• Can "hostname" not be changed once set via ~/.ssh/config

    From hari.sundararajan@gmail.com@21:1/5 to All on Tue Oct 9 01:03:32 2018
    I have the following set up in my ~/.ssh/config


    match host devbox
    compression yes
    user hari
    port 22
    hostname 192.168.9.7

    match originalhost devbox exec "~/.ssh/check_if_outside_home.sh"
    hostname devbox.harisund.com


    The idea is this -
    1) Always connect to 192.168.8.15 (this will work if I am already at the home network)
    2) Connect instead to devbox.harisund.com, if I am not within the home LAN



    However, with verbose logging, I see this -


    1 OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
    2 debug1: Reading configuration data /home/hsundararaja/.ssh/config
    3 debug2: checking match for 'host devbox' host devbox originally devbox
    4 debug3: /home/hsundararaja/.ssh/config line 734: matched 'host "devbox"'
    5 debug2: match found
    6 debug2: checking match for 'originalhost devbox exec "~/.ssh/check_if_outside_home.sh"' host 192.168.9.7 originally devbox
    7 debug3: /home/hsundararaja/.ssh/config line 744: matched 'originalhost "devbox"'
    8 debug1: Executing command: '~/.ssh/check_if_outside_home.sh'
    9 debug1: permanently_drop_suid: 14741
    10 debug3: command returned status 0
    11 debug3: /home/hsundararaja/.ssh/config line 744: matched 'exec "~/.ssh/check_if_outside_home.sh"'
    12 debug2: match found
    13 debug1: /home/hsundararaja/.ssh/config line 839: Applying options for *
    14 debug1: Reading configuration data /etc/ssh/ssh_config
    15 debug1: /etc/ssh/ssh_config line 19: Applying options for *
    16 debug2: resolving "192.168.9.7" port 22
    17 debug2: ssh_connect_direct: needpriv 0
    18 debug1: Connecting to 192.168.9.7 [192.168.9.7] port 22.
    19 debug2: fd 3 setting O_NONBLOCK
    20 debug1: connect to address 192.168.9.7 port 22: Connection timed out
    21 ssh: connect to host 192.168.9.7 port 22: Connection timed out


    In line 4, it detects the first stanza in ~/.ssh/config. At this point, hostname gets changed to 192.168.9.7. All good so far.

    In line 7, it reaches the second stanza.
    In line 8, it checks if we are outside home, and it returns 0. As expected. Line 12 says it's a match, which means we should change our hostname to devbox.harisund.com
    However, in line 16, we see it is still using the local hostname as it was set.


    Why? Is this expected behavior?

    --- SoupGate-Win32 v1.05
    * Origin: fsxNet Usenet Gateway (21:1/5)
  • From hari.sundararajan@gmail.com@21:1/5 to All on Tue Oct 9 14:08:37 2018
    I have functional DNS at home, so I /always/ connect to the host name, wherever I am. Outside, away from home, the hostname resolves via
    global DNS to my home's external IP. Inside, the name resolves to the internal IP.

    That is fine, but the problem is I work from home. My laptop at home connects to my employer's VPN, and DNS is subsequently routed through my employer's VPN.

    I do have split DNS setup so devbox.harisund.com resolves differently when inside and outside my LAN. However, when on my employer's VPN, devbox.harisund.com resolves to _my external_ location, which is fine, but I want to use my _internal_ address.

    I've seen, much less used, the "match" directives like this.
    Odd, I saw a lot of stackoverflow/unix stackoverflow questions where match was shown to be used this way with the _exec_ parameter.

  • From Grant Taylor@21:1/5 to hari.sundararajan@gmail.com on Tue Oct 9 14:49:57 2018
    On 10/09/2018 02:03 AM, hari.sundararajan@gmail.com wrote:
    > I have the following set up in my ~/.ssh/config
    >
    > match host devbox
    > compression yes
    > user hari
    > port 22
    > hostname 192.168.9.7
    >
    > match originalhost devbox exec "~/.ssh/check_if_outside_home.sh"
    > hostname devbox.harisund.com
    >
    > I've seen, much less used, the "match" directives like this.
    >
    > The idea is this -
    > 1) Always connect to 192.168.8.15 (this will work if I am already at the home network)
    > 2) Connect instead to devbox.harisund.com, if I am not within the home LAN
    >
    > I have functional DNS at home, so I /always/ connect to the host name,
    > wherever I am. Outside, away from home, the hostname resolves via
    > global DNS to my home's external IP. Inside, the name resolves to the
    > internal IP.



    --
    Grant. . . .
    unix || die

  • From hari.sundararajan@gmail.com@21:1/5 to All on Tue Oct 9 15:42:22 2018
    > The logic behind this is to set defaults for the host (what you're
    > telling ssh to connect to) and then to re-set the hostname (the IP / DNS
    > name the ssh client connects to) if nc is unable to establish a connection.

    That doesn't work. Once the hostname is set, SSH doesn't allow for a reset of the hostname.

  • From Grant Taylor@21:1/5 to hari.sundararajan@gmail.com on Tue Oct 9 16:36:56 2018
    On 10/09/2018 03:08 PM, hari.sundararajan@gmail.com wrote:
    > That is fine, but the problem is I work from home. My laptop at home
    > connects to my employer's VPN, and DNS is subsequently routed through
    > my employer's VPN.

    Ah. That complicates things.

    I've used a couple of different methods in the past, 1) (frequently) ProxyCommand (scripts) that manage the connection on the ssh client's
    behalf, 2) (rarely) match directive in the ssh client config.

    > I do have split DNS setup so devbox.harisund.com resolves differently
    > when inside and outside my LAN. However, when on my employer's VPN,
    > devbox.harisund.com resolves to _my external_ location, which is fine,
    > but I want to use my _internal_ address.

    In light of that, I'd put together something like the following.

    host devbox
    compression yes
    user hari
    port 22
    hostname 192.168.9.7

    host devbox
    match !exec "/usr/bin/nc -zw 3 %h %p 2> /dev/null"
    hostname devbox.harisund.com

    The logic behind this is to set defaults for the host (what you're
    telling ssh to connect to) and then to re-set the hostname (the IP / DNS
    name the ssh client connects to) if nc is unable to establish a connection.

    In other words, connect to 192.168.9.7 by default, and then connect to devbox.harisund.com.

    Note: This is a slight adaptation of what I was doing. I was using a ProxyCommand (with wrapper script) instead of redefining the HostName in
    the event that nc failed to connect.

    > Odd, I saw a lot of stackoverflow/unix stackoverflow questions where
    > match was shown to be used this way with the _exec_ parameter.

    I've most often used the match directive in the ssh server config and
    rarely in the ssh client config.

    I've also not seen match used with the "host" directive. But the ssh
    config files I've used have been significantly different and extremely
    complex for technical and / or political reasons.



    --
    Grant. . . .
    unix || die

  • From Grant Taylor@21:1/5 to hari.sundararajan@gmail.com on Tue Oct 9 17:03:31 2018
    On 10/09/2018 04:42 PM, hari.sundararajan@gmail.com wrote:
    > That doesn't work. Once the hostname is set, SSH doesn't allow for a
    > reset of the hostname.

    Then you're likely going to need to use the ProxyCommand wrapper script
    method I used.

    Host *.example.net
    PasswordAuthentication no
    #ProxyCommand ssh-wrapper-script %h %p
    StrictHostKeyChecking no
    UserKnownHostsFile /dev/null
    User root
    Host *.example.net
    # Use the following ProxyCommand if we can't connect directly.
    Match canonical !exec "/usr/bin/nc -zw 3 %h %p 2> /dev/null"
    ProxyCommand ssh-wrapper-script %h %p

    This is the config that I was using to do something quite similar to
    what I think you're wanting to do. - I tried to modify it on the fly
    to what (I think) you're doing in my last reply.



    --
    Grant. . . .
    unix || die

  • From Chris Green@21:1/5 to hari.sundararajan@gmail.com on Wed Oct 10 09:27:27 2018
    hari.sundararajan@gmail.com wrote:
    > I have the following set up in my ~/.ssh/config
    >
    > match host devbox
    > compression yes
    > user hari
    > port 22
    > hostname 192.168.9.7
    >
    > match originalhost devbox exec "~/.ssh/check_if_outside_home.sh"
    > hostname devbox.harisund.com
    >
    > The idea is this -
    > 1) Always connect to 192.168.8.15 (this will work if I am already at the home network)
    > 2) Connect instead to devbox.harisund.com, if I am not within the home LAN

    What I have in .ssh/config is the following:-

    #
    #
    # esprimo may be remote or local
    #
    Match host esprimo exec "hostNotLocal esprimo"
    ForwardX11 true
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22

    host esprimo
    ForwardX11 true

    When away from home "hostNotLocal esprimo" returns 'true' so the
    ProxyCommand is executed to connect, it could of course be just a
    simple 'ssh <your outside name>' for you, I have mine locked down so
    that I have to go via the intermediate host.

    At home "hostNotLocal esprimo" is false and it just connects direct.

    "hostNotLocal esprimo" is trivial:-

    ! ping -w 1 -c 1 $1 >>/dev/null 2>&1

    --
    Chris Green
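Chris's `ping` test and Grant's `nc -zw 3 %h %p` probe both answer "am I at home?" by trying to reach the box by name, so the answer depends on DNS giving the right address, which is exactly what breaks behind the employer VPN. The script below is an added example, not code from this thread: it makes the same decision from the laptop's own interface addresses, so name resolution never enters into it. The home subnet 192.168.9.0/24 (inferred from the 192.168.9.7 address above), the `check` argument and all function names are my assumptions.

```shell
#!/bin/sh
# check_if_outside_home.sh -- added example, not the script from the thread.
# Decides "am I on the home LAN?" from the laptop's own interface addresses
# rather than from DNS. Exit status 0 means "outside home", so it plugs into
#   Match originalhost devbox exec "~/.ssh/check_if_outside_home.sh check"
# HOME_LAN is an assumption derived from the 192.168.9.7 address in the thread.
HOME_LAN="${HOME_LAN:-192.168.9.0/24}"

# ip_to_int A.B.C.D : print the address as a decimal integer; fail on junk
ip_to_int() {
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case $octet in ''|*[!0-9]*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( $1 * 16777216 + $2 * 65536 + $3 * 256 + $4 ))
}

# in_subnet A.B.C.D NET/PREFIX : exit 0 when the address lies inside the block
in_subnet() {
    addr=$(ip_to_int "$1") || return 2
    net=$(ip_to_int "${2%/*}") || return 2
    bits=${2#*/}
    case $bits in ''|*[!0-9]*) return 2 ;; esac   # no "/N" or a non-numeric one
    [ "$bits" -le 32 ] || return 2
    [ "$bits" -eq 0 ] && return 0                  # /0 contains everything
    mask=$(( (4294967295 >> (32 - bits)) << (32 - bits) ))
    [ $(( addr & mask )) -eq $(( net & mask )) ]
}

# outside_home ADDR... : exit 0 when none of the given local addresses is on
# HOME_LAN. No addresses at all also counts as "outside": if we cannot tell,
# fall back to the public DNS name rather than a LAN address that may time out.
outside_home() {
    for a in "$@"; do
        if in_subnet "$a" "$HOME_LAN"; then
            return 1
        fi
    done
    return 0
}

# local_addrs : this host's IPv4 addresses (Linux iproute2 assumed)
local_addrs() {
    ip -o -4 addr show 2>/dev/null | awk '{ print $4 }' | sed 's#/.*##'
}

# Act as the Match exec hook only when invoked with "check", so the file can
# also be sourced for its functions without side effects.
case "${1:-}" in
    check)
        # word-splitting the address list into separate arguments is intended
        if outside_home $(local_addrs); then exit 0; else exit 1; fi
        ;;
esac
```

Install it as ~/.ssh/check_if_outside_home.sh with mode 700. Because `Match exec` runs this on every ssh invocation, keep both the script and ~/.ssh/config writable by you alone (ssh already refuses a group- or world-writable config file). Place the exec stanza before the stanza that sets HostName 192.168.9.7, since the first value obtained for a keyword is the one used, and confirm which name wins without connecting: `ssh -G devbox | grep '^hostname'`.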
  • From Marc Haber@21:1/5 to Grant Taylor on Wed Oct 10 12:08:35 2018
    Grant Taylor <gtaylor@tnetconsulting.net> wrote:
    >> I have functional DNS at home, so I /always/ connect to the host name,
    >> wherever I am. Outside, away from home, the hostname resolves via
    >> global DNS to my home's external IP. Inside, the name resolves to the
    >> internal IP.

    Split DNS is nearly never part of the solution, it's usually part of
    the problem.

    Regards
    Marc
    --
    -------------------------------------- !! No courtesy copies, please !! -----
    Marc Haber         |   " Questions are the         | Mailadresse im Header
    Mannheim, Germany  |     Beginning of Wisdom "     |
    Nordisch by Nature | Lt. Worf, TNG "Rightful Heir" | Fon: *49 621 72739834

  • From Grant Taylor@21:1/5 to Marc Haber on Wed Oct 10 08:48:05 2018
    On 10/10/2018 04:08 AM, Marc Haber wrote:
    > Split DNS is nearly never part of the solution, it's usually part of
    > the problem.

    Improperly implemented split DNS…

    Sure, I'll agree about improper implementations.



    --
    Grant. . . .
    unix || die

  • From hari.sundararajan@gmail.com@21:1/5 to All on Wed Oct 10 12:45:03 2018
    > Then you're likely going to need to use the ProxyCommand wrapper script method I used.

    Yes, a variant of that is what I ended up using.

    > I have mine locked down so that I have to go via the intermediate host.

    Yeah, more or less the same situation here. I go through my intermediate host when "outside", so I have a similar setup.

    > Split DNS is nearly never part of the solution, it's usually part of
    > the problem.

    No. Why do people post such messages anyway? Just because split DNS doesn't work for you or you haven't configured it properly, it doesn't imply it is never part of the solution.

    For what it is worth, I posted the same question here https://unix.stackexchange.com/questions/474168/changing-hostname-more-than-once-via-ssh-config/474192#474192 and the answer there explains what I was looking for.

  • From Grant Taylor@21:1/5 to hari.sundararajan@gmail.com on Wed Oct 10 15:51:40 2018
    On 10/10/2018 01:45 PM, hari.sundararajan@gmail.com wrote:
    > Yeah, more or less the same situation here. I go through my intermediate
    > host when "outside", so I have a similar setup.

    *nod*

    It's nice when ssh can just take care of that so that I don't have to
    think about it.

    > No. Why do people post such messages anyway?

    ¯\_(ツ)_/¯

    > Just because split DNS doesn't work for you or you haven't configured
    > it properly, it doesn't imply it is never part of the solution.

    Agreed.

    > For what it is worth, I posted the same question here https://unix.stackexchange.com/questions/474168/changing-hostname-more-than-once-via-ssh-config/474192#474192
    > and the answer there explains what I was looking for.

    *nod*

    I do have a problem with part of the answer provided there.

    """
    For each parameter, the first obtained value will be used.

    Since the first obtained value for each parameter is used, more
    host-specific declarations should be given near the beginning of the
    file, and general defaults at the end.
    """

    I just had an example where ControlPersist /was/ being overwritten by a subsequent less specific host match. I.e. specific (including canonicalization) set ControlPersist to 3600. However a subsequent
    "Host *" was re-setting ControlPersist to 300. :-/ So this doesn't
    look to /always/ be accurate.



    --
    Grant. . . .
    unix || die

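The rule Grant quotes from the Stack Exchange answer, "for each parameter, the first obtained value will be used", is what the verbose log at the top of the thread shows in action, and `ssh -G` is the direct way to see which value wins in a given file (including for surprises like the ControlPersist case Grant describes) without making a connection. The script below is an added example, not from the thread or the OpenSSH project: it writes the original stanza order and a corrected order to temporary config files and reads back the effective HostName with `ssh -G -F`. `exec true` stands in for check_if_outside_home.sh so the conditional stanza always matches, as if the laptop were outside home; the function name and the `show` argument are my assumptions, and an OpenSSH client with `-G` (6.8 or later) is required.

```shell
#!/bin/sh
# Added example, not from the thread: demonstrate "first obtained value wins"
# with `ssh -G`, which prints the effective client configuration for a host
# without connecting. Both config texts are constructed here.

# Ordering from the original post: HostName 192.168.9.7 is obtained first, so
# the later stanza cannot replace it, exactly as the thread's verbose log shows.
ORIGINAL_ORDER='Match host devbox
  Compression yes
  User hari
  Port 22
  HostName 192.168.9.7

Match originalhost devbox exec true
  HostName devbox.harisund.com
'

# Corrected ordering: the conditional stanza comes first. The defaults use a
# Host block, which matches the name typed on the command line, because once
# HostName has become devbox.harisund.com a later "Match host devbox" would no
# longer match (Match host tests the current HostName, as the log shows).
CORRECTED_ORDER='Match originalhost devbox exec true
  HostName devbox.harisund.com

Host devbox
  Compression yes
  User hari
  Port 22
  HostName 192.168.9.7
'

# effective_value CONFIG_TEXT KEYWORD : print the value `ssh -G` reports for
# devbox. Keywords appear lowercased in -G output ("hostname", "user", "port").
effective_value() {
    dir=$(mktemp -d) || return 2
    printf '%s' "$1" > "$dir/config"
    chmod 600 "$dir/config"      # ssh refuses a group/world-writable config
    ssh -G -F "$dir/config" devbox 2>/dev/null |
        awk -v key="$2" '$1 == key { print $2; exit }'
    rm -rf "$dir"
}

# When run directly with "show", print both results side by side.
if [ "${1:-}" = "show" ]; then
    echo "original order : hostname=$(effective_value "$ORIGINAL_ORDER" hostname)"
    echo "corrected order: hostname=$(effective_value "$CORRECTED_ORDER" hostname)"
fi
```

Run it with `sh first-wins.sh show`; the original order reports 192.168.9.7 even though the exec stanza matched, and the corrected order reports devbox.harisund.com while still picking up User, Port and Compression from the Host block. The same `ssh -G -F` check works on your real ~/.ssh/config (drop `-F`), which is the quickest way to see whether a later `Host *` really is overriding an earlier, more specific setting.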