Hey folks,

As most of everyone, I use OpenSSH for almost everything and whenever I can: backups, sync, Git, configuration management, and of course console sessions. So much for an intro ;)

My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.

I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally. Unfortunately, DNS "search" in /etc/resolv.conf and CanonicalizeHostname in ssh_config both don't work since they only iterate the network DNS zones until a record is found, and my laptop has an entry in all three zones.

Short of creating a single DNS entry and adding all possible IPs for my laptop, I am wondering if there's a way to configure OpenSSH (or Linux) to try multiple DNS names until a connection can be made. For extra bonus special points, this should obviously happen all at once to reduce wait times.

Assuming that this isn't currently possible (I did search and investigate), would this be a worthwhile feature to look into?

Thanks,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

for years, we have thought that a million monkeys typing at a million typewriters would eventually produce the complete works of shakespeare. today, thanks to the internet, we know this is not true.

spamtraps: madduck.bogus at madduck.net
On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft <madduck at madduck.net> wrote:
> Hey folks,
>
> As most of everyone, I use OpenSSH for almost everything and whenever I can: backups, sync, Git, configuration management, and of course console sessions. So much for an intro ;)
>
> My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally. Unfortunately, DNS "search" in /etc/resolv.conf and CanonicalizeHostname in ssh_config both don't work since they only iterate the network DNS zones until a record is found, and my laptop has an entry in all three zones.

The problem, I think, isn't that you have an entry in all three. It's that you have a *shortened* hostname that is identical in all 3 DNS domains. If your DNS admins have gracefully set the local environments to each be on their own subdomain, and that subdomain is *first* in DHCP configured DNS, you should be golden.

    laptop.internal.domain.com     # when inside the building, internaldomain.domain.com is first, then domain.com
    laptop.vpn.domain.com          # when VPN connected, vpn.domain.com is first, then domain.com
    laptop.machineroom.domain.com

It's extra work in DNS and security policies to do this, especially if you're using dynamic DNS through AD. If instead, your admins have set up all these environments to share "domain.com", well, then you start getting into DNS "views" for a small domain called "laptop.domain.com" and different DNS "views" in each environment. Then you need quite short DNS TTLs, and various other requirements to avoid servers in the same domain having their DNS expire.

Good luck with that: I deal with that kind of integration challenge a *lot*.

> Short of creating a single DNS entry and adding all possible IPs for my laptop, I am wondering if there's a way to configure OpenSSH (or Linux) to try multiple DNS names until a connection can be made. For extra bonus special points, this should obviously happen all at once to reduce wait times.

I've seen nothing, but had to deal with peculiar setups when people start trying to "simplify" their DNS into one master zone and not realizing the consequences of multiple A records. Don't get me *started* on people who use multiple CNAMEs for the same primary hostname, pointing to multiple other A records or CNAMEs!!! And do *not* get me going on how people think that having multiple A records will automatically load balance their traffic.

You might personally consider a wrapper, to process "nslookup" or other DNS for your particular setup. But personally, I'd review the concept of having identical hostnames in all environments. It can be very helpful to deal with FQDNs and segregate your laptop's name in the internal environment from its name in the external or other environments.

> Assuming that this isn't currently possible (I did search and investigate), would this be a worthwhile feature to look into?
>
> Thanks,
>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/

It sounds intriguing. The basic C library functions are
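The "wrapper" idea above, worked through as an added example for this page (it is not code from the thread, and not the ProxyCommand Martin mentions later). It races the same short name across several domains at once, exactly the "all at once" behaviour the original question asks for, and hands the first TCP connection that completes back to ssh. The script name `ssh-race.py`, the domains `internal.example.net`, `vpn.example.net` and `lab.example.net`, and the `Host laptop` stanza are assumptions for illustration:

```python
#!/usr/bin/env python3
"""ssh ProxyCommand: try one short hostname in several DNS domains in
parallel and relay the session to the first candidate that accepts TCP.
Assumed ssh_config usage (names are illustrative, not from the thread):
    Host laptop
        ProxyCommand ~/bin/ssh-race.py %h %p internal.example.net vpn.example.net lab.example.net
"""
import os
import queue
import select
import socket
import sys
import threading


def candidates(short_name, domains, port):
    """Expand 'laptop' into [('laptop.internal.example.net', 22), ...]."""
    return [(f"{short_name}.{d.strip('.')}", port) for d in domains]


def first_reachable(targets, timeout=3.0):
    """Connect to every (host, port) at the same time; return (host, port,
    socket) for the first completed handshake, or None if nobody answers
    within `timeout`. Late connections are closed by their own thread."""
    results, lock, winner = queue.Queue(), threading.Lock(), []

    def attempt(host, port):
        try:
            s = socket.create_connection((host, port), timeout=timeout)
        except OSError:            # NXDOMAIN, refused, unreachable, timeout
            results.put(None)
            return
        with lock:
            if winner:             # lost the race: drop the extra connection
                s.close()
                results.put(None)
            else:
                winner.append((host, port, s))
                results.put(winner[0])

    for host, port in targets:
        threading.Thread(target=attempt, args=(host, port), daemon=True).start()
    for _ in targets:              # exactly one result per candidate
        hit = results.get()
        if hit is not None:
            hit[2].settimeout(None)
            return hit
    return None


def _write_all(fd, data):
    view = memoryview(data)
    while view:                    # os.write on a pipe may be partial
        view = view[os.write(fd, view):]


def relay(sock, stdin_fd=0, stdout_fd=1):
    """Shuttle bytes between ssh (our stdin/stdout) and the chosen host.
    EOF on stdin becomes a half-close; EOF from the host ends the relay."""
    stdin_open = True
    while True:
        ready, _, _ = select.select([sock] + ([stdin_fd] if stdin_open else []), [], [])
        if sock in ready:
            data = sock.recv(65536)
            if not data:
                return
            _write_all(stdout_fd, data)
        if stdin_open and stdin_fd in ready:
            data = os.read(stdin_fd, 65536)
            if data:
                sock.sendall(data)
            else:
                stdin_open = False
                sock.shutdown(socket.SHUT_WR)


def demo_race_on_localhost():
    """Constructed offline demo: one candidate is a closed port on 127.0.0.1
    (connection refused), the other a live listener. Returns
    (chosen_port, live_port, dead_port)."""
    live = socket.socket()
    live.bind(("127.0.0.1", 0))
    live.listen(1)
    live_port = live.getsockname()[1]
    dead = socket.socket()
    dead.bind(("127.0.0.1", 0))
    dead_port = dead.getsockname()[1]
    dead.close()                   # nothing listens on dead_port any more
    threading.Thread(target=lambda: live.accept()[0].close(), daemon=True).start()
    hit = first_reachable([("127.0.0.1", dead_port), ("127.0.0.1", live_port)], timeout=2.0)
    if hit is not None:
        hit[2].close()
    live.close()
    return (hit[1] if hit else None, live_port, dead_port)


def main(argv):
    if len(argv) < 4:
        sys.stderr.write("usage: ssh-race.py HOST PORT DOMAIN [DOMAIN ...]\n")
        return 2
    short_name, port, domains = argv[1], int(argv[2]), argv[3:]
    hit = first_reachable(candidates(short_name, domains, port))
    if hit is None:
        sys.stderr.write(f"{short_name}: no candidate in {domains} accepted TCP {port}\n")
        return 1
    sys.stderr.write(f"ssh-race: using {hit[0]}:{hit[1]}\n")
    relay(hit[2])
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Two things worth knowing before relying on this. First, a ProxyCommand only carries bytes: host-key verification still happens inside the SSH protocol against the name you typed (`laptop`), so a stale or poisoned DNS answer that lands you on a different machine is caught by a known_hosts mismatch, not silently accepted. Second, ssh skips its CheckHostIP comparison when a ProxyCommand is in use, so the host key is the only thing authenticating the far end; keep StrictHostKeyChecking on for such hosts.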
Generally the way people manage mobility like this is to have a client on the mobile device that updates the DNS entry, which otherwise has a small TTL. The laptop is in the position to have on-wakeup events, to interrogate its environment, and to make the required changes. There's any number of ways to implement this, from Dynamic DNS to scripted ssh into a name server to some funky "if this then that" Node thing.

On Monday, December 22, 2014, martin f krafft <madduck at madduck.net> wrote:
> Hey folks,
>
> As most of everyone, I use OpenSSH for almost everything and whenever I can: backups, sync, Git, configuration management, and of course console sessions. So much for an intro ;)
>
> My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally. Unfortunately, DNS "search" in /etc/resolv.conf and CanonicalizeHostname in ssh_config both don't work since they only iterate the network DNS zones until a record is found, and my laptop has an entry in all three zones.
>
> Short of creating a single DNS entry and adding all possible IPs for my laptop, I am wondering if there's a way to configure OpenSSH (or Linux) to try multiple DNS names until a connection can be made. For extra bonus special points, this should obviously happen all at once to reduce wait times.
>
> Assuming that this isn't currently possible (I did search and investigate), would this be a worthwhile feature to look into?
>
> Thanks,
>
> --
> @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> for years, we have thought that a million monkeys typing at a million typewriters would eventually produce the complete works of shakespeare. today, thanks to the internet, we know this is not true.
>
> spamtraps: madduck.bogus at madduck.net
also sprach Dan Kaminsky <dan at doxpara.com> [2014-12-22 14:47 +0100]:
> Generally the way people manage mobility like this is to have a client on the mobile device that updates the DNS entry, which otherwise has a small TTL.

You're probably right, this seems like the clean approach, except of course we don't offer dynamic DNS (yet) and we also don't have a classic master-slave architecture, but multiple masters (nsd4) all with the same configuration managed in Git...

Thanks,

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"... but all propositions of logic say the same thing. namely, nothing." -- wittgenstein

spamtraps: madduck.bogus at madduck.net
also sprach Nico Kadel-Garcia <nkadel at gmail.com> [2014-12-22 14:43 +0100]:
> The problem, I think, isn't that you have an entry in all three. It's that you have a *shortened* hostname that is identical in all 3 DNS domains. If your DNS admins have gracefully set the local environments to each be on their own subdomain, and that subdomain is *first* in DHCP configured DNS, you should be golden.

No, because the problem is that the short name always resolves to the IP the machine would have in the local network, and hence this is the IP that OpenSSH tries. However, if the machine is not in the local network, then I'd like OpenSSH to ask for the same hostname in the next CanonicalDomain and try it there.

Does this make sense?

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

"politicians and diapers should be changed often, and for the same reason." -- mark twain

spamtraps: madduck.bogus at madduck.net
That's a good point. DHCP allows you to set DNS search parameters. So as long as each location sets different search, "ssh fishbowl" will in fact resolve to the proper local FQDN.

On Monday, December 22, 2014, Nico Kadel-Garcia <nkadel at gmail.com> wrote:
> On Mon, Dec 22, 2014 at 4:26 AM, martin f krafft <madduck at madduck.net> wrote:
> > Hey folks,
> >
> > As most of everyone, I use OpenSSH for almost everything and whenever I can: backups, sync, Git, configuration management, and of course console sessions. So much for an intro ;)
> >
> > My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.
> >
> > I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally. Unfortunately, DNS "search" in /etc/resolv.conf and CanonicalizeHostname in ssh_config both don't work since they only iterate the network DNS zones until a record is found, and my laptop has an entry in all three zones.
>
> The problem, I think, isn't that you have an entry in all three. It's that you have a *shortened* hostname that is identical in all 3 DNS domains. If your DNS admins have gracefully set the local environments to each be on their own subdomain, and that subdomain is *first* in DHCP configured DNS, you should be golden.
>
>     laptop.internal.domain.com     # when inside the building, internaldomain.domain.com is first, then domain.com
>     laptop.vpn.domain.com          # when VPN connected, vpn.domain.com is first, then domain.com
>     laptop.machineroom.domain.com
>
> It's extra work in DNS and security policies to do this, especially if you're using dynamic DNS through AD. If instead, your admins have set up all these environments to share "domain.com", well, then you start getting into DNS "views" for a small domain called "laptop.domain.com" and different DNS "views" in each environment. Then you need quite short DNS TTLs, and various other requirements to avoid servers in the same domain having their DNS expire.
>
> Good luck with that: I deal with that kind of integration challenge a *lot*.
>
> > Short of creating a single DNS entry and adding all possible IPs for my laptop, I am wondering if there's a way to configure OpenSSH (or Linux) to try multiple DNS names until a connection can be made. For extra bonus special points, this should obviously happen all at once to reduce wait times.
>
> I've seen nothing, but had to deal with peculiar setups when people start trying to "simplify" their DNS into one master zone and not realizing the consequences of multiple A records. Don't get me *started* on people who use multiple CNAMEs for the same primary hostname, pointing to multiple other A records or CNAMEs!!! And do *not* get me going on how people think that having multiple A records will automatically load balance their traffic.
>
> You might personally consider a wrapper, to process "nslookup" or other DNS for your particular setup. But personally, I'd review the concept of having identical hostnames in all environments. It can be very helpful to deal with FQDNs and segregate your laptop's name in the internal environment from its name in the external or other environments.
>
> > Assuming that this isn't currently possible (I did search and investigate), would this be a worthwhile feature to look into?
> >
> > Thanks,
> >
> > --
> > @martinkrafft | http://madduck.net/ | http://two.sentenc.es/
>
> It sounds intriguing. The basic C library functions are
> _______________________________________________
> openssh-unix-dev mailing list
> openssh-unix-dev at mindrot.org
> https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
martin f krafft wrote:
> My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.
>
> I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally.

I am sure you have already thought of this and didn't prefer it but the way I handle this is by using OpenVPN. My mobile laptop always "calls back home" with OpenVPN. I always access the laptop using the VPN address no matter where it is located.

When I ssh it means that the connection is encrypted both by OpenVPN and by SSH. But it is always over WiFi so the performance bottleneck is the WiFi and the double encryption is insignificant then.

Having a stable VPN address for the mobile laptop no matter where it exists in the network is quite nice. Also this gives my laptop secure access to the private side of my network for all services not just ssh. The solution works well for me.

Good luck!
Bob
Hi,

On Thu, Dec 25, 2014 at 01:20:40AM -0700, Bob Proulx wrote:
> When I ssh it means that the connection is encrypted both by OpenVPN and by SSH. But it is always over WiFi so the performance bottleneck is the WiFi and the double encryption is insignificant then.

If all you ever do is SSH, and double encryption bothers you, you could run openvpn with "--cipher none" (and still get HMAC, FWIW). Which, of course, is strictly non-recommended for the general use case :-)

gert
-- 
USENET is *not* the non-clickable part of WWW!                      //www.muc.de/~gert/
Gert Doering - Munich, Germany                             gert at greenie.muc.de
fax: +49-89-35655025                        gert at net.informatik.tu-muenchen.de
also sprach Bob Proulx <bob at proulx.com> [2014-12-25 09:20 +0100]:
> I am sure you have already thought of this and didn't prefer it but the way I handle this is by using OpenVPN. My mobile laptop always "calls back home" with OpenVPN. I always access the laptop using the VPN address no matter where it is located.

If I were to do this, then while at the office, the laptop would "call home", meaning that transfer between my desktop and the laptop would not go directly over gigabit, but have to traverse ADSL twice on both ends, office -> home -> home -> office.

> Having a stable VPN address for the mobile laptop no matter where it exists in the network is quite nice. Also this gives my laptop secure access to the private side of my network for all services not just ssh. The solution works well for me.

My laptop can "call in" to the VPN any time, and if it does, then it'll be found. Cf. the ProxyCommand I just sent, subdomain rw.madduck.net.

Thanks everyone for their help and ideas, and Luca Filipozzi for the fping hint.

-- 
@martinkrafft | http://madduck.net/ | http://two.sentenc.es/

drink canada dry! you might not succeed, but it *is* fun trying.

spamtraps: madduck.bogus at madduck.net
On Thu, Dec 25, 2014 at 3:20 AM, Bob Proulx <bob at proulx.com> wrote:
> martin f krafft wrote:
> > My laptop and I roam between three networks, though sometimes I leave the laptop at the office overnight, or hop over to the third site for an hour or two.
> >
> > I'd like to find a way to configure OpenSSH (or Linux in general) to try the other networks if the machine cannot be found locally.
>
> I am sure you have already thought of this and didn't prefer it but the way I handle this is by using OpenVPN. My mobile laptop always "calls back home" with OpenVPN. I always access the laptop using the VPN address no matter where it is located.
>
> When I ssh it means that the connection is encrypted both by OpenVPN and by SSH. But it is always over WiFi so the performance bottleneck is the WiFi and the double encryption is insignificant then.
>
> Having a stable VPN address for the mobile laptop no matter where it exists in the network is quite nice. Also this gives my laptop secure access to the private side of my network for all services not just ssh. The solution works well for me.
>
> Good luck!
> Bob

Oh, for Pete's sake: just use the FQDN, including the "laptop.int.domain.com" when the laptop is inside the internal network, "laptop.ext.domain.com" when it's external, etc. Stop trying to use the unqualified hostname: extending with search domains to get and discover all the potential names and try them is really *not* how DNS was written. This is underlying DNS behavior in "gethostbyname" or "getaddrinfo" C library functions, not really SSH behavior.