[Bug 2267] Host matching uses modified hostname as well as original

bugzilla-daemon at mindrot.org
Mon Sep 1 04:47:03 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2267

--- Comment #2 from Richard Birkett <openssh at richard.birkett.com> ---
That's great, thanks Damien.

A couple of compilation/typo errors:

- ssh-keysign.c doesn't compile, as it's still calling read_config_file
with the old function signature - adding an extra "" argument fixes the
compilation, though I'm not certain whether that's actually correct!

- With canonicalisation enabled, "Match canonical" is giving a "Missing
Match criteria for canonical" error during the second pass - the
"continue" statement needs to apply to both branches of the "if
(!post_canon)" test.

Functionally, everything's much improved.  With "CanonicalizeHostname
no", the second scan is not happening, which is good.  "Match host" and
"Match originalhost" seem to do what they're supposed to do.  There are
a few oddities, though...

- "Host" is still matching the value of a preceding HostName option -
i.e. it's behaving like "Match host", instead of "Match originalhost",
which is what it did pre-6.6.

- With canonicalisation enabled, the second pass is triggered, but all
the tests (Host, Match canonical host, Match canonical originalhost)
now seem to match only the *uncanonicalised* hostname - so
canonicalisation has actually stopped working altogether.

But I really like the "canonical" keyword on Match.  In fact, this
feels like a better solution all round than allowing one option
(CanonicalizeHostname) to magically change the meaning of other options
(Host and Match).

A suggestion: can we deprecate the whole concept of "global"
canonicalisation, and do it specifically when parsing "Match canonical
[original]host"?  That would also avoid the double-parsing, which I
think can still have unintended consequences, even with the extra
checks you've added.

Unfortunately the problem is then deciding how to grandfather the
6.6-style behaviour into the more flexible framework.  Could we perhaps
make "CanonicalizeHostname yes" immediately abort parsing and start
again, with a flag set to treat plain "Host" and "Match [original]host"
as if they were "Match canonical [original]host"?

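The behaviour the comment above is testing, as an added ssh_config example; this is not code from the bug report or from OpenSSH itself, and the hostnames, domain, user and key path are hypothetical:

```sshconfig
# Pass 1: the file is read with the name typed on the command line,
# e.g. "ssh db1".  A plain "Host" stanza matches that original name.
Host db1
    CanonicalizeHostname yes
    CanonicalDomains corp.example.com
    CanonicalizeMaxDots 0

# "originalhost" also matches the command-line name, on either pass.
Match originalhost db1
    User dba

# Pass 2 only: once db1 has been canonicalised to db1.corp.example.com,
# the file is re-read and "Match canonical" stanzas become eligible.
# "host" here is compared against the canonicalised target name.
Match canonical host db1.corp.example.com
    IdentityFile ~/.ssh/id_corp_dba

# Without "canonical", a host pattern on the FQDN would be evaluated on
# both passes; with "CanonicalizeHostname no" the second pass never runs,
# so any "Match canonical" stanza is simply never applied.
```

The distinction to check when writing such a file is which name each keyword is compared against: "Host" and "originalhost" see what the user typed, "host" sees the target after HostName substitution, and "canonical" gates a block to the re-parse that only happens when canonicalisation is enabled and succeeds. That is what allows the first pass to turn canonicalisation on for a short name and the second pass to attach user and key settings to the resolved FQDN without a separate global default.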