ronf / asyncssh

AsyncSSH is a Python package which provides an asynchronous client and server implementation of the SSHv2 protocol on top of the Python asyncio framework.
Eclipse Public License 2.0

Support for hostname canonicalization in ssh client config #713

Open siliconblade opened 1 week ago

siliconblade commented 1 week ago

Currently asyncssh does not support hostname canonicalization in the client config [docs]. Please add support for the following client options that are present in openssh:

CanonicalizeHostname yes
CanonicalDomains example.org example.com
CanonicalizeMaxDots 1
CanonicalizeFallbackLocal yes
CanonicalizePermittedCNAMEs *.redis.example.org:redis.example.com

Paramiko has implemented these partially.

ronf commented 5 days ago

I'll look into this. It appears to be pretty straightforward, but there's a lot of new config as you pointed out here, plus an additional "Match canonical" option in the config file and a need to reload the config whenever canonicalization happens.

In the meantime, you can get the same result as this by just creating "Host" entries in your config file with both the short and long name. For instance:

Host host1 host1.example.com
    Hostname host1.example.com

Host host2 host2.example.com
    Hostname host2.example.com

Host host3 host3.example.net
    Hostname host3.example.net

With this config, you can use either the short or long name as the target host when running SSH. The hostname it looks up in DNS will be whatever hostname you put in the Hostname option. You can even use IP addresses there if the target host doesn't have an entry in DNS but you still want to refer to it using a name. In that sense, it's more flexible than hostname canonicalization, but it has to be set up on a per-host basis.
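An added example, not AsyncSSH's or OpenSSH's code, that models what the five options quoted in the issue would do (and which the per-host "Host" workaround above replaces by hand): qualify a short name against each CanonicalDomains entry in turn, stop at CanonicalizeMaxDots, follow a CNAME only when a CanonicalizePermittedCNAMEs rule allows it, and fall back to the local resolver when CanonicalizeFallbackLocal is set. DNS is replaced by a constructed in-memory table so it runs offline; every hostname and record in it is invented, the resolver contract (return the CNAME target, None for a direct record, raise LookupError for a missing name) is an assumption of this example, and ssh_config patterns are approximated with fnmatch.

```python
"""Offline model of OpenSSH-style hostname canonicalization.

Added example for this issue; not AsyncSSH's (or OpenSSH's) implementation.
DNS is replaced by a constructed table so the code runs offline.
"""
import fnmatch
import ipaddress
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Tuple

Rules = List[Tuple[List[str], List[str]]]


@dataclass
class CanonicalizeOptions:
    """The ssh_config options from the issue, as plain fields."""
    canonicalize_hostname: bool = True
    canonical_domains: List[str] = field(default_factory=list)
    canonicalize_max_dots: int = 1
    canonicalize_fallback_local: bool = True
    permitted_cnames: Rules = field(default_factory=list)  # parsed rules


def parse_permitted_cnames(spec: str) -> Rules:
    """Parse 'src1,src2:tgt1,tgt2 src3:tgt3' into [(srcs, tgts), ...]."""
    rules: Rules = []
    for item in spec.split():
        src, _, tgt = item.partition(":")
        rules.append((src.split(","), tgt.split(",")))
    return rules


def _match_any(name: str, patterns: List[str]) -> bool:
    # '*' and '?' wildcards; '*' crosses dots, as ssh_config patterns do.
    return any(fnmatch.fnmatchcase(name, p) for p in patterns)


def cname_permitted(fqdn: str, target: str, rules: Rules) -> bool:
    """True if some rule lets `fqdn` be replaced by its CNAME `target`."""
    return any(_match_any(fqdn, srcs) and _match_any(target, tgts)
               for srcs, tgts in rules)


def _is_address(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


# Resolver contract assumed by this example: CNAME target if the name is an
# alias, None if it resolves directly, LookupError if it does not exist.
Resolver = Callable[[str], Optional[str]]


def canonicalize(host: str, opts: CanonicalizeOptions, resolve: Resolver) -> str:
    """Return the canonical name for `host`, or `host` unchanged if not applicable."""
    if not opts.canonicalize_hostname or _is_address(host):
        return host
    # A name with more dots than CanonicalizeMaxDots is treated as already qualified.
    if host.count(".") > opts.canonicalize_max_dots:
        return host
    for domain in opts.canonical_domains:
        fqdn = f"{host}.{domain}"
        try:
            target = resolve(fqdn)
        except LookupError:
            continue
        # Follow the CNAME only if a rule permits it; otherwise keep the
        # qualified name so the host key is checked under that name.
        if target is not None and cname_permitted(fqdn, target, opts.permitted_cnames):
            return target
        return fqdn
    if opts.canonicalize_fallback_local:
        return host  # leave it to the system resolver's search rules
    raise LookupError(f"could not canonicalize {host!r} in {opts.canonical_domains}")


# Constructed DNS table (invented names): name -> CNAME target, None = direct record
FAKE_DNS: Dict[str, Optional[str]] = {
    "host1.example.org": None,
    "db.example.com": None,
    "cache.redis.example.org": "redis.example.com",  # allowed by the issue's rule
    "web.example.org": "lb.cdn.example.net",         # no rule: keep web.example.org
}


def fake_resolve(name: str) -> Optional[str]:
    if name not in FAKE_DNS:
        raise LookupError(name)
    return FAKE_DNS[name]


# Exactly the settings quoted in the issue.
ISSUE_OPTS = CanonicalizeOptions(
    canonical_domains=["example.org", "example.com"],
    canonicalize_max_dots=1,
    canonicalize_fallback_local=True,
    permitted_cnames=parse_permitted_cnames("*.redis.example.org:redis.example.com"),
)

if __name__ == "__main__":
    for h in ["host1", "db", "cache.redis", "web", "a.b.c", "10.0.0.1", "nosuch"]:
        print(f"{h:12} -> {canonicalize(h, ISSUE_OPTS, fake_resolve)}")
```

The security-relevant detail is the CNAME check: a name that resolves through an alias outside the permitted list keeps its qualified form rather than the alias, so the host key is matched against the name the user's config authorised, not whatever the zone currently points it at.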

siliconblade commented 5 days ago

Thank you @ronf for looking into this. Unfortunately there are a ton of hosts that need full names and there can be multiple domains to consider. We have a workaround for this, but having configs in multiple places adds to user confusion.

ronf commented 5 days ago

Yeah, understood.

I made some good progress today on this. I have all the config and options pieces done to pass in the new configuration, and a first cut at the canonicalization function itself. I'm still debugging that and additional work will be required to handle the case where SSH tunnels are involved, and to handle the enforcement of CanonicalizePermittedCNAMEs to decide whether to return a CNAME or not, but it's a start!

I've also got documentation and unit tests to write once I get the basic functionality working, so it may be a week or two before this is fully done. However, if you're interested in trying out a preview of it, I could potentially make a first cut available once I have something working.

siliconblade commented 4 days ago

Definitely a great start and more than happy to test early versions. Thank you!