AW: AW: AW: CanonicalHostname and ssh connections through a jumphost

Warlich, Christof christof.warlich at
Wed May 20 22:54:52 AEST 2020

Brian Candler <b.candler at>  wrote:
> I think the full context is needed:
>      CanonicalizeHostname
>              Controls whether explicit hostname canonicalization is performed.
>              The default, no, is not to perform any name rewriting and let the
>              system resolver handle all hostname lookups.  If set to yes then,
>              for connections that do not use a ProxyCommand or ProxyJump,
>              ssh(1) will attempt to canonicalize the hostname specified on the
>              command line using the CanonicalDomains suffixes and
>              CanonicalizePermittedCNAMEs rules.  If CanonicalizeHostname is
>              set to always, then canonicalization is applied to proxied
>              connections too.
> The way I read this is:
> 1. *First* ssh decides which connection block the hostname matches (i.e. the Host xxx matching)
> 2. *Then* it performs canonicalization. It's performed if:
>     (a) CanonicalizeHostname is "always"; or
>     (b) CanonicalizeHostname is "yes" and there is no ProxyCommand/ProxyJump in the block
> After canonicalization, it will match the blocks again:
> If this option is enabled, then the configuration files are processed
> again using the new target name to pick up any new configuration
> in matching Host and Match stanzas.
> Christof Warlich wrote:
> > Thus, I would consider it to be reasonable behavior if ssh would
> > (_if_ CanonicalizeHostname is set to always) just _use_ the
> >  ProxyJump command related to that section to test if the
> > host is resolvable (from within the subnet).
> But in order to do that, I think it would have to establish an ssh connection to all the ProxyJump hosts in the config, until it hits on the right one.  Consider:
> CanonicalizeHostname always
> Host *
>        ProxyJump
> Host *
>         ProxyJump
> Host *
>        ProxyJump
> Given bareword hostname "qux", currently it won't match any of those Host patterns.
> I think you're asking it to try all the ProxyJump commands in turn, until it happens on
> one which is able to resolve the name.  That would involve opening up ssh connections
> to all the ProxyJump hosts in turn.

Yes, that’s exactly what I am asking for _if_ CanonicalizeHostname is set to always. Wouldn’t
this be the most similar behavior to the “ordinary” case, where all domains are tried with the
qux hostname until one is found that has that host?

> If that's what you want, Jö Fahlke gave a way to do that using Match ... host=... exec=...
> Or to send all unqualified names to a single host:
> Host !*.*  *
>         ProxyJump
Yes, Jö Fahlke’s suggestions are definitely more than worth considering, especially as (or until)
ssh cannot do what I really would have liked it to do.

Finally, the difference between “CanonicalizeHostname yes” and “CanonicalizeHostname always”
is a miracle to me, and I would very much appreciate an example where using either of them
makes a difference.
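
A simplified model of the two-pass behaviour in the ssh_config(5) text quoted above, added here as an example (not part of the original message and not OpenSSH code). The host names, domains and the LOCAL_DNS table are constructed; it assumes lookups go through the client's own resolver, glob-only Host patterns, and the defaults CanonicalizeMaxDots 1 and CanonicalizeFallbackLocal yes.

```python
from fnmatch import fnmatchcase

# Constructed sample data; every name here is hypothetical.
LOCAL_DNS = {"qux.lab.example", "jump.example"}  # names the client's resolver knows
CANONICAL_DOMAINS = ["corp.example", "lab.example"]

def proxy_for(host, blocks):
    """ProxyJump of the first Host pattern matching `host`, else None."""
    for pattern, jump in blocks:
        if fnmatchcase(host, pattern):
            return jump
    return None

def canonicalize(host, mode, proxied, max_dots=1):
    """'yes' skips proxied connections, 'always' does not (quoted man page rule).
    Assumption of this model: candidates are checked against the local resolver."""
    if mode == "no" or (proxied and mode != "always"):
        return host
    if host.count(".") > max_dots:
        return host
    for domain in CANONICAL_DOMAINS:
        candidate = f"{host}.{domain}"
        if candidate in LOCAL_DNS:
            return candidate
    return host  # fallback: keep the typed name, let the system resolver try

def final_target(host, mode, blocks):
    """Pass 1 on the typed name, canonicalize, then pass 2 on the new name."""
    first_jump = proxy_for(host, blocks)
    name = canonicalize(host, mode, proxied=first_jump is not None)
    # The first value obtained for an option wins, so a pass-1 ProxyJump stays.
    return name, first_jump or proxy_for(name, blocks)

# Case A: the typed name matches no Host block, so pass 1 sees no proxy.
DIRECT_FIRST_PASS = [("*.lab.example", "jump.example")]
# Case B: the typed name already matches a block that sets ProxyJump.
PROXIED_FIRST_PASS = [("qux", "jump.example"), ("*.lab.example", "jump.example")]

if __name__ == "__main__":
    for label, blocks in (("A", DIRECT_FIRST_PASS), ("B", PROXIED_FIRST_PASS)):
        for mode in ("yes", "always"):
            print(label, mode, final_target("qux", mode, blocks))
```

In case A both settings give the same result because no proxy is known when canonicalization runs; they differ only in case B. A name that only the jump host can resolve stays unchanged under either setting in this model.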



More information about the openssh-unix-dev mailing list