[Bug 2267] New: Host matching uses modified hostname as well as original
bugzilla-daemon at mindrot.org
Sat Aug 30 21:20:12 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2267
Bug ID: 2267
Summary: Host matching uses modified hostname as well as original
Product: Portable OpenSSH
Version: 6.6p1
Hardware: All
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: openssh at richard.birkett.com

Since some of the recent changes to hostname canonicalisation, use of
the HostName config option is now triggering a re-read of the
configuration, trying to find Host sections that match the *new*
hostname. Arguably this behaviour might be useful, but it's a
significant functional change.

There is also a documentation bug here: the description of Host says
that even canonicalisation will not change the behaviour of Host
matching, whereas the description of CanonicalizeHostname says that it
will! But even with canonicalisation on, only canonicalised hostnames
should be matched, not any explicit changes specified by HostName.

More worryingly, the problem seems to affect "Match OriginalHost",
which is also documented only ever to match the text that was given on
the command-line (maybe modified by canonicalisation, depending which
section of the manpage you read).

The double-scan also introduces uncertainty about the order in which
sections are matched, which can have serious functional consequences in
complex config files. Maybe all options should be thrown away before
the second scan, to avoid surprises. Or perhaps simply say that
"CanonicalizeHostname yes" only takes effect for config lines that come
after it in the file, rather than triggering a second scan at all.

The change that introduced the regression seems to be the one labelled
in the ChangeLog as "djm at cvs.openbsd.org 2014/02/23 20:11:36" (ssh.c
revision 1.400), first released in 6.6p1.

--
You are receiving this mail because:
You are watching the assignee of the bug.
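
The section-order concern in the report above, as a simplified model of a single scan versus the reported double scan. This is an added example, not part of the original message and not OpenSSH's code. It assumes only `Host` blocks, glob-style patterns, first-obtained-value-wins, and that options from the first scan are kept for the second; the config entries and host names are constructed.

```python
from fnmatch import fnmatchcase

# Constructed sample config (not from the bug report): (Host patterns, options).
SAMPLE_CONFIG = [
    (["db"], {"HostName": "db.corp.example.com", "User": "dbadmin"}),
    (["*.corp.example.com"],
     {"User": "deploy", "ForwardAgent": "yes", "Compression": "yes"}),
    (["*"], {"Compression": "no"}),
]

def scan(config, name, options):
    """One pass over the config; the first obtained value of an option wins."""
    matched = []
    for patterns, block in config:
        if any(fnmatchcase(name, p) for p in patterns):
            matched.append(patterns)
            for key, value in block.items():
                options.setdefault(key, value)
    return matched

def resolve(config, original, rescan_on_hostname):
    """Return (effective options, trace of (name matched against, patterns))."""
    options = {}
    trace = [(original, p) for p in scan(config, original, options)]
    new_name = options.get("HostName", original)
    if rescan_on_hostname and new_name != original:
        # Modelled report behaviour (assumption): a second scan against the
        # HostName value, with the options from the first scan still in place.
        trace += [(new_name, p) for p in scan(config, new_name, options)]
    return options, trace

def rescan_additions(config, original):
    """Options that are only in effect because of the second scan."""
    single, _ = resolve(config, original, False)
    double, _ = resolve(config, original, True)
    return {k: v for k, v in double.items() if single.get(k) != v}

if __name__ == "__main__":
    for name, rescan in (("db", False), ("db", True),
                         ("db.corp.example.com", True)):
        options, trace = resolve(SAMPLE_CONFIG, name, rescan)
        print(f"ssh {name} (rescan={rescan}): {options}")
        for matched_name, patterns in trace:
            print(f"    matched {patterns} against {matched_name!r}")
```

In this model `ssh db` picks up `ForwardAgent yes` only when the rescan happens, and it ends with `Compression no` while `ssh db.corp.example.com` ends with `Compression yes`, because `Host *` from the first scan is applied before the second scan reaches the `*.corp.example.com` block.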