ssh_config: Hostname with multiple IP addresses

[Harald Dunkel]

Hi folks,

ssh_config(5) explicitly allows numeric IP addresses (plural) on the
Hostname config line in .ssh/config, but it doesn't tell the syntax.
Neither

Hostname 10.0.0.1 2001:db8::1
nor
Hostname 10.0.0.1,2001:db8::1
nor
Hostname 2001:db8::1
Hostname 10.0.0.1

seem to work.

How is this supposed to be written? Would you mind to improve the man
page?


Thanx in advance
Harri
_______________________________________________
openssh-unix-dev mailing list
openssh-...@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

[Brian Candler]

On 11/12/2020 08:42, Harald Dunkel wrote:
> ssh_config(5) explicitly allows numeric IP addresses (plural) on the
> Hostname config line in .ssh/config,

Can you point to where it says that explicitly? I see in ssh_config(5):

     HostName
             Specifies the real host name to log into.

Note that "real host name" is in the singular.

It then does make use of the plural:

     This can be used to specify nicknames or abbreviations for hosts

but I read that as meaning that you can configure multiple hosts, each
with its own HostName, e.g.

Host foo
HostName 192.0.2.1

Host bar
HostName 192.0.2.2

Similarly:

     Arguments to HostName accept the tokens described in the TOKENS
section.  Numeric IP addresses are also permitted

To me this is talking about multiple HostName entries in the same
ssh_config file, each belonging to a different Host, rather than one
HostName allowing multiple IP addresses. However I guess it could be
read either way.

[Harald Dunkel]

On 12/11/20 10:28 AM, Brian Candler wrote:
> On 11/12/2020 08:42, Harald Dunkel wrote:
>> ssh_config(5) explicitly allows numeric IP addresses (plural) on the
>> Hostname config line in .ssh/config,
>
> Can you point to where it says that explicitly? I see in ssh_config(5):
>
>      HostName
>              Specifies the real host name to log into.
>

It says
Hostname
Specifies the real host name to log into. This can be used to
specify nicknames or abbreviations for hosts. *Arguments to
Hostname* accept the tokens described in the TOKENS section. Nu-
meric *IP addresses* are also permitted (both on the command line
and in Hostname specifications). The default is the name given
on the command line.

Of course I understand that this is ambiguous. I don't expect any miracles
here.

Having both IPv4 and IPv6 address defined for a specific Host would be
reasonable, though.

Regards
Harri

[asymptosis]

>Having both IPv4 and IPv6 address defined for a specific Host would be

How would your client know which one to go to?

Say I had:

Host foo
Hostname 192.168.2.2 192.168.2.3

Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the rest of the time?

Even if we accept that the wording is ambiguous, it is easily disambiguated by thinking about the logic involved.

Whereas, if we accept the logic that Hostname can take multiple arguments, then you might as well have:

Host foo
Hostname *

And thereby try to log into all servers in the world simultaneously O_o

[Harald Dunkel]

On 12/12/20 3:50 AM, asymptosis wrote:
>> Having both IPv4 and IPv6 address defined for a specific Host would be
>
> How would your client know which one to go to?
>
> Say I had:
>
> Host foo
> Hostname 192.168.2.2 192.168.2.3
>
> Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the rest of the time?
>

Actually this is about providing an IPv4 and IPv6 address in parallel,
but its not uncommon to have several IP addresses in the same AF bound
to the same host name in DNS.

In this case it might be reasonable to look at the subnets of the local
network interfaces. If the ssh config file on your laptop says (for example)

Host foo
Hostname 192.168.1.2 10.10.0.4

and your host has a local IP address 10.10.0.5/24, its pretty obvious
which IP address ssh should connect to.

Of course I understand that this code is not in. Its just an example
to show that having multiple IP addresses on the Hostname line (or a
hostname mapping to multiple IP addresses) is not unreasonable.


Regards
Harri

[David Newall]

> Say I had:
>
> Host foo
> Hostname 192.168.2.2 192.168.2.3
>
> Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the
> rest of the time?

I find the man page unambiguous: HostName specifies the singular real
host name to log into.  Alternatively, a singular IP address is permitted.

I can see how "Numeric IP addresses are also permitted" could be
construed as meaning multiple addresses on the one line, but, that's an
incorrect reading.  It really means, IP addresses can be used in
HostName entries.

All of this fails to help the original question, which is how to specify
multiple IP addresses.  The obvious answer to that is to put multiple A
records into your local DNS.  If you don't have a local DNS or have no
control over it, specify multiple Hosts in your config, one for each IP
address.

[Bob Proulx]

David Newall wrote:
> All of this fails to help the original question, which is how to specify
> multiple IP addresses. The obvious answer to that is to put multiple A
> records into your local DNS. If you don't have a local DNS or have no
> control over it, specify multiple Hosts in your config, one for each IP
> address.

Just some brainstorming here...

It should always be possible to populate the local /etc/hosts file as
an override to DNS with a local unique name. And then use that local
name in the config file.

Example /etc/hosts:

93.184.216.34 foo.example.com foo
2606:2800:220:1:248:1893:25c8:1946 foo.example.com foo

Example ssh config:

Host shortname realname.example.com
HostKeyAlias realname.example.com
Hostname foo

Use like:

ssh shortname
ssh realname.example.com

I tested this just now and on a host with IPv6 connectivity it used
the IPv6 address. The same configuration on a host with only IPv4
connectivity used the IPv4 address.

