CanonicalHostname and ssh connections through a jumphost

Wed May 20 00:28:04 AEST 2020

Hi,

I have a question w.r.t. OpenSSH that I've posted to Stackoverflow:

https://stackoverflow.com/questions/61723825/canonicalhostname-and-ssh-connections-through-a-jumphost

Is it appropriate to ask here by posting the link? IMHO, the formatting capabilities there make it easier to read, but just in case, I've amended the question below as well ��.

Many thanks for any help,

Chris

Say I have an internal subdomain named internal.sub.domain.net with hosts like foo.internal.sub.domain.net and bar.internal.sub.domain.net. Furthermore, these hosts are only accessible from the outside world through the jumphost internal.sub.domain.net. Thus, the following ~/.ssh/config allows me to directly connect to either of the internal hosts from outside:

Host foo bar
        HostName %h.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

This is fine for a subdomain with just only a couple of hosts, but it quickly becomes rather unmaintainable if the number of hosts is large and / or changes occasionally. But wildcards may come to the rescue:

Host *.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

This avoids the maintenance issue, but forces to always specify the fully qualified hostname to connect, which is rather tedious. From looking at the ssh_config man-page, the CannonicalizeHostname and CannonicalDomains options seems to fix that:

CannonicalizeHostname always
CannonicalDomains internal.sub.domain.net Host *.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

But this would only work if the name lookup for the host that is to be connected succeeds. But as these hosts are internal by definition, it is no surprise that name resolution fails.

A not really helpful but very illustrative hack is to fake successful name resolutions by just adding all the internal hosts as aliases for e.g. 127.0.0.1 to /etc/hosts, i.e. adding the following line to /etc/hosts:

127.0.0.1 foo.internal.sub.domain.net bar.internal.sub.domain.net

With that line in place, the last ~/.ssh/config works like a charm. But apart from the fact that this would be quite a hack, it just only shifts the maintenance issue form ~/.ssh/config to /etc/hosts.

As the described scenario should not be so uncommon, is there a way to make it work? To phrase it in one sentence again:

I want to be able to ssh to all internal hosts that live in the internal.sub.domain.net, i.e. that are only accessible through the internal.sub.domain.net jumphost without having to list each of these hosts somewhere, as they may frequently be added or removed from the internal domain and without being forced to always type their fully qualified hostnames.