ssh_config: Hostname with multiple IP addresses

Darren Tucker dtucker at dtucker.net
Tue Dec 15 11:31:30 AEDT 2020


On Tue, 15 Dec 2020 at 10:39, David Newall <openssh at davidnewall.com> wrote:

> > Say I had:
> >
> > Host foo
> > Hostname 192.168.2.2 192.168.2.3
> >
> > Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the
> > rest of the time?
>

When DNS returns multiple entries, ssh will try to connect to each in the
order that the system returns them.  For each entry, it'll try to connect
for ConnectTimeout seconds and if it doesn't work, it'll move onto the
next.  It'll use the first one that works.

I did a patch[0] a while back that would race nonblocking connections and
use the first one that connects, but that would have a disadvantage of
spamming logs with "connection closed" messages from the unused connections
in the general case, and was easy enough to implement in a ProxyCommand for
the cases that need it.

Maybe we could extend Host to accept (comma-separated?) lists, but then the
question would be what would the behaviour be in the case when each entry
is itself a hostname that might resolve to multiple addresses?

I find the man page unambiguous: HostName specifies the singular real
> host name to log into.  Alternatively, a singular IP address is permitted.
>
> I can see how "Numeric IP addresses are also permitted" could be
> construed as meaning multiple addresses on the one line, but, that's an
> incorrect reading.  It really means, IP addresses can be used in
> HostName entries.
>
> All of this fails to help the original question, which is how to specify
> multiple IP addresses.  The obvious answer to that is to put multiple A
> records into your local DNS.  If you don't have a local DNS or have no
> control over it, specify multiple Hosts in your config, one for each IP
> address.
>

As someone else mentioned, you can put multiple entries into /etc/hosts,
which will have the behaviour described above.

[0] https://marc.info/?l=openssh-unix-dev&m=148421494521398&w=2

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.


More information about the openssh-unix-dev mailing list