AW: AW: CanonicalHostname and ssh connections through a jumphost

Brian Candler b.candler at
Wed May 20 20:53:46 AEST 2020

On 20/05/2020 11:25, Warlich, Christof wrote:
> Ok, let me try to understand why you think this might be a circular 
> dependency.
> First, let’s complete your example:
> CanonicalizeHostname always
> CanonicalDomains
> Host *
> ProxyJump
> Currently, with this in place, when I do “ssh foo”, ssh tries to 
> resolve _/locally/_ and fails. It never looks at the 
> fact that, for the section “Host *”, a ProxyJump has been 
> defined. But, “CanonicalizeHostname always”, as opposed to 
> CanonicalizeHostname yes”, seems to be indicating that a special 
> treatment is performed  for proxied connections as described in the 
> ssh_config man-page:
> If CanonicalizeHostname is set to always, then canonicalization
> is applied to proxied connections too.

I think the full context is needed:

              Controls whether explicit hostname canonicalization is 
              The default, no, is not to perform any name rewriting and 
let the
              system resolver handle all hostname lookups.  If set to 
yes then,
              for connections that do not use a ProxyCommand or ProxyJump,
              ssh(1) will attempt to canonicalize the hostname specified 
on the
              command line using the CanonicalDomains suffixes and
              CanonicalizePermittedCNAMEs rules.  If CanonicalizeHostname is
              set to always, then canonicalization is applied to proxied 
              nections too.

The way I read this is:

1. *First* ssh decides which connection block the hostname matches (i.e. 
the Host xxx matching)

2. *Then* it performs canonicalization. It's performed if:
     (a) CanonicalizeHostname is "always"; or
     (b) CanonicalizeHostname is "yes" and there is no 
ProxyCommand/ProxyJump in the block

After canonicalization, it will match the blocks again:

              If this option is enabled, then the configuration files 
are pro‐
              cessed again using the new target name to pick up any new 
              uration in matching Host and Match stanzas.

> Thus, I would consider it to be reasonable behavior if ssh would (_if_ 
> CanonicalizeHostname is set to always) just _/use/_ the ProxyJump 
> command related to that section to test if the host is 
> resolvable (from within the subnet).
But in order to do that, I think it would have to establish an ssh 
connection to all the ProxyJump hosts in the config, until it hits on 
the right one.  Consider:

CanonicalizeHostname always

Host *

Host *

Host *

Given bareword hostname "qux", currently it won't match any of those 
Host patterns.  I think you're asking it to try all the ProxyJump 
commands in turn, until it happens on one which is able to resolve the 
name.  That would involve opening up ssh connections to all the 
ProxyJump hosts in turn.  If not, what would you expect it to do?

If that's what you want, Jö Fahlke gave a way to do that using Match ... 
host=... exec=...

Or to send all unqualified names to a single host:

Host !*.*  *



More information about the openssh-unix-dev mailing list