[Bug 1898] possible unreasonable behaviour when using ProxyCommand with multiple IdentityFile(s)

bugzilla-daemon at bugzilla.mindrot.org
Sun Aug 14 04:24:02 EST 2011


https://bugzilla.mindrot.org/show_bug.cgi?id=1898

Christoph Anton Mitterer <calestyo at scientia.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |REOPENED
         Resolution|FIXED                       |

--- Comment #4 from Christoph Anton Mitterer <calestyo at scientia.net> 2011-08-14 04:24:02 EST ---
Hi Daimen.

Well this is a very nice feature, but I think the unclear documentation
remains (and I asked several friends of mine how they'd interpret the
manpage and they've agreed).

It says "The default is ~/.ssh/identity for protocol version 1, and
~/.ssh/id_dsa, ~/.ssh/id_ecdsa and ~/.ssh/id_rsa for protocol version
2." as well as "It is possible to have multiple identity files
specified in configuration files; all these identities will be tried in
sequence."
So as I've mentioned in Comment 2 one should at least add something
like "These are taken as defaults, if after all block merging at no
block an IdentityFile was specified." (or a better wording of this).


Regarding your added feature could you - in addition - add something
like this:
Host a.foo.example
   bla

Host b.foo.example!
   bla

Host c.foo.example
   bla

Host *.foo.example !a.foo.example.
   bla

Now "a" wouldn't match the wildcard, as you've already implemented it.
"c" would match.
My idea of "b" (where the exclamation mark is at the end of the
hostname) is that when host matches that is postfixed by an "!"
matching stops here (after that block) for that name. So effectively,
*.foo.example wouldn't be applied for "b".
Now you can argue that this is similar to what you've done, but the
advantage is, that if you have many hostnames to be excluded (e.g. a.
to z. or even more) you don't have to re-write them all at the wildcard
block (which is quite error-prone).

You should however not remove your !-prefix syntax... IMHO both would
be quite reasonable.


Cheers,
Chris.

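The block merging discussed in this comment, as an added example that is not part of the original message or of OpenSSH's code: a simplified Python model of how Host lines with negated patterns select blocks, how IdentityFile entries accumulate across matching blocks, and when the defaults apply. The key paths and the User value are constructed, only `*` and `?` wildcards are modelled, and the proposed "!" suffix is not implemented.

```python
import re

# Defaults as quoted from the manpage in the comment (protocol version 2).
DEFAULT_IDENTITIES = ["~/.ssh/id_dsa", "~/.ssh/id_ecdsa", "~/.ssh/id_rsa"]

# Constructed sample config: host names from the comment, key paths made up.
SAMPLE = """\
Host a.foo.example
    IdentityFile ~/.ssh/key_a
Host c.foo.example
    IdentityFile ~/.ssh/key_c
Host *.foo.example !a.foo.example
    IdentityFile ~/.ssh/key_foo
    User shared
"""

def glob_match(pattern, host):
    """Match host against a pattern that may contain '*' and '?'."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, host) is not None

def host_line_matches(patterns, host):
    """True if a positive pattern matches and no negated pattern does."""
    positive = False
    for pat in patterns:
        if pat.startswith("!"):
            if glob_match(pat[1:], host):
                return False  # a negated match vetoes the whole Host line
        elif glob_match(pat, host):
            positive = True
    return positive  # a line with only negated patterns never matches

def resolve(config, host):
    """Return the effective options for host under this simplified model."""
    opts, identities, active = {}, [], True  # lines before any Host apply to all
    for raw in config.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key, args = words[0].lower(), words[1:]
        if key == "host":
            active = host_line_matches(args, host)
        elif active and key == "identityfile":
            identities.extend(args)  # every matching block adds its keys
        elif active:
            opts.setdefault(key, " ".join(args))  # first obtained value wins
    # Defaults are used only if no matching block named an IdentityFile.
    opts["identityfile"] = identities or list(DEFAULT_IDENTITIES)
    return opts
```

In this model "c" is offered both its own key and the wildcard block's key, in that order, while "a" gets only its own key and a host outside foo.example falls back to the defaults.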