Hi We are using multiplexing which works well in most cases. However we have run into a case where the '%C' token for ControlPath isn't unique enough. %C is a hash of: %l The local hostname, including the domain name. %h The remote hostname. %p The remote port. %r The remote username. We have a number of different environments that each have their own jumphost, which is used to reach a number of backend hosts. The SSH config such an environment looks like this: Host customer1-jumphost Hostname 3.25.90.121 User admin # Backend Host customer1-acc-web1 Hostname 10.0.1.55 User admin ProxyJump customer1-jumphost Host customer1-acc-web2 Hostname 10.0.1.57 User admin ProxyJump customer1-jumphost Host customer1-prod-web1 Hostname 10.0.1.39 User admin ProxyJump customer1-jumphost Host customer1-prod-web2 Hostname 10.0.1.39 User admin ProxyJump customer1-jumphost We have a number of them, so the second one: Host customer2-jumphost Hostname 3.132.66.18 User admin # Backend Host customer2-acc-web1 Hostname 10.0.1.12 User admin ProxyJump customer2-jumphost Host customer2-acc-web2 Hostname 10.0.1.14 User admin ProxyJump customer2-jumphost Host customer2-prod-web1 Hostname 10.0.1.44 User admin ProxyJump customer2-jumphost Host customer2-prod-web2 Hostname 10.0.1.47 User admin ProxyJump customer2-jumphost The backend nodes are assigned random IP addresses but from static pools, so it is quite common that the same backend IP exists for different customers. This is when things start to break as all the four components that are used to create the %C hash are the same, so ssh-ing to one host will actually sign you in to different host. I've experimented a bit with combinations of other tokens but then I eventually run into file system issues with the path being invalid or too long. This is what the hashing concept of %C was meant to address, but it's static token composition can be limiting. In my case, adding %n (The original remote hostname, as given on the command line) to the hash would fix things. A configuration option that defines the tokens to be included in the hash would be ideal. Something like "ControlPathHashTokens" which would default to the current set of %l%h%p%r. Is it worth submitting this as an enhancement to the bugtracker? thx -- Dick Visser Trust & Identity Service Operations Manager GÉANT _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev