Re: CanonicalHostname and ssh connections through a jumphost

Warlich, Christof christof.warlich at siemens.com
Wed May 20 18:58:27 AEST 2020


Hi Brian,

Brian Candler wrote:
> On 20/05/2020 08:11, Warlich, Christof wrote:
> > Instead of just trying to resolve one in the list of potential fully
> > qualified hostnames locally (which cannot work as the host is only
> > known in some remote subnet accessible through the ProxyJump command),
> > the command defined in ProxyJump should be used to resolve the fully qualified hostname in that remote subnet.
>
> That sounds like a chicken-and-egg situation. You have:
>
> host *.example.com
>    ProxyJump blah
>
> but you don't know that you should use this entry until you know that the unqualified name can be qualified to *.example.com.
>
> ISTM that if you want the ProxyJump host to work that way, you'd have to try every ProxyJump entry in the file, and ask them in turn to resolve the name until you find one that works.

This seems to be a misunderstanding: Yes, there would be a chicken-and-egg situation if the ProxyJump command only knew an unqualified hostname, like "blah" in your example. But that's not what I'm heading for: To recap a part from my initial post on that topic, I am thinking of an ssh config like this:

        CanonicalizeHostname always
        CanonicalDomains internal.sub.domain.net
        Host *.internal.sub.domain.net
            ProxyJump internal.sub.domain.net

        But this would only work if the name lookup for the host that is to be connected succeeds.
        But as these hosts are internal by definition, it is no surprise that name resolution fails.

        A not really helpful but very illustrative hack is to fake successful name resolutions by just
        adding all the internal hosts as aliases for e.g. 127.0.0.1 to /etc/hosts, i.e. adding the following
        line to /etc/hosts:

        127.0.0.1 foo.internal.sub.domain.net bar.internal.sub.domain.net

        With that line in place, the last ~/.ssh/config works like a charm. But apart from the fact that
        this would be quite a hack, it only shifts the maintenance issue from ~/.ssh/config to /etc/hosts.

As can be seen, there was no intent or reason to have an unqualified hostname in ProxyJump. Instead, say there is an internal host named foo (i.e. foo.internal.sub.domain.net), I want to be able to ssh to it by just typing "ssh foo", which currently does not work because ssh tries to resolve foo.internal.sub.domain.net _locally_, where it is not known by definition, instead of using the "directions" given in ProxyJump.
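To make the ordering behind this behaviour visible, here is an added Python model (written for this page; it is neither OpenSSH's code nor anything posted in the thread) of how ssh applies CanonicalizeHostname and CanonicalDomains: each candidate name is checked with the local resolver before any Host block is re-matched, so the ProxyJump entry is only reached when a local lookup of foo.internal.sub.domain.net succeeds, which is precisely what the /etc/hosts line fakes. The resolver is a constructed set of resolvable names standing in for getaddrinfo, and the config is the one from the mail with the option names spelled as OpenSSH expects.

```python
import fnmatch

# Constructed ssh_config matching the one in the mail.
SSH_CONFIG = """
CanonicalizeHostname always
CanonicalDomains internal.sub.domain.net
Host *.internal.sub.domain.net
    ProxyJump internal.sub.domain.net
"""


def parse_config(text):
    """Return (global options, [(host patterns, options)]), keys lower-cased."""
    globals_, blocks, current = {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key = key.lower()
        if key == "host":
            current = {}
            blocks.append((value.split(), current))
        elif current is None:
            globals_[key] = value
        else:
            current[key] = value
    return globals_, blocks


def canonicalize(name, domains, resolves, max_dots=1):
    """Model of CanonicalizeHostname: names with at most max_dots dots
    (CanonicalizeMaxDots default) get each CanonicalDomains suffix appended
    and are tried with the *local* resolver; the first hit wins, otherwise
    the original name is kept (CanonicalizeFallbackLocal yes)."""
    if name.count(".") > max_dots:
        return name
    for domain in domains:
        candidate = f"{name}.{domain}"
        if resolves(candidate):
            return candidate
    return name


def effective_options(config_text, name, resolves):
    """Canonicalize first, then match Host blocks against the canonical name."""
    globals_, blocks = parse_config(config_text)
    host = canonicalize(name, globals_.get("canonicaldomains", "").split(), resolves)
    opts = dict(globals_)
    for patterns, block in blocks:
        if any(fnmatch.fnmatchcase(host, p) for p in patterns):
            for key, value in block.items():
                opts.setdefault(key, value)  # first obtained value wins
    return host, opts.get("proxyjump")


# Constructed resolvers: nothing internal resolves locally, unless the
# /etc/hosts hack from the mail adds the internal names as 127.0.0.1 aliases.
LOCAL_DNS = frozenset()
HOSTS_HACK = frozenset({"foo.internal.sub.domain.net", "bar.internal.sub.domain.net"})
```

Calling `effective_options(SSH_CONFIG, "foo", LOCAL_DNS.__contains__)` yields `("foo", None)`, i.e. no canonical name and no ProxyJump, while the same call with `HOSTS_HACK` yields the canonical name together with `internal.sub.domain.net` as the jump host.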


More information about the openssh-unix-dev mailing list