> Say I had:
>
> Host foo
> Hostname 192.168.2.2 192.168.2.3
>
> Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the
> rest of the time?

I find the man page unambiguous: HostName specifies the singular real host name to log into. Alternatively, a singular IP address is permitted.

I can see how "Numeric IP addresses are also permitted" could be construed as meaning multiple addresses on the one line, but that's an incorrect reading. It really means, IP addresses can be used in HostName entries.

All of this fails to help the original question, which is how to specify multiple IP addresses. The obvious answer to that is to put multiple A records into your local DNS. If you don't have a local DNS or have no control over it, specify multiple Hosts in your config, one for each IP address.
David Newall wrote:
> All of this fails to help the original question, which is how to specify
> multiple IP addresses. The obvious answer to that is to put multiple A
> records into your local DNS. If you don't have a local DNS or have no
> control over it, specify multiple Hosts in your config, one for each IP
> address.

Just some brainstorming here...

It should always be possible to populate the local /etc/hosts file as an override to DNS with a local unique name, and then use that local name in the config file.

Example /etc/hosts:

    93.184.216.34 foo.example.com foo
    2606:2800:220:1:248:1893:25c8:1946 foo.example.com foo

Example ssh config:

    Host shortname realname.example.com
        HostKeyAlias realname.example.com
        Hostname foo

Use like:

    ssh shortname
    ssh realname.example.com

I tested this just now and on a host with IPv6 connectivity it used the IPv6 address. The same configuration on a host with only IPv4 connectivity used the IPv4 address.

It's perhaps not the simplest of configurations but it did seem to fit the criteria: a way to get both an IPv4 and an IPv6 address available to Hostname, by stitching it through the /etc/hosts file.

WDYT?

Bob
> I find the man page unambiguous: HostName specifies the singular real
> host name to log into. Alternatively, a singular IP address is
> permitted.
>
> I can see how "Numeric IP addresses are also permitted" could be
> construed as meaning multiple addresses on the one line, but, that's
> an incorrect reading. It really means, IP addresses can be used in
> HostName entries.
>
> All of this fails to help the original question, which is how to
> specify multiple IP addresses. The obvious answer to that is to put
> multiple A records into your local DNS. If you don't have a local DNS
> or have no control over it, specify multiple Hosts in your config, one
> for each IP address.

Oh, I 100% agree. I was more trying to work through what the intent in the OP could even be. It seemed to me that the proposal hadn't been carefully thought through. In hindsight, I guess the logic could be interpreted as "try each address assigned to the Hostname in order until one succeeds". But as you say, this would conventionally be handled just by having a separate Host per Hostname, eg

    Host foo.ipv4
        Hostname 192.168.0.1

    Host foo.ipv6
        Hostname fc00::1

I already don't like the way the client just goes through the possible private keys one at a time until the connection succeeds. IMO IdentitiesOnly should default to "yes" instead of "no". That is, I think there should be a principle of "minimise client guessing games". So, even if multiple entries makes sense for Hostname, I would still be inclined to disagree with any proposal to add this feature.
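A fuller form of the one-Host-per-address layout, added here as an example and not taken from any message in the thread: the two stanzas reach the same machine, so they share a HostKeyAlias (the mechanism Bob uses above) and therefore a single known_hosts entry, and IdentitiesOnly with an explicit IdentityFile stops the client from offering every key it has, the "minimise client guessing games" point. The addresses, the alias name and the key path are placeholders.

```sshconfig
# Added example, not from the thread. Addresses and key path are placeholders.
Host foo.ipv4
    Hostname 192.168.0.1

Host foo.ipv6
    Hostname fc00::1

# Settings common to both stanzas. ssh keeps the first value it sees for each
# option, so this block must come after the per-address Hostname lines or it
# would not override anything; here it only fills in options not yet set.
Host foo.ipv4 foo.ipv6
    HostKeyAlias foo
    IdentitiesOnly yes
    IdentityFile ~/.ssh/foo_ed25519
```

`ssh -G foo.ipv6` prints the effective values after Host matching and is the quickest way to confirm that the shared block was applied and that only the intended key will be offered.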
On Tue, 15 Dec 2020 at 10:39, David Newall <openssh at davidnewall.com> wrote:
> > Say I had:
> >
> > Host foo
> > Hostname 192.168.2.2 192.168.2.3
> >
> > Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the
> > rest of the time?
>

When DNS returns multiple entries, ssh will try to connect to each in the order that the system returns them. For each entry, it'll try to connect for ConnectTimeout seconds and if it doesn't work, it'll move onto the next. It'll use the first one that works.

I did a patch[0] a while back that would race nonblocking connections and use the first one that connects, but that would have a disadvantage of spamming logs with "connection closed" messages from the unused connections in the general case, and was easy enough to implement in a ProxyCommand for the cases that need it.

Maybe we could extend Host to accept (comma-separated?) lists, but then the question would be what would the behaviour be in the case when each entry is itself a hostname that might resolve to multiple addresses?

> I find the man page unambiguous: HostName specifies the singular real
> host name to log into. Alternatively, a singular IP address is permitted.
>
> I can see how "Numeric IP addresses are also permitted" could be
> construed as meaning multiple addresses on the one line, but, that's an
> incorrect reading. It really means, IP addresses can be used in
> HostName entries.
>
> All of this fails to help the original question, which is how to specify
> multiple IP addresses. The obvious answer to that is to put multiple A
> records into your local DNS. If you don't have a local DNS or have no
> control over it, specify multiple Hosts in your config, one for each IP
> address.
>

As someone else mentioned, you can put multiple entries into /etc/hosts, which will have the behaviour described above.
[0] https://marc.info/?l=openssh-unix-dev&m=148421494521398&w=2

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
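The two connection strategies Darren contrasts, written out as an added illustration that is not OpenSSH code and not the patch at [0]: `connect_in_order` walks the resolver's list and gives each address one timeout-bounded attempt (the ConnectTimeout behaviour he describes), while `connect_racing` starts every connect at once, keeps the first success and closes the rest, which is where the extra "connection closed" log entries come from. The fake connector, the sample addresses (documentation ranges) and their delays are constructed so the example runs offline; swap in `tcp_connect` to use real sockets.

```python
"""Added example (not OpenSSH code): sequential fallback vs. racing connects."""
import concurrent.futures
import socket
import time

PORT = 22


def tcp_connect(ip, port, timeout):
    """Real connector: one blocking TCP connect bounded by a per-attempt timeout."""
    return socket.create_connection((ip, port), timeout=timeout)


def connect_in_order(addresses, connect=tcp_connect, timeout=5.0):
    """Try each address in resolver order, allowing `timeout` seconds per attempt.
    Returns (winning ip, socket, list of (ip, outcome)); ip is None if all fail."""
    attempts = []
    for ip in addresses:
        try:
            sock = connect(ip, PORT, timeout)
        except OSError as exc:  # refused, unreachable, or timed out
            attempts.append((ip, "failed: %s" % exc))
            continue
        attempts.append((ip, "connected"))
        return ip, sock, attempts
    return None, None, attempts


def connect_racing(addresses, connect=tcp_connect, timeout=5.0):
    """Start every connect concurrently, keep the first success, close the rest.
    Returns ((ip, socket) or None, list of ips whose connections were discarded)."""
    winner, discarded = None, []
    with concurrent.futures.ThreadPoolExecutor(max_workers=max(1, len(addresses))) as pool:
        futures = {pool.submit(connect, ip, PORT, timeout): ip for ip in addresses}
        for fut in concurrent.futures.as_completed(futures):
            ip = futures[fut]
            try:
                sock = fut.result()
            except OSError:
                continue
            if winner is None:
                winner = (ip, sock)
            else:
                sock.close()  # the unused connection: a "connection closed" on the far side
                discarded.append(ip)
    return winner, discarded


class _FakeSocket:
    """Constructed stand-in for a connected socket."""

    def __init__(self, ip):
        self.ip, self.closed = ip, False

    def close(self):
        self.closed = True


def fake_connector(behaviour):
    """Constructed network: maps ip -> exception to raise, or seconds until connected."""

    def connect(ip, port, timeout):
        outcome = behaviour.get(ip, ConnectionRefusedError("no route to %s" % ip))
        if isinstance(outcome, Exception):
            raise outcome
        if outcome > timeout:
            time.sleep(timeout)
            raise socket.timeout("timed out after %.1fs" % timeout)
        time.sleep(outcome)
        return _FakeSocket(ip)

    return connect


# Constructed sample: resolver order is a refused v4, a slow v4, then a fast v6.
SAMPLE_ORDER = ["192.0.2.10", "198.51.100.10", "2001:db8::10"]
SAMPLE_NET = fake_connector({
    "192.0.2.10": ConnectionRefusedError("connection refused"),
    "198.51.100.10": 0.3,
    "2001:db8::10": 0.02,
})

if __name__ == "__main__":
    ip, _, attempts = connect_in_order(SAMPLE_ORDER, SAMPLE_NET, timeout=1.0)
    print("in order, ConnectTimeout 1.0s ->", ip, attempts)
    ip, _, attempts = connect_in_order(SAMPLE_ORDER, SAMPLE_NET, timeout=0.1)
    print("in order, ConnectTimeout 0.1s ->", ip, attempts)
    winner, discarded = connect_racing(SAMPLE_ORDER, SAMPLE_NET, timeout=1.0)
    print("racing ->", winner[0], "discarded:", discarded)
```

With a 1 s timeout the sequential walk settles on the slow IPv4 address because it is tried first and does answer in time; shrinking ConnectTimeout to 0.1 s makes it give up on that address and fall through to the IPv6 one. The racing variant picks the IPv6 address in both cases but also completes and then drops the IPv4 connection, which is the log noise that argued against merging the patch.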