ssh proxyJump doesn't look at /etc/hosts for fqdn

ssh proxyJump doesn't look at /etc/hosts for fqdn

Solene Rapenne

ssh(1) doesn't seem to resolve a ProxyJump hostname using /etc/hosts when the
hostname is a fqdn.


I can repeat it correctly with the following cases:

Using a hostname which is not a fqdn, /etc/hosts is correctly read

~/.ssh/config

Host perso.pw
        ProxyJump foobar

/etc/hosts contains
127.0.0.1 foobar

Using ssh perso.pw will proxyjump on 127.0.0.1 correctly.

If I use a fqdn in my proxyjump, /etc/hosts doesn't seem to be read

Host perso.pw
        ProxyJump google.fr

and /etc/hosts contains
127.0.0.1 google.fr

ssh will connect to google.fr's IP.


I use that case when I move to my workplace; I would like to uncomment an entry
in /etc/hosts to override the destination of all my proxyjumps.


Re: ssh proxyJump doesn't look at /etc/hosts for fqdn

Klemens Nanni-2
On Tue, Dec 04, 2018 at 10:19:55AM +0100, Solene Rapenne wrote:
>
> ssh(1) doesn't seem to resolve a ProxyJump hostname using /etc/hosts when the
> hostname is a fqdn.
No comment (yet) on whether this should be changed or not, but a general
advice below.
 
> I use that case when I move to my workplace, I would like to uncomment an entry
> in /etc/hosts to override the destination of all my proxyjump
Editing hosts(5) each time you move sounds flawed/tedious.

How about this:

        # ~/.ssh/config
        Match exec ~/.ssh/work/at_office.sh
                Include work/config

        # ~/.ssh/work/config
        Host google.fr
                Hostname 127.0.0.1

I used to use the following at_office.sh to set work related settings
based on the fact whether I could recognise a certain host by its TLS
certificate reachable only from the office LAN:

        nc -cdvzw2 hostname service 2>&1 |
                grep -qxF 'Cert Hash: SHA256:b93f...'

`Match exec' is quite powerful in terms of dynamic configuration.


Re: ssh proxyJump doesn't look at /etc/hosts for fqdn

Solene Rapenne
Klemens Nanni <[hidden email]> wrote:

> On Tue, Dec 04, 2018 at 10:19:55AM +0100, Solene Rapenne wrote:
> >
> > ssh(1) doesn't seem to resolve a ProxyJump hostname using /etc/hosts when the
> > hostname is a fqdn.
> No comment (yet) on whether this should be changed or not, but a general
> advice below.
>  
> > I use that case when I move to my workplace, I would like to uncomment an entry
> > in /etc/hosts to override the destination of all my proxyjump
> Editing hosts(5) each time you move sounds flawed/tedious.
>
> How about this:
>
>         # ~/.ssh/config
>         Match exec ~/.ssh/work/at_office.sh
>                 Include work/config
>
>         # ~/.ssh/work/config
>         Host google.fr
>                 Hostname 127.0.0.1
>
> I used to use the following at_office.sh to set work related settings
> based on the fact whether I could recognise a certain host by its TLS
> certificate reachable only from the office LAN:
>
>         nc -cdvzw2 hostname service 2>&1 |
>                 grep -qxF 'Cert Hash: SHA256:b93f...'
>
> `Match exec' is quite powerful in terms of dynamic configuration.

Indeed, thanks to this I found out about "exec" in order to "fix" my problem. I use
the command "ping -c 1 -w1 %h", which is very effective; this works because the domain
names can't be resolved from outside.
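
A fuller at_office.sh for the `Match exec' approach discussed in this thread, as an added example that is not part of any of the posts: it fails closed and only accepts a whole output line equal to the pinned certificate hash. It assumes OpenBSD nc(1) output in the form quoted in the thread; PROBE_HOST, PROBE_PORT and PIN are placeholders, and the function names are hypothetical.

```shell
#!/bin/sh
# at_office.sh (added example, not from the thread).
# ssh treats exit status 0 from `Match exec` as "condition true".
# Placeholders (assumptions): replace with a host reachable only from
# the office LAN and the certificate hash recorded for it.
PROBE_HOST='intranet.example'
PROBE_PORT='443'
PIN='SHA256:REPLACE_WITH_PINNED_CERT_HASH'

# pin_matches PIN
# Reads `nc -cv` output on stdin. Succeeds only if one complete line is
# exactly "Cert Hash: PIN". -x rejects prefixes and hashes that merely
# appear inside another field (for example the certificate Subject);
# -F keeps the pin from being interpreted as a regular expression.
pin_matches() {
	case $1 in
	SHA256:?*) ;;
	*) return 1 ;;	# empty or malformed pin: fail closed
	esac
	grep -qxF "Cert Hash: $1"
}

# probe: TLS handshake only (-z), no stdin (-d), 2 second timeout (-w2).
# nc prints the certificate details on stderr, hence 2>&1.
probe() {
	nc -cdvzw2 "$PROBE_HOST" "$PROBE_PORT" 2>&1
}

# at_office: true only when the probe host presents the pinned certificate.
# A failed connection produces no "Cert Hash" line, so the result is false.
at_office() {
	probe | pin_matches "$PIN"
}

# Run the check only when invoked as the script itself, so the functions
# can also be sourced and exercised without touching the network.
if [ "${0##*/}" = at_office.sh ]; then
	at_office
	exit $?
fi
```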