It's perhaps not the simplest of configurations but it did seem to fit
the criteria. The way to get both an IPv4 and an IPv6 address
available to Hostname. By stitching it through the /etc/hosts file.
WDYT?

Bob

[asymptosis]

>I find the man page unambiguous: HostName specifies the singular real
>host name to log into.  Alternatively, a singular IP address is
>permitted.
>
>I can see how "Numeric IP addresses are also permitted" could be
>construed as meaning multiple addresses on the one line, but, that's
>an incorrect reading.  It really means, IP addresses can be used in
>HostName entries.
>
>All of this fails to help the original question, which is how to
>specify multiple IP addresses.  The obvious answer to that is to put
>multiple A records into your local DNS.  If you don't have a local DNS
>or have no control over it, specify multiple Hosts in your config, one
>for each IP address.

Oh, I 100% agree. I was more trying to work through what the intent in the OP could even be. It seemed to me that the proposal hadn't been carefully thought through.

In hindsight, I guess the logic could be interpreted as "try each address assigned to the Hostname in order until one succeeds".

But as you say, this would conventionally be handled just by having a separate Host per Hostname, eg

Host foo.ipv4
Hostname 192.168.0.1

Host foo.ipv6
Hostname fc00::1

I already don't like the way the client just goes through the possible private keys one at a time until the connection succeeds. IMO IdentitiesOnly should default to "yes" instead of "no".

That is, I think there should be a principle of "minimise client guessing games". So, even if multiple entries makes sense for Hostname, I would still be inclined to disagree with any proposal to add this feature.

[Darren Tucker]

On Tue, 15 Dec 2020 at 10:39, David Newall <ope...@davidnewall.com> wrote:

> > Say I had:
> >
> > Host foo
> > Hostname 192.168.2.2 192.168.2.3
> >
> > Do I end up at 192.168.2.2 randomly half the time, and 192.168.2.3 the
> > rest of the time?
>

When DNS returns multiple entries, ssh will try to connect to each in the
order that the system returns them. For each entry, it'll try to connect
for ConnectTimeout seconds and if it doesn't work, it'll move onto the
next. It'll use the first one that works.

I did a patch[0] a while back that would race nonblocking connections and
use the first one that connects, but that would have a disadvantage of
spamming logs with "connection closed" messages from the unused connections
in the general case, and was easy enough to implement in a ProxyCommand for
the cases that need it.

Maybe we could extend Host to accept (comma-separated?) lists, but then the
question would be what would the behaviour be in the case when each entry
is itself a hostname that might resolve to multiple addresses?

I find the man page unambiguous: HostName specifies the singular real
> host name to log into. Alternatively, a singular IP address is permitted.
>
> I can see how "Numeric IP addresses are also permitted" could be
> construed as meaning multiple addresses on the one line, but, that's an
> incorrect reading. It really means, IP addresses can be used in
> HostName entries.
>
> All of this fails to help the original question, which is how to specify
> multiple IP addresses. The obvious answer to that is to put multiple A
> records into your local DNS. If you don't have a local DNS or have no
> control over it, specify multiple Hosts in your config, one for each IP
> address.
>

As someone else mentioned, you can put multiple entries into /etc/hosts,
which will have the behaviour described above.

[0] https://marc.info/?l=openssh-unix-dev&m=148421494521398&w=2

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.

[Harald Dunkel]

On 12/15/20 1:09 AM, asymptosis wrote:
>
> But as you say, this would conventionally be handled just by having a separate Host per Hostname, eg
>
> Host foo.ipv4
> Hostname 192.168.0.1
>
> Host foo.ipv6
> Hostname fc00::1
>

It would be more intuitive to use

Host foo
Hostname 192.168.0.1,fc00::1
# many
# more
# options

in .ssh/config and (for example)

ssh -6 foo ...

if you want to select the AF at all. That would be consistent to

Host foo
Hostname foo.example.com
# many
# more
# options

for relying on a naming service. BTW, changing /etc/hosts, LDAP,
external DNS or whatever might not be an option due to to local
restrictions.

>
> That is, I think there should be a principle of "minimise client guessing games". So, even if multiple entries makes sense for Hostname, I would still be inclined to disagree with any proposal to add this feature.

I disagree. ssh handles DNS returning several A and AAAA records
quite well. Having multiple IP address entries in the Hostname line
would be the same "guessing game".

IPv6 should no longer be ignored or considered as "not important for
us". Dual stack is state of the art today.


Regards
Harri

[David Newall]

> changing /etc/hosts, LDAP,
> external DNS or whatever might not be an option due to to local
> restrictions.
>
>>
>> That is, I think there should be a principle of "minimise client
>> guessing games". So, even if multiple entries makes sense for
>> Hostname, I would still be inclined to disagree with any proposal to
>> add this feature.
>
> I disagree. ssh handles DNS returning several A and AAAA records
> quite well. Having multiple IP address entries in the Hostname line
> would be the same "guessing game".
>
> IPv6 should no longer be ignored or considered as "not important for
> us". Dual stack is state of the art today.

Demonstrating that no good deed goes unpunished, this is what happens
when you allow abuse of Hostname, which is for the singular, official
*name*, with an IP address: people start expecting that it should also
handle multiple IP addresses.

This feels like a discussion about multiple addresses for private hosts
with non-public IP addresses on a local network.  You can just pick one!