Brian Candler <b.candler@xxxxxxxxx> wrote:
>
> host *.example.com
>     ProxyJump proxy.example.com
>
> The argument would be the same. If you try to ssh to an unqualified
> host like "foo", then you don't know that it might be resolvable via
> the given ProxyJump host until you first know that it matches
> *.example.com - a circular dependency.

Ok, let me try to understand why you think this might be a circular
dependency. First, let's complete your example:

    CanonicalizeHostname always
    CanonicalDomains example.com

    Host *.example.com
        ProxyJump proxy.example.com

Currently, with this in place, when I do "ssh foo", ssh tries to resolve
foo.example.com _locally_ and fails. It never looks at the fact that,
for the section "Host *.example.com", a ProxyJump has been defined.

But, "CanonicalizeHostname always", as opposed to "CanonicalizeHostname
yes", seems to be indicating that a special treatment is performed for
proxied connections as described in the ssh_config man-page:

    If CanonicalizeHostname is set to always, then canonicalization
    is applied to proxied connections too.

Thus, I would consider it to be reasonable behavior if ssh would (_if_
CanonicalizeHostname is set to always) just _use_ the ProxyJump command
related to that section to test if the foo.example.com host is
resolvable (from within the example.com subnet).

Cheers,
Chris