Dealing with roaming machines

Dan Kaminsky dan at doxpara.com
Wed Dec 24 06:52:49 EST 2014


That's a good point. DHCP allows you to set DNS search parameters. So as
long as each location sets different search, "ssh fishbowl" will in fact
resolve to the proper local FQDN.

On Monday, December 22, 2014, Nico Kadel-Garcia <nkadel at gmail.com> wrote:

> On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft <madduck at madduck.net> wrote:
> > Hey folks,
> >
> > As most of everyone, I use OpenSSH for almost everything and
> > whenever I can: backups, sync, Git, configuration management, and of
> > course console sessions. So much for an intro ;)
> >
> > My laptop and I roam between three networks, though sometimes
> > I leave the laptop at the office overnight, or hop over to the third
> > site for an hour or two.
> >
> > I'd like to find a way to configure OpenSSH (or Linux in general) to
> > try the other networks if the machine cannot be found locally.
> > Unfortunately, DNS "search" in /etc/resolv.conf and
> > CanonicalizeHostname in ssh_config both don't work since they only
> > iterate the network DNS zones until a record is found, and my laptop
> > has an entry in all three zones.
>
> The problem, I think, isn't that you have an entry in all three. It's
> that you have a *shortened* hostname that is identical in all 3 DNS
> domains. If your DNS admins have gracefully set the local environments
> to each be on their own subdomain, and that subdomain is *first* in
> DHCP configured DNS, you should be golden.
>
>     laptop.internal.domain.com     # when inside the building, internaldomain.domain.com is first, then domain.com
>     laptop.vpn.domain.com          # when VPN connected, vpn.domain.com is first, then domain.com
>     laptop.machineroom.domain.com
>
> It's extra work in DNS and security policies to do this, especially if
> you're using dynamic DNS through AD. If instead, your admins have set
> up all these environments to share "domain.com", well, then you start
> getting into DNS "views" for a small domain called "laptop.domain.com"
> and different DNS "views" in each environment. Then you need quite
> short DNS TTLs, and various other requirements to avoid servers in
> the same domain having their DNS expire.
>
> Good luck with that: I deal with that kind of integration challenge a
> *lot*.
>
> > Short of creating a single DNS entry and adding all possible IPs for
> > my laptop, I am wondering if there's a way to configure OpenSSH
> > (or Linux) to try multiple DNS names until a connection can be
> > made. For extra bonus special points, this should obviously happen
> > all at once to reduce wait times.
>
> I've seen nothing, but had to deal with peculiar setups when people
> start trying to "simplify" their DNS into one master zone and not
> realizing the consequences of multiple A records. Don't get me
> *started* on people who use multiple CNAMEs for the same primary
> hostname, pointing to multiple other A records or CNAMEs!!! And do
> *not* get me going on how people think that having multiple A records
> will automatically load balance their traffic.
>
> You might personally consider a wrapper, to process "nslookup" or
> other DNS for your particular setup. But personally, I'd review the
> concept of having identical hostnames in all environments. It can be
> very helpful to deal with FQDNs and segregate your laptop's name in
> the internal environment from its name in the external or other
> environments.
>
> > Assuming that this isn't currently possible — I did search and
> > investigate — would this be a worthwhile feature to look into?
> >
> > Thanks,
> >
> > --
> > @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> It sounds intriguing. The basic C library functions are
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
>
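One way to get the "try all the names at once" behaviour martin asks for without waiting on DNS views or search lists, as an added example that is not from this thread or from OpenSSH itself: a small Python wrapper that probes every candidate FQDN concurrently and hands the first reachable one to `nc` as an ssh ProxyCommand. The script name `roamssh.py`, the three domain names and the use of `nc` are assumptions.

```python
#!/usr/bin/env python3
"""Probe shortname.<domain> for several domains at once and connect to the
first one that accepts TCP on the SSH port.  Assumed use in ~/.ssh/config:

    Host fishbowl
        ProxyCommand roamssh.py %h %p internal.domain.com vpn.domain.com machineroom.domain.com

All candidates must be the same machine: ssh checks the host key under the
alias "fishbowl", so a different host answering on one name would (rightly)
trip known_hosts."""
import os
import socket
import sys
from concurrent.futures import ThreadPoolExecutor, as_completed


def tcp_probe(host, port, timeout=2.0):
    """True if host:port accepts a TCP connection within timeout.
    Unresolvable names raise socket.gaierror, an OSError, so they count as down."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def pick_first_reachable(shortname, domains, port=22, probe=tcp_probe, timeout=2.0):
    """Fire one probe per candidate FQDN in parallel; return the first FQDN whose
    probe succeeds, or None if none do.  `probe` is injectable for testing."""
    if not domains:
        return None
    candidates = [f"{shortname}.{d}" for d in domains]
    pool = ThreadPoolExecutor(max_workers=len(candidates))
    futures = {pool.submit(probe, c, port, timeout): c for c in candidates}
    winner = None
    for fut in as_completed(futures):
        if fut.result():
            winner = futures[fut]
            break
    # Do not wait for the losing probes to time out; nothing uses their result.
    pool.shutdown(wait=False, cancel_futures=True)
    return winner


def main(argv):
    if len(argv) < 4:
        sys.exit(f"usage: {argv[0]} shortname port domain [domain ...]")
    shortname, port, domains = argv[1], int(argv[2]), argv[3:]
    winner = pick_first_reachable(shortname, domains, port)
    if winner is None:
        sys.exit(f"{shortname}: no candidate reachable on port {port}")
    os.execvp("nc", ["nc", winner, str(port)])  # hand the stream to ssh


if __name__ == "__main__":
    main(sys.argv)
```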

