd Pi.

$ ssh 2pi
kex_exchange_identification: banner line contains invalid characters

I have even tried it with the IdentityFile parameter and just using the -J option. But still the same result.

$ ssh -J pi@raspi1 pi@raspi2
kex_exchange_identification: banner line contains invalid characters

I tried it on macOS Mojave and it worked. I tried it on Linux and it worked.

How do I get it to work on macOS Catalina? How can I jump to the 2nd Pi over the 1st Pi?

When I do ssh 2pi -vv I get this (among other debug information)

debug2: channel_input_open_confirmation: channel 0: callback start
debug2: channel_input_open_confirmation: channel 0: callback done
debug2: channel 0: open confirm rwindow 2097152 rmax 32768
debug1: kex_exchange_identification: banner line 0: \033[H\033[2JSSH-2.0-OpenSSH_7.9p1 Raspbian-10+deb10u1
kex_exchange_identification: banner line contains invalid characters
debug1: channel 0: free: direct-tcpip: listening port 0 for raspi2 port 22, connect from 127.0.0.1 port 65535 to UNKNOWN port 65536, nchannels 1
debug1: fd 0 clearing O_NONBLOCK
Killed by signal 1.

Answer 1

OpenSSH_8.1p1 has a bug that swapped %n and %h. Because ProxyJump essentially uses ProxyCommand ssh -W %h:%p, it is actually sending the Host name instead of HostName (1pi instead of raspi1).

If you don't want to jump through the hoops of installing OpenSSH_8.2p1 or anything else, you can replace ProxyJump 1pi with ProxyCommand ssh -W %n:%p 1pi until Apple replaces the version of OpenSSH. Considering that Apple is the one who reported the bug (thanks Pierre-Olivier), I am assuming that it will be updated in the next 10.15.4 Beta.

If you're interested in source code, the bug was introduced here: https://github.com/openssh/openssh-portable/commit/fbe24b142915331ceb2a3a76be3dc5b6d204fddf#diff-5bfa45f3fb322e569a8101399c9c551cR1372

The bug was fixed here: https://github.com/openssh/openssh-portable/commit/2ab335712d084d9ccaf3f53afc3fa9535329da87#diff-5bfa45f3fb322e569a8101399c9c551cR1395

---

As an alternative to the above answer, a possibly simpler answer that will solve your problem and not make you change anything when Apple releases the fix exists.

Just add 2pi to your /etc/hosts file on raspi1. e.g. {IP address of 2pi} 2pi. Assuming your IP address is 192.168.1.10, it'd be:

echo "192.168.1.10 2pi" | sudo tee -a /etc/hosts