CanonicalHostname and ssh connections through a jumphost

Jö Fahlke jorrit at jorrit.de
Wed May 20 17:51:55 AEST 2020


On Tue, 19 May 2020, 14:28:04 +0000, Warlich, Christof wrote:
> I want to be able to ssh to all internal hosts that live in the
> internal.sub.domain.net, i.e. that are only accessible through the
> internal.sub.domain.net jumphost without having to list each of these hosts
> somewhere, as they may frequently be added or removed from the internal
> domain and without being forced to always type their fully qualified
> hostnames.

Hi Christof,

the question is: how do you want ssh to recognize that you are trying to
connect to an internal host?  Here are three suggestions (none of which I've
tried, so there may be syntax errors and the like):

If you are fine with considering any unqualified hostname as internal, you can
try something like this:

| Host !*.* *
|         HostName %h.internal.sub.domain.net
|         ProxyJump internal.sub.domain.net

(Perhaps add !localhost to the exclusion)

If you are fine with specifying explicitly that you are going to ssh to
something internal, I'd put the above into ~/.ssh/config.internal and use the
following shell alias (or put the equivalent into a shell script in
e.g. ~/bin/):

| alias issh='ssh -F ~/.ssh/config.internal'

Beware that this will ignore the system-wide configuration file, so you may
want to refine that trickery a bit.  E.g. you can keep the configuration in
the main config file, and use the alias to invoke ssh with a magic environment
variable set, and make the configuration dependent on that environment
variable using a Match block rather than a Host block.

Finally, if a separate command is not an option for you and you still want to
connect to an unbounded set of non-internal unqualified hosts in addition to
an unbounded set of internal unqualified hosts, you can try to determine
whether a given host is internal like this:

| Match host="!*.*,*" exec="ssh internal.sub.domain.net getent hosts %h.internal.sub.domain.net"
|         HostName %h.internal.sub.domain.net
|         ProxyJump internal.sub.domain.net

Depending on how ssh orders evaluation of its Match conditions, you may need
to move the matching of the host pattern into the exec as shell code to avoid
infinite recursion.

Beware that this may be subject to shell injection if you can't fully trust
the hostname ssh is invoked with.  Plus you have the overhead of an additional
ssh connection for every unqualified host you connect to.

Regards,
Jö.
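
An added illustration of the third approach, not part of Jö's mail: the
host-pattern test is moved into the exec helper (so the Match block needs only
the exec criterion and the evaluation-order question does not arise), and the
hostname is validated as a plain label before it is handed to the jumphost.
The script name ~/bin/is-internal-host, the Match line that calls it, the
BatchMode option and the hostnames used in the test are assumptions, not
anything from the original thread.

```shell
#!/bin/sh
# Hypothetical helper for a Match exec line (assumed, not from the mail):
#
#   Match exec "~/bin/is-internal-host %h"
#           HostName %h.internal.sub.domain.net
#           ProxyJump internal.sub.domain.net
#
# Exit status 0 means "treat %h as an internal host", anything else means
# "leave it alone".  Both names below default to the values in the thread.
JUMPHOST="${JUMPHOST:-internal.sub.domain.net}"
INTERNAL_DOMAIN="${INTERNAL_DOMAIN:-internal.sub.domain.net}"

# Accept only an unqualified DNS label: non-empty, no dots (this replaces the
# "!*.*,*" host pattern), not starting with '-' (so ssh cannot mistake it for
# an option), and nothing but letters, digits and hyphens, which is exactly
# what keeps shell metacharacters away from the remote getent command.
# localhost is excluded as the mail suggests.
valid_short_name() {
    case "$1" in
        ''|*.*|-*|*[!A-Za-z0-9-]*) return 1 ;;
        localhost) return 1 ;;
    esac
    return 0
}

# Ask the jumphost whether NAME.INTERNAL_DOMAIN resolves.  Kept in its own
# function so a test can swap in a stand-in; the real one costs one extra ssh
# connection per unqualified host, as the mail warns.  The jumphost name has
# dots, so it never matches the helper itself and cannot recurse.
lookup_internal() {
    ssh -o BatchMode=yes "$JUMPHOST" getent hosts "$1.$INTERNAL_DOMAIN" >/dev/null 2>&1
}

is_internal_host() {
    valid_short_name "$1" || return 1
    lookup_internal "$1"
}

# Act on the first argument only when invoked as the installed script, so the
# file can also be sourced.
case "$0" in
    */is-internal-host|is-internal-host) is_internal_host "$1" ;;
esac
```

The character-class check means the only thing that can ever reach the
jumphost's shell is a bare label, which closes the remote half of the
injection caveat in the mail; the expansion of %h into the Match exec string
is still done locally by ssh and your shell before the script runs, so the
advice to trust the hostname ssh is invoked with applies to that part
unchanged.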
