Re: CanonicalHostname and ssh connections through a jumphost

On Tue, 19 May 2020, 14:28:04 +0000, Warlich, Christof wrote:
> I want to be able to ssh to all internal hosts that live in the
> internal.sub.domain.net, i.e. that are only accessible through the
> internal.sub.domain.net jumphost without having to list each of these hosts
> somewhere, as they may frequently be added or removed from the internal
> domain and without being forced to always type their fully qualified
> hostnames.

Hi Christof,

the question is: how do you want ssh to recognize that you are trying to
connect to an internal host?  Here are three suggestions (none of which I've
tried, so there may be syntax errors and the like):

If you are fine with considering any unqualified hostname as internal, you can
try something like this:

| Host !*.* *
|         HostName %h.internal.sub.domain.net
|         ProxyJump internal.sub.domain.net

(Perhaps add !localhost to the exclusion)

If you are fine with specifying explicitly that you are going to ssh to
something internal, I'd put the above into ~/.ssh/config.internal and use the
following shell alias (or put the equivalent into a shell script in
e.g. ~/bin/):

| alias issh='ssh -F ~/.ssh/config.internal'

Beware that this will ignore the system-wide configuration file, so you may
want to refine that trickery a bit.  E.g. you can keep the configuration in
the main config file, and use the alias to invoke ssh with a magic environment
variable set, and make the configuration dependent on that environment
variable using a Match block rather than a Host block.

Finally, if a separate command is not an option for you and you still want to
connect to an unbounded set of non-internal unqualified hosts in addition to
an unbounded set of internal unqualified hosts, you can try to determine
whether a given host is internal like this:

| Match host="!*.*,*" exec="ssh internal.sub.domain.net getent hosts %h.internal.sub.domain.net"
|         HostName %h.internal.sub.domain.net
|         ProxyJump internal.sub.domain.net

Depending on how ssh orders evaluation of its Match conditions, you may need
to move the matching of the host pattern into the exec as shell code to avoid
infinite recursion.

Beware that this may be subject to shell injection if you can't fully trust
the hostname ssh is invoked with.  Plus you have the overhead of an additional
ssh connection for every unqualified host you connect to.

Regards,
Jö.

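As an added example (not code from the message above, and not part of OpenSSH), the following POSIX shell script implements the lookup behind the third suggestion and addresses the shell-injection caveat raised at the end of the reply. Two points matter there: the Match exec= string is handed to the user's shell with %h already substituted, and the remote command `ssh jumphost getent hosts NAME` is handed to the login shell on the jumphost as a command string, so NAME is parsed by a shell a second time. The script therefore accepts only a single plain DNS label (letters, digits, hyphens, no dots) before it builds the fully qualified name and runs the remote lookup. The domain and jumphost names are the ones used in the thread; the LOOKUP hook, the script name is-internal and the BatchMode/ConnectTimeout options are this example's own choices.

```shell
#!/bin/sh
# Added example, not part of the original message or of OpenSSH.
# Gate for a "Match ... exec=" line: decide whether an unqualified name is an
# internal host by resolving "<name>.<INTERNAL_DOMAIN>" on the jumphost, and
# refuse anything that is not a plain DNS label before it reaches a shell.
# INTERNAL_DOMAIN and JUMPHOST are assumed values taken from the thread.

INTERNAL_DOMAIN=internal.sub.domain.net
JUMPHOST=internal.sub.domain.net

# valid_label NAME: succeed only if NAME is a single hostname label in the
# RFC 1123 style: ASCII letters, digits and hyphens, no leading or trailing
# hyphen, at most 63 characters, and no dot (qualified names are not ours).
# Everything else, including shell metacharacters, quotes and spaces, fails.
valid_label() {
    case "$1" in
        ''|*[!A-Za-z0-9-]*|-*|*-) return 1 ;;
    esac
    [ "${#1}" -le 63 ]
}

# remote_getent FQDN: the real lookup, run on the jumphost.  FQDN has already
# been validated, so it is safe as a word in the remote command string.
# BatchMode keeps a missing key or a password prompt from hanging the Match
# evaluation; ConnectTimeout bounds the extra connection per unqualified host.
remote_getent() {
    ssh -o BatchMode=yes -o ConnectTimeout=5 "$JUMPHOST" \
        getent hosts "$1" >/dev/null 2>&1
}

# is_internal NAME: exit 0 if NAME is a valid label that resolves inside
# INTERNAL_DOMAIN.  LOOKUP may name another command (a test double or a
# local resolver); it defaults to remote_getent.
is_internal() {
    valid_label "$1" || return 1
    "${LOOKUP:-remote_getent}" "$1.$INTERNAL_DOMAIN"
}

# When run as a script with one argument, behave as the exec= command of
#   Match host="!*.*,*" exec="~/bin/is-internal %h"
# and report the decision through the exit status, which is what Match uses.
if [ "$#" -eq 1 ]; then
    is_internal "$1"
    exit $?
fi
```

The validation inside the script protects the argument it passes to ssh and, through that, the command string the jumphost's shell parses; it cannot protect the local exec= line itself, because %h is substituted into that line before the user's shell reads it, so keeping the host pattern in front of the exec criterion (as in the reply's Match line) still matters. Rejecting dotted names also keeps the script from ever looking up the jumphost's own name and recursing into a second Match evaluation.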

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
