[Bug 2267] Host matching uses modified hostname as well as original
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Mon Sep 1 13:32:30 EST 2014
https://bugzilla.mindrot.org/show_bug.cgi?id=2267
--- Comment #3 from Damien Miller <djm at mindrot.org> ---
(In reply to Richard Birkett from comment #2)
> - ssh-keysign.c doesn't compile, as it's still calling
> read_config_file with the old function signature - adding an extra
> "" agument fixes the compilation, though I'm not certain whether
> that's actually correct!
serves me right for sending out a patch when I should have been asleep.
> - With canonicalisation enabled, "Match canonical" is giving a
> "Missing Match criteria for canonical" error during the second pass
> - the "continue" statement needs to apply to both branches of the
> "if (!post_canon)" test.
Thanks - I'll fix this in the next revision of the patch.
> Functionally, everything's much improved. With
> "CanonicalizeHostname no", the second scan is not happening, which
> is good. "Match host" and "Match originalhost" seem to do what
> they're supposed to do. There are a few oddities, though...
>
> - "Host" is still matching the value of a preceding HostName option
> - ie. it's behaving like "Match host", instead of "Match
> originalhost", which is what it did pre-6.6.
That's intentional and only triggered when canonicalisation is enabled.
I don't think it is unreasonable for the configuration parsing
behaviour to change when hostname canonicalisation is enabled.
> - With canonicalisation enabled, the second pass is triggered, but
> all the tests (Host, Match canonical host, Match canonical
> originalhost) now seem to match only the *uncanonicalised* hostname
> - so canonicalisation has actually stopped working altogether.
AFAIK only "match host" was incorrect here. Fixed in next patch.
> But I really like the "canonical" keyword on Match. In fact, this
> feels like a better solution all round than allowing one option
> (CanonicalizeHostname) to magically change the meaning of other
> options (Host and Match).
>
> A suggestion: can we deprecate the whole concept of "global"
> canonicalisation, and do it specifically when parsing "Match
> canonical [original]host"? That would also avoid the
> double-parsing, which I think can still have unintended
> consequences, even with the extra checks you've added.
>
> Unfortunately the problem is then deciding how to grandfather the
> 6.6-style behaviour into the more flexible framework. Could we
> perhaps make "CanonicalizeHostname yes" immediately abort parsing
> and start again, with a flag set to treat plain "Host" and "Match
> [original]host" as if they were "Match canonical [original]host"?
I considered that, but a) I don't want to add more flags
(canonicalisation added more than I wanted already) and b) I think it
would be even more difficult to reason about.
I also considered adding a "RereadConfiguration yes|no|if-canon" flag,
but I'd prefer to make something that doesn't need an extra flag and is
backwards compatible when canonicalisation is off (I don't mind
changing behaviour when it is enabled).
--
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.
More information about the openssh-bugs
mailing list