[Bug 2267] New: Host matching uses modified hostname as well as original

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Aug 30 21:20:12 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2267

            Bug ID: 2267
           Summary: Host matching uses modified hostname as well as
                    original
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: openssh at richard.birkett.com

Since some of the recent changes to hostname canonicalisation, use of
the HostName config option is now triggering a re-read of the
configuration, trying to find Host sections that match the *new*
hostname.  Arguably this behaviour might be useful, but it's a
significant functional change.

There is also a documentation bug here: the description of Host says
that even canonicalisation will not change the behaviour of Host
matching, whereas the description of CanonicalizeHostname says that it
will!  But even with canonicalisation on, only canonicalised hostnames
should be matched, not any explicit changes specfied by HostName.

More worryingly, the problem seems to affect "Match OriginalHost",
which is also documented only ever to match the text that was given on
the command-line (maybe modified by canonicalisation, depending which
section of the manpage you read).

The double-scan also introduces uncertainty about the order in which
sections are matched, which can have serious functional consequences in
complex config files.  Maybe all options should be thrown away before
the second scan, to avoid surprises.  Or perhaps simply say that
"CanonicalizeHostname yes" only takes effect for config lines that come
after it in the file, rather than triggering a second scan at all.

The change that introduced the regression seems to be the one labelled
in the ChangeLog as "djm at cvs.openbsd.org 2014/02/23 20:11:36" (ssh.c
revision 1.400), first released in 6.6p1.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list