Dealing with roaming machines

Nico Kadel-Garcia nkadel at gmail.com
Tue Dec 23 00:43:06 EST 2014


On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft <madduck at madduck.net> wrote:
> Hey folks,
>
> As most of everyone, I use OpenSSH for almost everything and
> whenever I can: backups, sync, Git, configuration management, and of
> course console sessions. So much for an intro ;)
>
> My laptop and I roam between three networks, though sometimes
> I leave the laptop at the office overnight, or hop over to the third
> site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to
> try the other networks if the machine cannot be found locally.
> Unfortunately, DNS "search" in /etc/resolv.conf and
> CanonicalizeHostname in ssh_config both don't work since they only
> iterate the network DNS zones until a record is found, and my laptop
> has an entry in all three zones.

The problem, I think, isn't that you have an entry in all three. It's
that you have a *shortened* hostname that is identical in all 3 DNS
domains. If your DNS admins have gracefully set the local environments
to each be on their own subdomain, and that subdomain is *first* in
DHCP configured DNS, you should be golden.

    laptop.internal.domain.com     # when inside the building, internal.domain.com is first, then domain.com
    laptop.vpn.domain.com          # when VPN connected, vpn.domain.com is first, then domain.com
    laptop.machineroom.domain.com

It's extra work in DNS and security policies to do this, especially if
you're using dynamic DNS through AD. If instead, your admins have set
up all these environments to share "domain.com", well, then you start
getting into DNS "views" for a small domain called "laptop.domain.com"
and different DNS "views" in each environment. Then you need quite
short DNS TTLs, and various other requirements to avoid servers in
the same domain having their DNS expire.

Good luck with that: I deal with that kind of integration challenge a *lot*.

> Short of creating a single DNS entry and adding all possible IPs for
> my laptop, I am wondering if there's a way to configure OpenSSH
> (or Linux) to try multiple DNS names until a connection can be
> made. For extra bonus special points, this should obviously happen
> all at once to reduce wait times.

I've seen nothing, but had to deal with peculiar setups when people
start trying to "simplify" their DNS into one master zone and not
realizing the consequences of multiple A records. Don't get me
*started* on people who use multiple CNAMEs for the same primary
hostname, pointing to multiple other A records or CNAMEs!!! And do
*not* get me going on how people think that having multiple A records
will automatically load balance their traffic.

You might personally consider a wrapper, to process "nslookup" or
other DNS for your particular setup. But personally, I'd review the
concept of having identical hostnames in all environments. It can be
very helpful to deal with FQDNs and segregate your laptop's name in
the internal environment from its name in the external or other
environments.

> Assuming that this isn't currently possible — I did search and
> investigate — would this be a worthwhile feature to look into?
>
> Thanks,
>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/

It sounds intriguing. The basic C library functions are
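
As an added example, not part of the thread and not OpenSSH's own code: the "wrapper" suggested in the reply above, written as an ssh ProxyCommand that probes every candidate FQDN at once and hands the first usable one to ssh, which is what the original question asked for. The short name "laptop" and the three domains internal.domain.com, vpn.domain.com and machineroom.domain.com are taken from the reply; the script path, the use of nc(1) with -z and -w, the 3-second timeout and the ProxyCommand wiring are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): race several candidate FQDNs for a
# roaming host and hand the first reachable one to ssh as a ProxyCommand.
# Hypothetical names: "laptop" and the domains internal.domain.com,
# vpn.domain.com, machineroom.domain.com from the reply above.
#
# ssh_config usage (hypothetical path):
#   Host laptop
#       ProxyCommand /usr/local/bin/ssh-roam.sh %h %p internal.domain.com vpn.domain.com machineroom.domain.com

# probe_host FQDN PORT: succeed if a TCP connection opens within 3 seconds.
# Assumes an nc(1) that supports -z (no I/O) and -w (connect timeout).
probe_host() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# pick_reachable SHORTNAME PORT DOMAIN...: probe every SHORTNAME.DOMAIN
# concurrently, then print the first one that answered, in DOMAIN order.
# Total wait is bounded by one probe timeout, not the sum of them, and
# the DOMAIN order still expresses which network is preferred.
pick_reachable() {
    short=$1 port=$2
    shift 2
    tmp=$(mktemp -d) || return 1
    for d in "$@"; do
        (
            # Each probe runs in its own background subshell and leaves a
            # marker file only if the connection succeeded.
            probe_host "$short.$d" "$port" && : > "$tmp/$d"
        ) &
    done
    wait
    chosen=
    for d in "$@"; do
        if [ -e "$tmp/$d" ]; then
            chosen="$short.$d"
            break
        fi
    done
    rm -rf "$tmp"
    [ -n "$chosen" ] || return 1
    printf '%s\n' "$chosen"
}

# ProxyCommand entry point: ssh supplies %h and %p, the domains follow.
# Without arguments the script only defines the functions above.
if [ $# -ge 3 ]; then
    short=$1 port=$2
    target=$(pick_reachable "$@") || {
        echo "ssh-roam: no reachable candidate for $short" >&2
        exit 1
    }
    exec nc "$target" "$port"
fi
```

Because ssh still sees the host as "laptop", known_hosts is keyed by that alias regardless of which FQDN won, which is correct here since all three names are the same machine; if the candidates were ever different machines, the wrapper would turn host key checking into a guessing game and should not be used. The wrapper only papers over the identical-short-name problem the reply argues against: the cleaner fix remains distinct per-environment FQDNs with the right DNS search order.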
