CanonicalHostname and ssh connections through a jumphost

Question

Say I have an internal subdomain named internal.sub.domain.net with hosts like foo.internal.sub.domain.net and bar.internal.sub.domain.net. Furthermore, these hosts are only accessible from the outside world through the jumphost internal.sub.domain.net. Thus, the following ~/.ssh/config allows me to directly connect to either of the internal hosts from outside:

Host foo bar
        HostName %h.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

This is fine for a subdomain with just only a couple of hosts, but it quickly becomes rather unmaintainable if the number of hosts is large and / or changes occasionally. But wildcards may come to the rescue:

Host *.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

This avoids the maintenance issue, but forces to always specify the fully qualified hostname to connect, which is rather tedious. From looking at the ssh_config man-page, the CannonicalizeHostname and CannonicalDomains options seems to fix that:

CannonicalizeHostname always
CannonicalDomains internal.sub.domain.net
Host *.internal.sub.domain.net
        ProxyJump internal.sub.domain.net

But this would only work if the name lookup for the host that is to be connected succeeds. But as these hosts are internal by definition, it is no surprise that name resolution fails.

A not really helpful but very illustrative hack is to fake successful name resolutions by just adding all the internal hosts as aliases for e.g. 127.0.0.1 to /etc/hosts, i.e. adding the following line to /etc/hosts:

127.0.0.1 foo.internal.sub.domain.net bar.internal.sub.domain.net

With that line in place, the last ~/.ssh/config works like a charm. But apart from the fact that this would be quite a hack, it just only shifts the maintenance issue form ~/.ssh/config to /etc/hosts.

As the described scenario should not be so uncommon, is there a way to make it work? To phrase it in one sentence again:

I want to be able to ssh to all internal hosts that live in the internal.sub.domain.net, i.e. that are only accessible through the internal.sub.domain.net jumphost without having to list each of these hosts somewhere, as they may frequently be added or removed from the internal domain and without being forced to always type their fully qualified hostnames.

Answer 1

If you are invoking ssh from a shell, you could define a short variable for the internal domain and append that to the relevant hostnames:

e.g. in your ~/.bashrc or similar:

i=".internal.sub.domain.net"

Then, on the command line:

ssh foo$i
ssh bar$i

At least until a better solution comes along. It's not perfect but it's only 2 extra characters on the command line.

Update: A better solution has come along.

A better solution, by Peter Stuge on the openssh mailing list, is to have something like this in your config file:

Host *.i
    ProxyCommand ssh -W %hnternal.sub.domain.net:%p jumphost

This enables the use of abbreviated hostnames like foo.i (rather than foo$i in my first answer). Being able to use . rather than $ is better because it doesn't require the use of the shift key.

However, this is limited to a single remote jumphost whose internal domain starts with i. I think that internal domains that start with internal. are common. If you need to connect to multiple such internal domains, the above needs a slight (but very ugly) tweak. I apologize in advance if anyone's eyes start to bleed.

For example, if you need to connect to these internal domains:

internal.a.com
internal.b.net

Then the above needs to be changed to something like this:

Host *.a
    ProxyCommand sh -c "H=%h; exec sh -c \"exec ssh -W \${H%%.a}.internal.a.com:%p jumphosta\""

Host *.b
    ProxyCommand sh -c "H=%h; exec sh -c \"exec ssh -W \${H%%.b}.internal.b.net:%p jumphostb\""

Believe me, I wish it could be simpler but that's the shortest thing that I could get to work (without using a separate shell script or environment variables).

If a username is supplied on the command line, it only applies to the jumped-to host. Your local username will be used by default for the jumphost.

If you need to use a username for the jumphost that isn't the same as your local username, add it in the ProxyCommand (e.g. jumpuser@jumphosta).