CanonicalHostname and ssh connections through a jumphost

Peter Stuge peter at stuge.se
Sat May 23 02:09:18 AEST 2020


Hi Christof,

Warlich, Christof wrote:
> Instead of just trying to resolve one in the list of potential fully
> qualified hostnames locally (which cannot work as the host is only known
> in some remote subnet accessible through the ProxyJump command), the
> command defined in ProxyJump should be used to resolve the fully
> qualified hostname in that remote subnet.

Please compare the ProxyJump and ProxyCommand options.

Note that ProxyJump is shorthand for one particular (common) ProxyCommand
pattern, and also note that ProxyCommand has rather limited semantics -
nothing that allows explicit name resolution other than the one-shot
attempt to connect to a destination, and waiting for success or timeout.

My point is that neither ProxyJump nor ProxyCommand describes a command
that executes remotely; they both result in an extra command being
executed locally, on the initial client.

That command (ssh -W) instructs the jumphost sshd to connect to the given
destination by way of a "direct-tcpip" channel, and the destination sent
in that CHANNEL_OPEN request is either what the user typed in the original
client command or a configured HostName.


I hope this helps.

//Peter
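
The CHANNEL_OPEN request described above, as an added example that is not part of the original message or of OpenSSH: a Python sketch that encodes and decodes the "direct-tcpip" payload laid out in RFC 4254 section 7.2, showing that the destination travels as a name string which the jumphost side then has to resolve. The function names, the host name db1.lab.example and the window and packet sizes are constructed for illustration.

```python
import struct

SSH_MSG_CHANNEL_OPEN = 90  # message number from RFC 4254


def _string(data: bytes) -> bytes:
    """SSH 'string': uint32 length followed by the raw bytes."""
    return struct.pack(">I", len(data)) + data


def build_direct_tcpip_open(host, port, sender_channel=0, window=2097152,
                            max_packet=32768, orig_addr="127.0.0.1", orig_port=0):
    """Client side: payload of CHANNEL_OPEN "direct-tcpip" (sizes are constructed)."""
    return (bytes([SSH_MSG_CHANNEL_OPEN]) + _string(b"direct-tcpip")
            + struct.pack(">III", sender_channel, window, max_packet)
            + _string(host.encode("ascii")) + struct.pack(">I", port)
            + _string(orig_addr.encode("ascii")) + struct.pack(">I", orig_port))


def parse_direct_tcpip_open(payload: bytes) -> dict:
    """Jumphost side: recover the destination exactly as the client sent it."""
    pos = 0

    def take(n):
        nonlocal pos
        if pos + n > len(payload):
            raise ValueError("truncated CHANNEL_OPEN payload")
        chunk = payload[pos:pos + n]
        pos += n
        return chunk

    def u32():
        return struct.unpack(">I", take(4))[0]

    if take(1)[0] != SSH_MSG_CHANNEL_OPEN:
        raise ValueError("not a CHANNEL_OPEN message")
    if take(u32()) != b"direct-tcpip":
        raise ValueError("not a direct-tcpip channel")
    sender, window, max_packet = u32(), u32(), u32()
    host = take(u32()).decode("ascii")  # still a name; no lookup has happened yet
    port = u32()
    orig_addr = take(u32()).decode("ascii")
    return {"host": host, "port": port, "sender_channel": sender,
            "window": window, "max_packet": max_packet,
            "orig_addr": orig_addr, "orig_port": u32()}


if __name__ == "__main__":
    # Constructed destination: the string the user typed, or a configured HostName.
    request = build_direct_tcpip_open("db1.lab.example", 22)
    print(parse_direct_tcpip_open(request))
```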


More information about the openssh-unix-dev mailing list