My company has three separate jump hosts. Something like: jump1.example.com, jump2.example.com, and jump3.example.com

All internal servers must be accessed through these jumphosts:

local ---> jump1.example.com ---> internal.example.com 

We have lots of internal servers, so to simplify I created a config file like so:

.ssh/config:

    Host jump1.example.com jump2.example.com jump3.example.com
        ForwardAgent yes
        ProxyCommand none

    Host *.example.com
        PubkeyAuthentication yes
        User sbarnett
        IdentityFile ~/.ssh/id_rsa
        IdentitiesOnly yes
        ProxyCommand ssh -q -W %h:%p jump1.example.com

Note that my public key is located on every one of these machines, so this setup works perfectly. I can type ssh internal.example.com and it will properly proxy through jump1.example.com and connect with my private key.

Here's what I want to do, though: instead of typing jump1.example.com or internal.example.com, I'd like to just type ssh jump1 or ssh internal.

I know that this can be configured per host like so:

    Host internal
        HostName internal.example.com
        PubkeyAuthentication yes
        User sbarnett
        IdentityFile ~/.ssh/id_rsa
        IdentitiesOnly yes
        ProxyCommand ssh -q -W %h:%p jump1.example.com

However if I try the much simpler:

    Host internal
        HostName internal.example.com

Then my generic config options (under *.example.com) are not loaded when I try to use ssh internal, so it doesn't use the proxy and doesn't use the identity file, preventing me from connecting.

Is there a way to say "if the host name is *.example.com (not necessarily the host) then apply these settings"?

Bonus points for a way to redirect * to *.example.com if and only if * does not exist (e.g. - when connecting to [email protected] I don't want it to redirect to [email protected])

1 Answer

The option you're looking for is CanonicalizeHostname.

If you add these to the top of your .ssh/config, ssh internal will try to DNS-resolve your entry speculatively as internal.example.com, and if successful, it will process it matching Host *.example.com. The CanonicalDomains line can have multiple entries that are tried in order.

    CanonicalDomains example.com
    CanonicalizeHostname yes

  • So this seemed to half-work, with two weird quirks. First, after canonicalizing a host, it seemed to ignore some of my settings. I tried ssh jump1 and it connected, but asked for a password (even though ssh jump1.example.com uses my private key). Second, it only seemed to canonicalize hosts without dots in them. I tried ssh internal.server.1 and instead of connecting to internal.server.1.example.com it just failed, saying "Could not resolve hostname". Commented Jul 18, 2018 at 19:45
  • Doing some googling I found out I can fix the second issue with CanonicalizeMaxDots X (I used X = 3). Although it's still not using my private key to connect when I use the canonical domain. Commented Jul 18, 2018 at 19:52
  • Might try with CanonicalizeHostname set to always. Commented Jul 18, 2018 at 20:00
  • Actually, you can ignore the other issue I had. I just discovered a stray Host *\nPubkeyAuthentication no in my ssh config (which was being overridden by Host *.example.com\nPubkeyAuthentication yes above). Ripped that out and it's now properly using my private key. Commented Jul 18, 2018 at 20:01
  • Wishing I could give a +2 to an answer. In just the last week this trick has saved me soooooooo much time and headache. I never even realized how much time was spent typing .example.com 86 times a day Commented Jul 24, 2018 at 16:18
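The behaviour the answer and comments describe (speculative lookup of name.example.com, the CanonicalizeMaxDots limit, local fallback, and the first-match-wins Host blocks from the question) can be simulated to see which options ssh would end up with. This is an added, simplified model written for this page, not OpenSSH code; the resolvable names, the host list and the resolver are constructed, and the "skip canonicalization when a ProxyCommand is already set" exception of CanonicalizeHostname yes is not modelled.

```python
import fnmatch

# Constructed stand-in for DNS: the names that resolve in this example network.
RESOLVABLE = {
    "jump1.example.com",
    "internal.example.com",
    "internal.server.1.example.com",
    "github.com",
}

# The question's Host blocks, in file order (ssh keeps the first value set
# for each option, so earlier blocks win over later ones).
CONFIG = [
    ("jump1.example.com jump2.example.com jump3.example.com",
     {"ForwardAgent": "yes", "ProxyCommand": "none"}),
    ("*.example.com",
     {"PubkeyAuthentication": "yes", "User": "sbarnett",
      "IdentityFile": "~/.ssh/id_rsa", "IdentitiesOnly": "yes",
      "ProxyCommand": "ssh -q -W %h:%p jump1.example.com"}),
]

def canonicalize(name, domains=("example.com",), max_dots=1,
                 fallback_local=True, resolves=lambda h: h in RESOLVABLE):
    """Model CanonicalizeHostname yes: a name with at most max_dots dots is
    tried as name.<domain> for each CanonicalDomains entry in order and the
    first that resolves wins. Otherwise CanonicalizeFallbackLocal (default
    yes) keeps the name exactly as typed."""
    if name.count(".") > max_dots:
        return name  # too many dots: ssh does not attempt canonicalization
    for domain in domains:
        candidate = f"{name}.{domain}"
        if resolves(candidate):
            return candidate
    if fallback_local:
        return name
    raise LookupError(f"could not canonicalize {name}")

def effective_options(hostname):
    """Collect options from every Host block whose pattern matches the
    canonical name, honouring ssh's first-value-wins rule."""
    opts = {}
    for patterns, values in CONFIG:
        if any(fnmatch.fnmatchcase(hostname, p) for p in patterns.split()):
            for key, value in values.items():
                opts.setdefault(key, value)
    return opts

def plan(name, max_dots=1):
    """Canonical name plus the options ssh would apply after re-reading."""
    canonical = canonicalize(name, max_dots=max_dots)
    return canonical, effective_options(canonical)
```

plan("internal.server.1") with the default max_dots=1 leaves the name untouched, which is the "Could not resolve hostname" case from the comments; max_dots=3 fixes it.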
