Am Di, 19. Mai 2020, 14:28:04 +0000 schrieb Warlich, Christof: > I want to be able to ssh to all internal hosts that live in the > internal.sub.domain.net, i.e. that are only accessible through the > internal.sub.domain.net jumphost without having to list each of these hosts > somewhere, as they may frequently be added or removed from the internal > domain and without being forced to always type their fully qualified > hostnames. Hi Christof, the question is: how do you want ssh to recognize that you are trying to connect to an internal host? Here are three suggestions (none of which I've tried to there may be syntax errors and the like): If you are fine with considering any unqualified hostname as internal, you can try something like this: | Host !*.* * | HostName %h.internal.sub.domain.net | ProxyJump internal.sub.domain.net (Perhaps add !localhost to the exclusion) If you are fine with specifying explicitly that you are going to ssh to something internal, I'd put the above into ~/.ssh/config.internal and use tha following shell alias (or put the equivalent into a shell script in e.g. ~/bin/): | alias issh='ssh -F ~/.ssh/config.internal' Beware that this will ignore the system-wide configuration file, so you may want to refine that trickery a bit. E.g. you can keep the configuration in the main config file, and use the alias to invoke ssh with a magic environment variable set, and make the configuration dependent on that environment variable using a Match block rather than a Host block. Finally, if a seperate command is not an option for you and you still want to connect to an unbounded set of non-internal unqualified hosts in addition to an unbounded set of internal unqualified hosts, you can try to determine whether a given host is internal like this: | Match host="!*.*,*" exec="ssh internal.sub.domain.net getent hosts %h.internal.sub.domain.net" | HostName %h.internal.sub.domain.net | ProxyJump internal.sub.domain.net Depending on how ssh orders evaluation of its Match conditions, you may need to move the matching of the host pattern into the exec as shell code to avoid infinite recursion. Beware that this may be subject to shell injection if you can't fully trust the hostname ssh is invoked with. Plus you have the overhead of an additional ssh connection for every unqualified host you connect to. Regards, Jö. --
Attachment:
signature.asc
Description: PGP signature
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
