
Use ResolveCommand hostname when creating ssh config

Open herver opened this issue 7 years ago • 4 comments

Hello,

I'm trying to use assh in combination with Kerberos authentication, and there is a small issue. Here's my configuration:

hosts:
  "osd.[0-9]*.ceph1":
    ResolveCommand: /bin/sh -c "ceph --cluster ceph1 osd find $(echo %h | sed -E 's/osd.([0-9]+).ceph1/\1/') | jq -r .crush_location.host"

The ResolveCommand returns the correct hostname, but when ssh is connecting to the machine, it mentions the hostname I type on the command line, and not the resolved one. This prevents SSH from using Kerberos authentication because the hostname provided by ASSH doesn't match any entry in the Kerberos database.

[...]
debug1: Host 'osd.12.ceph1' is known and matches the ECDSA host key.
[...]
debug1: Next authentication method: gssapi-with-mic
debug1: Unspecified GSS failure.  Minor code may provide more information
Server not found in Kerberos database

herver avatar Apr 26 '17 15:04 herver

Hi @herver, thank you for your feedback.

Can you confirm that the expected behavior is that assh generates the result of the ResolveCommand as Hostname in the generated .ssh/config host?

Example:

hosts:
  "osd.[0-9]*.ceph1":
    ResolveCommand: /bin/sh -c "ceph --cluster ceph1 osd find $(echo %h | sed -E 's/osd.([0-9]+).ceph1/\1/') | jq -r .crush_location.host"
Host osd.42.ceph1
  Hostname: 1.2.3.4 (result of the ResolveCommand)

Host osd.1337.ceph1
  Hostname: 5.6.7.8 (result of the ResolveCommand)

moul avatar May 29 '17 19:05 moul

Hi @moul,

This is exactly what I would expect.

  • Today it generates the following:
INFO[0000] Host osd.12.ceph1                           
INFO[0000]   Port 22                                    
INFO[0000]   # HostName: osd.12.ceph1                  
INFO[0000]   # KnownHostOf: osd.12.ceph1               
INFO[0000]   # ResolveCommand: /bin/sh -c "ceph --cluster ceph1 osd find $(echo %h | sed -E 's/osd.([0-9]+).ceph1/\1/') | jq -r .crush_location.host" 
  • I would expect
[...]            
INFO[0000]   # HostName: 1.2.3.4           
[...]

herver avatar May 30 '17 06:05 herver

I suspect Kerberos authentication looks for an uncommented HostName, but due to a limitation in the way ssh works, I need to comment HostName in the generated .ssh/config file (https://github.com/moul/advanced-ssh-config/pull/116)

Before trying to run the ResolveCommand when creating the ssh config file, can you just confirm that it will fix your problem? Can you try to update the generated .ssh/config file and replace the value of # HostName (keep it commented)?

I will try to set up a Kerberos test environment to give it a try myself.

moul avatar May 30 '17 08:05 moul

I tried with both HostName commented and uncommented.

As you feared, it requires the HostName to be uncommented to work, otherwise it asks for a principal called Name which doesn't exist in the Kerberos realm...

herver avatar May 30 '17 12:05 herver
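
The outcome the thread converges on, as an added sketch (not assh code and not written by either participant): resolve the alias first, then emit a stanza whose HostName is uncommented. `resolve_osd_host` is a hypothetical stand-in, with constructed hostnames, for the ceph/jq pipeline; the alias is checked against a strict `osd.<digits>.ceph1` shape before anything derived from it reaches a command, since the ResolveCommand above substitutes %h into `/bin/sh -c`.

```sh
#!/bin/sh
# Added sketch, not assh code. Function names and hostnames are assumptions.

# Accept only osd.<digits>.ceph1 and print the numeric id; reject anything
# else so shell metacharacters in an alias never reach the resolver.
osd_id_from_alias() {
    case "$1" in
        osd.*.ceph1) ;;
        *) return 1 ;;
    esac
    id=${1#osd.}
    id=${id%.ceph1}
    case "$id" in
        ''|*[!0-9]*) return 1 ;;
    esac
    printf '%s\n' "$id"
}

# Hypothetical stand-in (constructed data) for:
#   ceph --cluster ceph1 osd find <id> | jq -r .crush_location.host
resolve_osd_host() {
    case "$1" in
        12) echo "node-a.example.test" ;;
        42) echo "node-b.example.test" ;;
        *) return 1 ;;
    esac
}

# Print an ssh_config stanza with the resolved name as an uncommented HostName.
render_host_block() {
    alias_name=$1
    id=$(osd_id_from_alias "$alias_name") || return 1
    target=$(resolve_osd_host "$id") || return 1
    # The resolver output is also untrusted input: allow hostname characters only.
    case "$target" in
        ''|*[!A-Za-z0-9.-]*) return 1 ;;
    esac
    printf 'Host %s\n  HostName %s\n' "$alias_name" "$target"
}

render_host_block osd.12.ceph1
```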