AW: AW: CanonicalHostname and ssh connections through a jumphost

Warlich, Christof christof.warlich at
Wed May 20 20:25:20 AEST 2020

Brian Candler <b.candler at> wrote:

> host *
>   ProxyJump

> The argument would be the same.  If you try to ssh to an unqualified
> host like "foo", then you don't know that it might be resolvable via
> the given ProxyJump host until you first know that it matches
> * - a circular dependency.

Ok, let me try to understand why you think this might be a circular dependency.

First, let's complete your example:

CanonicalizeHostname always

Host *


Currently, with this in place, when I do "ssh foo", ssh tries to resolve _locally_ and fails. It never looks at the fact that, for the section "Host *", a ProxyJump has been defined. But "CanonicalizeHostname always", as opposed to "CanonicalizeHostname yes", seems to be indicating that a special treatment is performed for proxied connections, as described in the ssh_config man page:

If CanonicalizeHostname is set to always, then canonicalization
is applied to proxied connections too.

Thus, I would consider it to be reasonable behavior if ssh would (_if_ CanonicalizeHostname is set to always) just _use_ the ProxyJump command related to that section to test if the host is resolvable (from within the subnet).
