CanonicalHostname and ssh connections through a jumphost

Warlich, Christof christof.warlich at
Wed May 20 00:28:04 AEST 2020


I have a question w.r.t. OpenSSH that I've posted to Stackoverflow:

Is it appropriate to ask here by posting the link? IMHO, the formatting capabilities there make it easier to read, but just in case, I've amended the question below as well.

Many thanks for any help,


Say I have an internal subdomain named with hosts like and Furthermore, these hosts are only accessible from the outside world through the jumphost Thus, the following ~/.ssh/config allows me to directly connect to either of the internal hosts from outside:

Host foo bar

This is fine for a subdomain with only a couple of hosts, but it quickly becomes rather unmaintainable if the number of hosts is large and / or changes occasionally. But wildcards may come to the rescue:

Host *

This avoids the maintenance issue, but forces one to always specify the fully qualified hostname to connect, which is rather tedious. From looking at the ssh_config man-page, the CanonicalizeHostname and CanonicalDomains options seem to fix that:

CanonicalizeHostname always
CanonicalDomains Host *

But this would only work if the name lookup for the host that is to be connected succeeds. But as these hosts are internal by definition, it is no surprise that name resolution fails.

A not really helpful but very illustrative hack is to fake successful name resolutions by just adding all the internal hosts as aliases for e.g. to /etc/hosts, i.e. adding the following line to /etc/hosts:

With that line in place, the last ~/.ssh/config works like a charm. But apart from the fact that this would be quite a hack, it only shifts the maintenance issue from ~/.ssh/config to /etc/hosts.

As the described scenario should not be so uncommon, is there a way to make it work? To phrase it in one sentence again:

I want to be able to ssh to all internal hosts that live in the, i.e. that are only accessible through the jumphost without having to list each of these hosts somewhere, as they may frequently be added or removed from the internal domain and without being forced to always type their fully qualified hostnames.
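
Added example, not part of the original post and not OpenSSH code: a simplified Python model of the behaviour described above, where a short name is only rewritten to a canonical name if the candidate resolves, so the wildcard Host block never matches for unresolvable internal hosts. The names internal.example and jump.example, the ProxyJump entry and the function names are constructed placeholders, since the post's real names are not shown.

```python
from fnmatch import fnmatchcase

# Constructed placeholders; the real domain and jumphost are not shown in the post.
CANONICAL_DOMAINS = ["internal.example"]
MAX_DOTS = 1  # ssh_config default for CanonicalizeMaxDots
# Simplified stand-in for ~/.ssh/config: (Host pattern, options), first value wins.
CONFIG = [("*.internal.example", {"ProxyJump": "jump.example"})]


def canonicalize(name, resolvable):
    """Model of CanonicalizeHostname: a candidate is accepted only if it resolves."""
    if name.count(".") > MAX_DOTS:
        return name  # too many dots: canonicalization is not attempted
    for domain in CANONICAL_DOMAINS:
        candidate = f"{name}.{domain}"
        if candidate in resolvable:  # stands in for a successful local lookup
            return candidate
    # CanonicalizeFallbackLocal yes (default): continue with the name as typed.
    return name


def effective_options(name, resolvable):
    """Return (final hostname, options) after canonicalization and Host matching."""
    final = canonicalize(name, resolvable)
    options = {}
    for pattern, opts in CONFIG:
        if fnmatchcase(final, pattern):
            for key, value in opts.items():
                options.setdefault(key, value)
    return final, options


if __name__ == "__main__":
    cases = [
        ("foo", set()),                       # internal name does not resolve
        ("foo", {"foo.internal.example"}),    # /etc/hosts alias makes it resolve
        ("foo.internal.example", set()),      # fully qualified name typed by hand
    ]
    for name, resolvable in cases:
        print(name, sorted(resolvable), "->", effective_options(name, resolvable))
```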
