
My company has three separate jump hosts. Something like: jump1.example.com, jump2.example.com, and jump3.example.com.

All internal servers must be accessed through these jump hosts:

local ---> jump1.example.com ---> internal.example.com

We have lots of internal servers, so to simplify I created a config file like so:

.ssh/config:

Host jump1.example.com jump2.example.com jump3.example.com
    ForwardAgent yes
    ProxyCommand none

Host *.example.com
    PubkeyAuthentication yes
    User sbarnett
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyCommand ssh -q -W %h:%p jump1.example.com

Note that my public key is located on every one of these machines, so this setup works perfectly. I can type ssh internal.example.com and it will properly proxy through jump1.example.com and connect with my private key.

Here's what I want to do, though: instead of typing jump1.example.com or internal.example.com, I'd like to just type ssh jump1 or ssh internal.

I know that this can be configured per host like so:

Host internal
    HostName internal.example.com
    PubkeyAuthentication yes
    User sbarnett
    IdentityFile ~/.ssh/id_rsa
    IdentitiesOnly yes
    ProxyCommand ssh -q -W %h:%p jump1.example.com

However if I try the much simpler:

Host internal
    HostName internal.example.com

Then my generic config options (under *.example.com) are not loaded when I try to use ssh internal -- so it doesn't use the proxy and doesn't use the identity file, preventing me from connecting.

Is there a way to say "if the host name is *.example.com (not necessarily the host) then apply these settings"?

Bonus points for a way to redirect * to *.example.com if and only if * does not exist (e.g. when connecting to git@github.com I don't want it to redirect to git@github.com.example.com).

stevendesu

1 Answer

The option you're looking for is CanonicalizeHostname.

If you add these to the top of your .ssh/config, ssh internal will try to DNS-resolve your entry speculatively as internal.example.com, and if successful, it will process it matching Host *.example.com. The CanonicalDomains line can have multiple entries that are tried in order.

CanonicalDomains example.com
CanonicalizeHostname yes
Andrew Domaszek
  • So this seemed to half-work, with two weird quirks. First, after canonicalizing a host, it seemed to ignore some of my settings. I tried `ssh jump1` and it connected, but asked for a password (even though `ssh jump1.example.com` uses my private key). Second, it only seemed to canonicalize hosts without dots in them. I tried `ssh internal.server.1` and instead of connecting to `internal.server.1.example.com` it just failed, saying "Could not resolve hostname" – stevendesu Jul 18 '18 at 19:45
  • Doing some googling I found out I can fix the second issue with `CanonicalizeMaxDots X` (I used X = 3). Although it's still not using my private key to connect when I use the canonical domain – stevendesu Jul 18 '18 at 19:52
  • Might try with CanonicalizeHostname set to `always`. – Andrew Domaszek Jul 18 '18 at 20:00
  • 1
    Actually, you can ignore the other issue I had. I just discovered a stray `Host *\nPubkeyAuthentication no` in my ssh config (which was being overridden by `Host *.example.com\nPubkeyAuthentication yes` above). Ripped that out and it's now properly using my private key. – stevendesu Jul 18 '18 at 20:01
  • Wishing I could give a +2 to an answer. In just the last week this trick has saved me ***soooooooo*** much time and headache. I never even realized how much time was spent typing `.example.com` 86 times a day – stevendesu Jul 24 '18 at 16:18
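The answer and the comment thread together describe three behaviours of ssh_config worth checking before trusting a canonicalization setup: the first value obtained for a keyword wins, CanonicalizeHostname re-parses the file with the new name (so a stray `Host *` from the first pass still sticks), and CanonicalizeMaxDots gates which names are tried. The following added model (not OpenSSH code, not from the poster) reproduces those rules offline; CONFIG and RESOLVABLE are constructed, and RESOLVABLE stands in for DNS.

```python
"""Model of how OpenSSH evaluates ssh_config for one connection: Host globbing,
first-obtained-value-wins, and the re-parse CanonicalizeHostname triggers.
DNS is replaced by the constructed RESOLVABLE set, so this runs offline."""
from fnmatch import fnmatchcase

# Constructed config, in file order, as (Host patterns, options) blocks.
CONFIG = [
    (["jump1.example.com", "jump2.example.com", "jump3.example.com"],
     {"ForwardAgent": "yes", "ProxyCommand": "none"}),
    (["*.example.com"],
     {"PubkeyAuthentication": "yes", "IdentityFile": "~/.ssh/id_rsa",
      "ProxyCommand": "ssh -q -W %h:%p jump1.example.com"}),
]
RESOLVABLE = {"jump1.example.com", "internal.example.com",
              "internal.server.1.example.com", "github.com"}

def host_matches(patterns, host):
    # Host keyword semantics: '*' and '?' globs; a '!' pattern vetoes the block.
    matched = False
    for pat in patterns:
        if fnmatchcase(host.lower(), pat.lstrip("!").lower()):
            if pat.startswith("!"):
                return False
            matched = True
    return matched

def parse_pass(config, host, opts):
    # One pass over the file: each keyword keeps the first value it obtained.
    for patterns, block in config:
        if host_matches(patterns, host):
            for key, val in block.items():
                opts.setdefault(key, val)
    return opts

def canonicalize(host, domains, max_dots):
    # Try host.<domain> per CanonicalDomains entry unless the name has more
    # dots than CanonicalizeMaxDots; otherwise fall back to the literal name.
    if host.count(".") <= max_dots:
        for dom in domains:
            if f"{host}.{dom}" in RESOLVABLE:
                return f"{host}.{dom}"
    return host

def resolve(host_arg, config=CONFIG, mode="no", domains=("example.com",), max_dots=1):
    """Return (target hostname, effective options) for `ssh host_arg`. mode is
    CanonicalizeHostname: 'yes' skips hosts that already obtained a ProxyCommand
    in the first pass, 'always' canonicalizes regardless."""
    opts = parse_pass(config, host_arg, {})
    host = opts.pop("HostName", host_arg)
    if mode == "no" or (mode == "yes" and opts.get("ProxyCommand", "none") != "none"):
        return host, opts
    host = canonicalize(host, domains, max_dots)
    return host, parse_pass(config, host, opts)  # new stanzas may match now
```

On a real system the same check is `ssh -G internal`, which prints the effective options after canonicalization without connecting.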