I frequently need to ssh into an arbitrary computer from a particular cluster (all machines in the cluster are identical). However, the set of available machines in the cluster changes frequently, so I have a script that returns an arbitrary hostname from the cluster that is available and matches my requirements (e.g., online and running the correct OS).
Note also, that I'm using Kerberos (GSSAPIAuthentication) credential forwarding for authentication.
Right now, I ssh in using ssh `get_host`
. I would like to instead execute ssh cluster
. With a known hostname, this is easy with the following in /ssh/config
:
Host cluster
HostName static_host.cluster.domain.tld
GSSAPIAuthentication yes
GSSAPIDelegateCredentials yes
How can I select the HostName
dynamically, using my script? (Or does SSH have a different method to support my desired function?) I would like to do something like the following, but it does not work:
Host cluster
HostName `get_host` # This does not work
...
Grawity showed that the ProxyCommand
can be a script that gets the hostname and forwards the ssh
connection to it using netcat
or socat
. However, this isn't forwarding the Kerberos credentials. Help with this is appreciated as well.
EDIT:
You can't do this with Kerberos as I would like (see comments in the accepted answer). So, I'm using this script, ssh-wrapper
, as an ssh
alias to do dynamic rewriting on the ssh
command-line argument. It's not robust, but it works for me.
#!/bin/bash
# Mapping between host aliases and dynamically-generated hostname
declare -A MAP
MAP[cluster]=`gethost`
# Find and replace on all positional args
args=$*
for key in ${!MAP[@]}; do
replace=${MAP[$key]}
args=`echo ${args} | sed "s/\(^\|[[:space:]]\)${key}\(\$\|[[:space:]]\)/${replace}/"`
done
# Execute using called-name if not this script
if [ "ssh-wrapper" != "`basename $0`" ]; then
exec $0 ${args}
# Otherwise, assume ssh and execute
else
exec ssh ${args}
fi
Best Answer
~/.ssh/config
:~/bin/cluster-connect
: