As I move around from home to various other places different systems that I connect to from my laptop become 'local'. Being a lazy person I really don't want to type in long complicated ssh commands when I'm connecting remotely. Thus I have in the ~/.ssh/config file the following:-
Host cheddar
    HostName cheddar.halon.org.uk
Host halon
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
Host odin
    ProxyCommand ssh cheddar nc -q0 localhost 51234
This means I can simply type 'ssh chris' or 'ssh odin' and ssh with the above config file does all the hard work for me.
However it means that when I'm at home for example (where 'chris' is my desktop on the LAN) if I type 'ssh chris' I get connected to my desktop machine via the internet which is rather ridiculous.
Can anyone come up with an easy way to change how 'ssh chris' acts according to whether I'm on the LAN where 'chris' is or not. Similarly I want the same to happen when I'm on the LAN where 'odin' is (which is not the same LAN).
On 20 Sep 2014 13:20, "Chris Green" cl@isbd.net wrote:
Can anyone come up with an easy way to change how 'ssh chris' acts according to whether I'm on the LAN where 'chris' is or not. Similarly I want the same to happen when I'm on the LAN where 'odin' is (which is not the same LAN).
What provides your DNS when you're at the different locations?
Simply make sure that whatever it is dishes out the local addresses. When you're away from that location the world visible DNS will give the external IP, when you're at the location the local DNS will override the world visible alternatives.
Mark
On Sat, Sep 20, 2014 at 06:56:46PM +0100, Mark Rogers wrote:
On 20 Sep 2014 13:20, "Chris Green" <cl@isbd.net> wrote:
Can anyone come up with an easy way to change how 'ssh chris' acts according to whether I'm on the LAN where 'chris' is or not. Similarly I want the same to happen when I'm on the LAN where 'odin' is (which is not the same LAN).
What provides your DNS when you're at the different locations?
dnsmasq on the LAN, whoever I'm connected to's DNS when elsewhere.
Simply make sure that whatever it is dishes out the local addresses. When you're away from that location the world visible DNS will give the external IP, when you're at the location the local DNS will override the world visible alternatives.
As I have pointed out in a previous reply this doesn't work because of the ProxyAddress stuff I have in my ~/.ssh/config file. I need some way to switch the ProxyCommand off when I'm on the LAN.
On 20/09/14 13:19, Chris Green wrote:
As I move around from home to various other places different systems that I connect to from my laptop become 'local'. Being a lazy person I really don't want to type in long complicated ssh commands when I'm connecting remotely. Thus I have in the ~/.ssh/config file the following:-
Host cheddar
    HostName cheddar.halon.org.uk
Host halon
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
Host odin
    ProxyCommand ssh cheddar nc -q0 localhost 51234
This means I can simply type 'ssh chris' or 'ssh odin' and ssh with the above config file does all the hard work for me.
However it means that when I'm at home for example (where 'chris' is my desktop on the LAN) if I type 'ssh chris' I get connected to my desktop machine via the internet which is rather ridiculous.
Can anyone come up with an easy way to change how 'ssh chris' acts according to whether I'm on the LAN where 'chris' is or not. Similarly I want the same to happen when I'm on the LAN where 'odin' is (which is not the same LAN).
To me the answer to so many recent questions seems to be "Use dnsmasq"!
I have a laptop and a server. The server runs dnsmasq which does dns for my network. The server has a hosts file which is fairly normal but also has an entry like
192.168.1.100 MyServer.ItsPublicInternetAddress.Example
If my laptop is on my network and getting addresses from dnsmasq, then
ssh MyServer.ItsPublicInternetAddress.Example
is equivalent to
ssh 192.168.1.100
If my laptop is not on the network, and it's getting names from an ISP's dns server then
ssh MyServer.ItsPublicInternetAddress.Example
resolves to the true internet name of the server, and it will be accessed via the internet.
HTH Steve
On Sun, Sep 21, 2014 at 11:25:23PM +0100, steve-ALUG@hst.me.uk wrote:
On 20/09/14 13:19, Chris Green wrote:
As I move around from home to various other places different systems that I connect to from my laptop become 'local'. Being a lazy person I really don't want to type in long complicated ssh commands when I'm connecting remotely. Thus I have in the ~/.ssh/config file the following:-
Host cheddar
    HostName cheddar.halon.org.uk
Host halon
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
Host odin
    ProxyCommand ssh cheddar nc -q0 localhost 51234
This means I can simply type 'ssh chris' or 'ssh odin' and ssh with the above config file does all the hard work for me.
However it means that when I'm at home for example (where 'chris' is my desktop on the LAN) if I type 'ssh chris' I get connected to my desktop machine via the internet which is rather ridiculous.
Can anyone come up with an easy way to change how 'ssh chris' acts according to whether I'm on the LAN where 'chris' is or not. Similarly I want the same to happen when I'm on the LAN where 'odin' is (which is not the same LAN).
To me the answer to so many recent questions seems to be "Use dnsmasq"!
I have a laptop and a server. The server runs dnsmasq which does dns for my network. The server has a hosts file which is fairly normal but also has an entry like
192.168.1.100 MyServer.ItsPublicInternetAddress.Example
If my laptop is on my network and getting addresses from dnsmasq, then
ssh MyServer.ItsPublicInternetAddress.Example
is equivalent to
ssh 192.168.1.100
If my laptop is not on the network, and it's getting names from an ISP's dns server then
ssh MyServer.ItsPublicInternetAddress.Example
I certainly don't want to type out 'ssh chris.complete.server.name' every time I ssh, the whole point of my ~/.ssh/config file above is that I can just type 'ssh chris' to connect.
If I wasn't using ProxyCommand I think your solution would work, I could have:-
Host chris
    Hostname chris.zbmc.eu
... and 'ssh chris' would work correctly from the LAN or outside.
However what I already have in my ~/.ssh/config file is:-
Host cheddar
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
So, unfortunately, what you are suggesting won't work in this particular case. What I need is a way to get the ProxyCommand when I'm out and about but switch it off completely when I'm on the LAN.
On Mon, 22 Sep 2014 08:52:26 +0100 Chris Green cl@isbd.net allegedly wrote:
On Sun, Sep 21, 2014 at 11:25:23PM +0100, steve-ALUG@hst.me.uk wrote:
On 20/09/14 13:19, Chris Green wrote:
As I move around from home to various other places different systems that I connect to from my laptop become 'local'. Being a lazy person I really don't want to type in long complicated ssh commands when I'm connecting remotely. Thus I have in the ~/.ssh/config file the following:-
Sigh.
Chris
Why do you keep asking variants of the same question? Lots of different people have taken the time and effort to answer those questions for you at various times in the past, yet you ignore the answers and come back with yet another variant of the "how do I do this when connecting to/from my boat"?
Think back to what Keith asked you back in 2012:
"Here's some thoughts, and a question for you.
The thoughts: You ask for some advice, receive a number of responses, and you decide to do something different (that you can't get to work). Then you find a really complex solution, which is less secure than some of the suggestions you received. I feel that those who responded have wasted their time and expertise trying to help you.
The question: why would anyone on this list try to help you next time?"
I agree with Keith. Sorry, but I now consign most of your emails straight to /dev/null.
Mick
---------------------------------------------------------------------
Mick Morgan gpg fingerprint: FC23 3338 F664 5E66 876B 72C0 0A1F E60B 5BAD D312 http://baldric.net
---------------------------------------------------------------------
On 22/09/14 08:52, Chris Green wrote:
[SNIP]
On Sun, Sep 21, 2014 at 11:25:23PM +0100, steve-ALUG@hst.me.uk wrote:
[SNIP]
If I wasn't using ProxyCommand I think your solution would work, I
[SNIP]
I don't really see why you think that ProxyCommand affects this, but IMO the solution for your original question is dnsmasq.
I use it here on my firewall for the DMZ. My DMZ contains internet-facing machines, which all have 10.* addresses in a local subnet, and traffic is forwarded to them via the firewall as appropriate. If I want to access myserver.mydomain.com from my desktop, "normal" DNS would give me the external IP address, which I don't want. dnsmasq intercepts that DNS lookup and provides the LAN address instead.
That seems to be what you want to do.
Cheers, Laurie.
On Mon, Sep 22, 2014 at 11:19:53AM +0100, Laurie Brown wrote:
On 22/09/14 08:52, Chris Green wrote:
[SNIP]
On Sun, Sep 21, 2014 at 11:25:23PM +0100, steve-ALUG@hst.me.uk wrote:
[SNIP]
If I wasn't using ProxyCommand I think your solution would work, I
[SNIP]
I don't really see why you think that ProxyCommand affects this, but IMO the solution for your original question is dnsmasq.
Because if I do 'ssh chris' when I'm on the LAN it finds the ProxyCommand as follows:-
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
... and will connect out from the LAN to cheddar on the internet and then back again to my desktop machine. I *do* have dnsmasq at home on the LAN.
The whole point of the ~/.ssh/config file I have is that when I'm not at home I can just enter 'ssh chris' and I will be automatically connected via cheddar.halon.org.uk to my home machine 'chris.zbmc.eu'.
However this *prevents* 'ssh chris' doing the obvious default thing it would normally do when I'm at home connected to the LAN. Instead of just connecting me to 'chris' (which it can find because I have dnsmasq running) it instead connects out to cheddar.halon.org.uk and then back to zbmc.eu, as directed by the ProxyCommand.
Ditch the proxycommand and just set the ssh config to connect to zbmc.eu directly, and set the hostname for zbmc.eu internally with dnsmasq on your internal lan via /etc/hosts as already suggested. I don't see why you feel this won't work.
Failing that put a script into ifup.d to detect which network you're on and write a line to /etc/hosts or comment it as appropriate (if you really must).
Adam
On Mon, Sep 22, 2014 at 04:37:57PM +0100, Adam Bower wrote:
Ditch the proxycommand and just set the ssh config to connect to zbmc.eu directly, and set the hostname for zbmc.eu internally with dnsmasq on your internal lan via /etc/hosts as already suggested. I don't see why you feel this won't work.
It will of course, but then I'm left with a long complex procedure to connect to my home machine when I'm out and about.
This is where we came in! :-)
Obviously it's easy enough to set things up so when I'm at home (on the LAN) I can just type 'ssh chris' to connect to my desktop.
However when I'm away from home I quickly get fed up with typing 'ssh cheddar.halon.org.uk' followed by 'ssh zbmc.eu' so I set up the ProxyCommand to make it so I can type just 'ssh chris'.
All I was looking for was any easy way to switch from one mode to the other, preferably one that would work automatically.
I can see all sorts of rather messy ways of doing it (others have suggested some), but I was hoping for a neat/elegant way of doing it.
The best I can come up with at the moment is a script that detects whether it's on the LAN (using 'ping' does this fairly easily) and then edits the ~/.ssh/config file. However scripts that perform actions by editing configuration files on the fly make me a bit uncomfortable.
A neater way might be to use the 'match' keyword in the ssh config file, I was hoping that maybe someone had already done something like this.
On Mon, Sep 22, 2014 at 06:27:07PM +0100, Chris Green wrote:
On Mon, Sep 22, 2014 at 04:37:57PM +0100, Adam Bower wrote:
Ditch the proxycommand and just set the ssh config to connect to zbmc.eu directly, and set the hostname for zbmc.eu internally with dnsmasq on your internal lan via /etc/hosts as already suggested. I don't see why you feel this won't work.
It will of course, but then I'm left with a long complex procedure to connect to my home machine when I'm out and about.
No! Jesus, this is not hard to understand, please try.
Create in your ssh config
Host chris
    Hostname zbmc.eu
and then on dnsmasq on the lan where this host is put into /etc/hosts the name zbmc.eu and the IP address of the machine on the local lan. Then the DNS lookup for this machine will resolve to the local IP address.
Then you can type ssh chris and it will do the right thing.
Adam
On Mon, Sep 22, 2014 at 08:25:10PM +0100, Adam Bower wrote:
On Mon, Sep 22, 2014 at 06:27:07PM +0100, Chris Green wrote:
On Mon, Sep 22, 2014 at 04:37:57PM +0100, Adam Bower wrote:
Ditch the proxycommand and just set the ssh config to connect to zbmc.eu directly, and set the hostname for zbmc.eu internally with dnsmasq on your internal lan via /etc/hosts as already suggested. I don't see why you feel this won't work.
It will of course, but then I'm left with a long complex procedure to connect to my home machine when I'm out and about.
No! Jesus, this is not hard to understand, please try.
Create in your ssh config
Host chris
    Hostname zbmc.eu
and then on dnsmasq on the lan where this host is put into /etc/hosts the name zbmc.eu and the IP address of the machine on the local lan. Then the DNS lookup for this machine will resolve to the local IP address.
Then you can type ssh chris and it will do the right thing.
Yes, it will do the right thing when I'm on the LAN. It will *not* do the right thing (connect via the intermediate machine) when I am connecting from elsewhere.
Maybe I'm not explaining well but when I'm connecting from elsewhere my connection isn't direct to zbmc.eu. For security I only allow connections from two specific IP addresses, one of which is cheddar.halon.org.uk.
So the procedure (in longhand) to connect from outside is:-
ssh cheddar.halon.org.uk
chris@cheddar.halon.org.uk's password:
halon$ ssh zbmc.eu
chris@zbmc.eu's password:
Last login: Mon Sep 22 19:34:18 2014 from x201.zbmc.eu
chris@chris$
Thus I have added the following lines in my ssh config file:-
Host halon
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
These mean that I can enter 'ssh chris' from outside and it does all the work for me. However it also means that 'ssh chris' when I'm on the LAN also goes via cheddar.halon.org.uk because of the 'Host chris' line in the config file.
On Mon, Sep 22, 2014 at 09:24:16PM +0100, Chris Green wrote:
Maybe I'm not explaining well but when I'm connecting from elsewhere my connection isn't direct to zbmc.eu. For security I only allow connections from two specific IP addresses, one of which is cheddar.halon.org.uk.
It won't really make it any more secure but if you're choosing to do it the hard way why not just use a bash alias instead or via the ifup.d method I suggested earlier?
Adam
On 22/09/14 21:24, Chris Green wrote:
On Mon, Sep 22, 2014 at 08:25:10PM +0100, Adam Bower wrote:
No! Jesus, this is not hard to understand, please try.
Create in your ssh config
Host chris
    Hostname zbmc.eu
and then on dnsmasq on the lan where this host is put into /etc/hosts the name zbmc.eu and the IP address of the machine on the local lan. Then the DNS lookup for this machine will resolve to the local IP address.
Then you can type ssh chris and it will do the right thing.
Yes, it will do the right thing when I'm on the LAN. It will *not* do the right thing (connect via the intermediate machine) when I am connecting from elsewhere.
Maybe I'm not explaining well but when I'm connecting from elsewhere my connection isn't direct to zbmc.eu. For security I only allow connections from two specific IP addresses, one of which is cheddar.halon.org.uk.
So the procedure (in longhand) to connect from outside is:-
ssh cheddar.halon.org.uk
chris@cheddar.halon.org.uk's password:
halon$ ssh zbmc.eu
chris@zbmc.eu's password:
Last login: Mon Sep 22 19:34:18 2014 from x201.zbmc.eu
chris@chris$
Thus I have added the following lines in my ssh config file:-
Host halon
    HostName cheddar.halon.org.uk
Host chris
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
These mean that I can enter 'ssh chris' from outside and it does all the work for me. However it also means that 'ssh chris' when I'm on the LAN also goes via cheddar.halon.org.uk because of the 'Host chris' line in the config file.
Another alternative: inside the LAN, just use ssh chris.
For outside the LAN, create a bash script and call it sshchris2.sh or something short and snappy. Put all your commands in that. Then if you're at home just do ssh chris, away from home just sshchris2. Simple Sorted?
Steve
On Mon, Sep 22, 2014 at 09:46:56PM +0100, steve-ALUG@hst.me.uk wrote:
These mean that I can enter 'ssh chris' from outside and it does all the work for me. However it also means that 'ssh chris' when I'm on the LAN also goes via cheddar.halon.org.uk because of the 'Host chris' line in the config file.
Another alternative: inside the LAN, just use ssh chris.
For outside the LAN, create a bash script and call it sshchris2.sh or something short and snappy. Put all your commands in that. Then if you're at home just do ssh chris, away from home just sshchris2. Simple Sorted?
Yes, I considered this. It would be pretty easy to invent two names for my machine 'chris' and use one from outside and the other on the LAN.
I am just trying for perfection such that I can 'ssh chris' from anywhere! :-)
I think I have done it now with the following in my ~/.ssh/config file:-
Host halon
    HostName cheddar.halon.org.uk
Match host chris exec "hostNotLocal chris"
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
... plus the script hostNotLocal which returns true if a host can't be found on the local LAN. Thus what happens when I enter 'ssh chris' is that the Match line looks to see if it can see 'chris' (that hostNotLocal just uses a ping), if it *can* see 'chris' then the ProxyCommand *doesn't* happen and the 'ssh chris' simply connects to the local 'chris'. On the other hand if 'chris' isn't there then the ProxyCommand does its work and my two stage login is done.
Yes, I know it's quite complicated in a way but it does make my life a little simpler. :-)
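The hostNotLocal script itself is not shown in the thread. One possible version, as an added example that is not Chris's script: it assumes Linux iputils ping (for -c and -W), and the host name check and the PING override are additions of this example.

```shell
#!/bin/sh
# hostNotLocal (added example, not the script from the thread).
# Exit status 0 means "HOST is NOT reachable locally", which makes this
# Match line from the thread true and so turns the ProxyCommand on:
#
#   Match host chris exec "hostNotLocal chris"
#       ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
#
# PING can be overridden so the logic can be exercised without a network
# (assumption of this example).
PING=${PING:-ping}

host_not_local() {
    host=$1
    # Accept only a plain host name. Anything else (empty, option-like,
    # shell-special) is reported as "not local", so ssh takes the proxied route.
    case $host in
        ''|-*|*[!A-Za-z0-9._-]*) return 0 ;;
    esac
    # One probe, one-second wait (Linux iputils flags), so that ssh is not
    # held up noticeably when away from the LAN.
    if "$PING" -c 1 -W 1 "$host" >/dev/null 2>&1; then
        return 1    # answered: local, Match fails, direct connection
    fi
    return 0        # silent or unresolvable: not local, ProxyCommand applies
}

# Run as a command only when installed under the name hostNotLocal.
case ${0##*/} in
    hostNotLocal) host_not_local "$1"; exit $? ;;
esac
```

A ping reply only shows that something answers to that name on the current network; it is ssh's host key check that identifies the machine, so a changed-host-key warning on an unfamiliar network should not be accepted.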
OK - so lots and lots of going round in circles happened... and it was all tedious...
On 22 Sep 22:03, Chris Green wrote:
I think I have done it now with the following in my ~/.ssh/config file:-
Host halon
    HostName cheddar.halon.org.uk
Match host chris exec "hostNotLocal chris"
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
... plus the script hostNotLocal which returns true if a host can't be found on the local LAN. Thus what happens when I enter 'ssh chris' is that the Match line looks to see if it can see 'chris' (that hostNotLocal just uses a ping), if it *can* see 'chris' then the ProxyCommand *doesn't* happen and the 'ssh chris' simply connects to the local 'chris'. On the other hand if 'chris' isn't there then the ProxyCommand does its work and my two stage login is done.
Yes, I know it's quite complicated in a way but it does make my life a little simpler. :-)
But, erm, you could have just done the easy method, and made the ProxyCommand a script, the script then does one of:
exec ssh cheddar nc -q0 zbmc.eu 22
Or
exec nc -q0 the.internal.ip.address 22
You could even make that script sensible and be able to cope with different networks and working out what network you're connected to.
Also has the advantage that you don't use Match in the ssh config, because, erm, that appears to be a recent addition (it has been in sshd_config for ages, it's not in wheezy's ssh_config), which means that it's more portable to other machines.
(I used exactly this style system for *ages* at a previous place of employ, so I know that it works).
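A ProxyCommand wrapper along the lines Brett describes, as an added example that is not his script: it works out the network from the laptop's own IPv4 addresses (Linux iproute2 assumed) and covers both 'chris' and 'odin'. The name ssh-route, the subnet prefixes and the internal addresses are constructed placeholders; only the two proxied commands come from the thread.

```shell
#!/bin/sh
# ssh-route (hypothetical name), wired in from ~/.ssh/config as:
#
#   Host chris odin
#       ProxyCommand ssh-route %h
#
# Prefixes and internal addresses below are constructed placeholders.

# IPv4 addresses currently configured on this machine, one per line,
# in the form 192.168.1.23/24.
local_addrs() {
    ip -o -4 addr show scope global | awk '{ print $4 }'
}

# on_lan PREFIX ADDRS: succeed if any address in ADDRS starts with PREFIX.
# The trailing dot in a prefix stops 192.168.1. from matching 192.168.10.x.
on_lan() {
    want=$1
    for addr in $2; do
        case $addr in "$want"*) return 0 ;; esac
    done
    return 1
}

# route_for HOST ADDRS: print the command that should carry the connection.
route_for() {
    case $1 in
        chris) prefix=192.168.1. direct=192.168.1.10
               remote='ssh cheddar nc -q0 zbmc.eu 22' ;;
        odin)  prefix=192.168.7. direct=192.168.7.20
               remote='ssh cheddar nc -q0 localhost 51234' ;;
        *)     echo "ssh-route: unknown host: $1" >&2; return 1 ;;
    esac
    if on_lan "$prefix" "$2"; then
        echo "nc -q0 $direct 22"    # on that host's LAN: connect directly
    else
        echo "$remote"              # elsewhere: go through cheddar
    fi
}

# Run as a command only when installed under the name ssh-route.
case ${0##*/} in
    ssh-route)
        cmd=$(route_for "$1" "$(local_addrs)") || exit 1
        # Word splitting is intended: $cmd is one of the fixed strings above.
        exec $cmd ;;
esac
```

Private prefixes such as 192.168.1. are reused on many networks, so a prefix match is a routing hint only; the direct attempt simply fails or trips the host key check when the laptop is on someone else's 192.168.1.x network.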
On Tue, Sep 23, 2014 at 12:29:13PM +0100, Brett Parker wrote:
OK - so lots and lots of going round in circles happened... and it was all tedious...
On 22 Sep 22:03, Chris Green wrote:
I think I have done it now with the following in my ~/.ssh/config file:-
Host halon
    HostName cheddar.halon.org.uk
Match host chris exec "hostNotLocal chris"
    ProxyCommand ssh cheddar nc -q0 zbmc.eu 22
... plus the script hostNotLocal which returns true if a host can't be found on the local LAN. Thus what happens when I enter 'ssh chris' is that the Match line looks to see if it can see 'chris' (that hostNotLocal just uses a ping), if it *can* see 'chris' then the ProxyCommand *doesn't* happen and the 'ssh chris' simply connects to the local 'chris'. On the other hand if 'chris' isn't there then the ProxyCommand does its work and my two stage login is done.
Yes, I know it's quite complicated in a way but it does make my life a little simpler. :-)
But, erm, you could have just done the easy method, and made the ProxyCommand a script, the script then does one of:
exec ssh cheddar nc -q0 zbmc.eu 22
Or
exec nc -q0 the.internal.ip.address 22
You could even make that script sensible and be able to cope with different networks and working out what network you're connected to.
Also has the advantage that you don't use Match in the ssh config, because, erm, that appears to be a recent addition (it has been in sshd_config for ages, it's not in wheezy's ssh_config), which means that it's more portable to other machines.
(I used exactly this style system for *ages* at a previous place of employ, so I know that it works).
Yes, I certainly could have done that if someone had come up with the idea when I first asked! :-) That was *exactly* the sort of thing I was hoping someone would know about. It just hadn't occurred to me to do it that way and I agree it is probably somewhat neater than the way I have used.