On 20/05/2020 11:25, Warlich, Christof wrote:
> Ok, let me try to understand why you think this might be a circular
> dependency.
>
> First, let’s complete your example:
>
>     CanonicalizeHostname always
>     CanonicalDomains example.com
>     Host *.example.com
>         ProxyJump proxy.example.com
>
> Currently, with this in place, when I do “ssh foo”, ssh tries to
> resolve foo.example.com _locally_ and fails. It never looks at the
> fact that, for the section “Host *.example.com”, a ProxyJump has been
> defined. But, “CanonicalizeHostname always”, as opposed to
> “CanonicalizeHostname yes”, seems to be indicating that a special
> treatment is performed for proxied connections as described in the
> ssh_config man-page:
>
>     If CanonicalizeHostname is set to always, then canonicalization
>     is applied to proxied connections too.
I think the full context is needed:
    CanonicalizeHostname
            Controls whether explicit hostname canonicalization is performed.
            The default, no, is not to perform any name rewriting and let the
            system resolver handle all hostname lookups.  If set to yes then,
            for connections that do not use a ProxyCommand or ProxyJump,
            ssh(1) will attempt to canonicalize the hostname specified on the
            command line using the CanonicalDomains suffixes and
            CanonicalizePermittedCNAMEs rules.  If CanonicalizeHostname is
            set to always, then canonicalization is applied to proxied
            connections too.
The way I read this is:
1. *First* ssh decides which connection block the hostname matches (i.e.
the Host xxx matching)
2. *Then* it performs canonicalization. It's performed if:
(a) CanonicalizeHostname is "always"; or
(b) CanonicalizeHostname is "yes" and there is no
ProxyCommand/ProxyJump in the block
After canonicalization, it will match the blocks again:
    If this option is enabled, then the configuration files are processed
    again using the new target name to pick up any new configuration in
    matching Host and Match stanzas.
> Thus, I would consider it to be reasonable behavior if ssh would (_if_
> CanonicalizeHostname is set to always) just _use_ the ProxyJump
> command related to that section to test if the foo.example.com host is
> resolvable (from within the example.com subnet).
But in order to do that, I think it would have to establish an ssh
connection to all the ProxyJump hosts in the config, until it hits on
the right one. Consider:
    CanonicalizeHostname always
    Host *.foo.com
        ProxyJump proxy.foo.com
    Host *.bar.com
        ProxyJump proxy.bar.com
    Host *.baz.com
        ProxyJump proxy.baz.com
Given bareword hostname "qux", currently it won't match any of those
Host patterns. I think you're asking it to try all the ProxyJump
commands in turn, until it happens on one which is able to resolve the
name. That would involve opening up ssh connections to all the
ProxyJump hosts in turn. If not, what would you expect it to do?
If that's what you want, Jö Fahlke gave a way to do that using Match ...
host=... exec=...
Or to send all unqualified names to a single host:
    Host !*.* *
        ProxyJump blah.whatever.com
Regards,
Brian.
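As an added illustration (not code from the thread or from OpenSSH), a toy Python model of the two-pass processing discussed above: match the stanzas against the name as typed, canonicalize through the local resolver only, then re-process on the new name. The stanzas, the set of locally resolvable names and the function names are constructed assumptions; the model shows why `Host !*.* *` catches bare names while `CanonicalizeHostname always` still never uses a ProxyJump host to resolve them.

```python
from fnmatch import fnmatchcase

# Constructed ssh_config stand-in: (Host patterns, options) stanzas, combining
# the thread's *.example.com block with Brian's catch-all for unqualified names.
CONFIG = [
    (["*.example.com"], {"ProxyJump": "proxy.example.com"}),
    (["!*.*", "*"], {"ProxyJump": "blah.whatever.com"}),
]
CANONICAL_DOMAINS = ["example.com"]  # CanonicalDomains
MAX_DOTS = 1                         # CanonicalizeMaxDots default
LOCALLY_RESOLVABLE = {"foo.example.com", "proxy.example.com"}  # constructed local resolver

def host_matches(patterns, host):
    """A matching negated pattern rejects the stanza; else any positive match selects it."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if fnmatchcase(host, pat[1:]):
                return False
        elif fnmatchcase(host, pat):
            matched = True
    return matched

def process(host, blocks):
    """Walk stanzas in order; the first value obtained for an option wins."""
    opts = {}
    for patterns, block_opts in blocks:
        if host_matches(patterns, host):
            for key, val in block_opts.items():
                opts.setdefault(key, val)
    return opts

def canonicalize(host, mode, opts, resolves):
    """Append CanonicalDomains suffixes and test with the local resolver only."""
    proxied = "ProxyJump" in opts or "ProxyCommand" in opts
    if mode == "no" or (mode == "yes" and proxied) or host.count(".") > MAX_DOTS:
        return host  # canonicalization not attempted for this name/mode
    for domain in CANONICAL_DOMAINS:
        candidate = f"{host}.{domain}"
        if resolves(candidate):
            return candidate
    return host  # CanonicalizeFallbackLocal: keep the name as typed

def resolve_config(host, mode, blocks=CONFIG, resolves=lambda h: h in LOCALLY_RESOLVABLE):
    """Two passes: match the name as typed, canonicalize, re-match if it changed."""
    opts = process(host, blocks)
    canonical = canonicalize(host, mode, opts, resolves)
    if canonical != host:
        opts = process(canonical, blocks)
    return canonical, opts
```

Passing `resolves=lambda h: False` reproduces Christof's situation, where foo.example.com does not resolve locally and the *.example.com stanza is therefore never picked up.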
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev