AW: AW: CanonicalHostname and ssh connections through a jumphost
Brian Candler
b.candler at pobox.com
Wed May 20 20:53:46 AEST 2020
On 20/05/2020 11:25, Warlich, Christof wrote:
>
> Ok, let me try to understand why you think this might be a circular
> dependency.
>
> First, let’s complete your example:
>
> CanonicalizeHostname always
> CanonicalDomains example.com
>
> Host *.example.com
>     ProxyJump proxy.example.com
>
> Currently, with this in place, when I do “ssh foo”, ssh tries to
> resolve foo.example.com _/locally/_ and fails. It never looks at the
> fact that, for the section “Host *.example.com”, a ProxyJump has been
> defined. But, “CanonicalizeHostname always”, as opposed to
> “CanonicalizeHostname yes”, seems to be indicating that a special
> treatment is performed for proxied connections as described in the
> ssh_config man-page:
>
> If CanonicalizeHostname is set to always, then canonicalization
> is applied to proxied connections too.
>
I think the full context is needed:
CanonicalizeHostname
    Controls whether explicit hostname canonicalization is performed.
    The default, no, is not to perform any name rewriting and let the
    system resolver handle all hostname lookups. If set to yes then,
    for connections that do not use a ProxyCommand or ProxyJump,
    ssh(1) will attempt to canonicalize the hostname specified on the
    command line using the CanonicalDomains suffixes and
    CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
    set to always, then canonicalization is applied to proxied
    connections too.
The way I read this is:
1. *First* ssh decides which connection block the hostname matches (i.e.
the Host xxx matching)
2. *Then* it performs canonicalization. It's performed if:
(a) CanonicalizeHostname is "always"; or
(b) CanonicalizeHostname is "yes" and there is no
ProxyCommand/ProxyJump in the block
After canonicalization, it will match the blocks again:
    If this option is enabled, then the configuration files are
    processed again using the new target name to pick up any new
    configuration in matching Host and Match stanzas.
> Thus, I would consider it to be reasonable behavior if ssh would (_if_
> CanonicalizeHostname is set to always) just _/use/_ the ProxyJump
> command related to that section to test if the foo.example.com host is
> resolvable (from within the example.com subnet).
>
But in order to do that, I think it would have to establish an ssh
connection to all the ProxyJump hosts in the config, until it hits on
the right one. Consider:
CanonicalizeHostname always
Host *.foo.com
    ProxyJump proxy.foo.com
Host *.bar.com
    ProxyJump proxy.bar.com
Host *.baz.com
    ProxyJump proxy.baz.com
Given bareword hostname "qux", currently it won't match any of those
Host patterns. I think you're asking it to try all the ProxyJump
commands in turn, until it happens on one which is able to resolve the
name. That would involve opening up ssh connections to all the
ProxyJump hosts in turn. If not, what would you expect it to do?
If that's what you want, Jö Fahlke gave a way to do that using Match ...
host=... exec=...
Or to send all unqualified names to a single host:
Host !*.* *
    ProxyJump blah.whatever.com
Regards,
Brian.
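To make the matching order Brian describes concrete, here is an added model of ssh's Host matching and canonicalization (example code written for this archive page, not OpenSSH's own implementation). It assumes a constructed local resolver, that "first obtained value wins" also holds across the post-canonicalization pass, and uses Christof's config plus Brian's "Host !*.* *" catch-all as sample input.

```python
import fnmatch

# Constructed ssh_config fragments, modelled as ordered (Host patterns, options) blocks.
CHRISTOF_CONFIG = [(["*.example.com"], {"ProxyJump": "proxy.example.com"})]
# Brian's catch-all for unqualified names, appended after the block above.
CATCHALL_CONFIG = CHRISTOF_CONFIG + [(["!*.*", "*"], {"ProxyJump": "blah.whatever.com"})]
CANONICAL_DOMAINS = ["example.com"]
# Constructed stand-in for the local resolver: the only names it can resolve.
LOCAL_RESOLVABLE = {"proxy.example.com", "www.example.com"}

def host_block_matches(patterns, hostname):
    """Host line semantics from ssh_config(5): a matching negated ("!") pattern
    excludes the block; otherwise any matching positive pattern selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatch.fnmatchcase(hostname, pat[1:]):
                return False
        elif fnmatch.fnmatchcase(hostname, pat):
            matched = True
    return matched

def apply_blocks(hostname, config, effective):
    """Merge matching blocks into `effective`; the first obtained value wins."""
    for patterns, options in config:
        if host_block_matches(patterns, hostname):
            for key, value in options.items():
                effective.setdefault(key, value)
    return effective

def canonicalize(hostname, domains, resolvable, max_dots=1):
    """Try each CanonicalDomains suffix and keep the first candidate the local
    resolver knows; names with more than max_dots dots are left alone."""
    if hostname.count(".") > max_dots:  # CanonicalizeMaxDots defaults to 1
        return hostname
    for domain in domains:
        candidate = f"{hostname}.{domain}"
        if candidate in resolvable:
            return candidate
    return hostname  # nothing resolved locally, so the name is unchanged

def resolve_proxyjump(hostname, config, domains=CANONICAL_DOMAINS, resolvable=LOCAL_RESOLVABLE):
    """Brian's two-pass order: match Host blocks, canonicalize, match again.
    Returns (name ssh will connect to, ProxyJump host or None)."""
    effective = apply_blocks(hostname, config, {})
    canonical = canonicalize(hostname, domains, resolvable)
    if canonical != hostname:
        apply_blocks(canonical, config, effective)  # second pass fills only unset options
    return canonical, effective.get("ProxyJump")
```

With "foo" unresolvable locally the name stays bare and never reaches the `*.example.com` block (Christof's case), while the catch-all block picks it up on the first pass because a dotless name matches `!*.* *`.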