[Bug 3544] New: Support CIDR notation for host pattern matching
bugzilla-daemon at mindrot.org
Mon Feb 27 14:33:21 AEDT 2023
https://bugzilla.mindrot.org/show_bug.cgi?id=3544
Bug ID: 3544
Summary: Support CIDR notation for host pattern matching
Product: Portable OpenSSH
Version: 9.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-bugs at mindrot.org
Reporter: bts at square-r00t.net
(I considered putting this in ssh-keygen, but it's not just for
known_hosts.)
It would be fantastic if CIDR notation/matching for IPv4 and IPv6
address prefixes could be supported in "Host" matchers for ssh_config
and for the host matching in (ssh_)known_hosts.
I bumped into this the other day and assumed that, because the
AllowUsers and AllowGroups scoping allows for CIDR prefixes, the
same would be true for known_hosts.
This would be immensely beneficial for deploying system-wide
known_hosts across my fleet, namely because GitHub git server addresses
all use the same hostkeys (for sufficient reason, I suppose) but
encompass *many* different addresses/networks[0].
While I can certainly glob the addresses, globbing/wildcarding is a
particularly clumsy and perhaps outdated method of matching and, in
this case, leads to multiple host matchers (since one can't effectively
glob a /22, for instance, without splitting it into 4x /24's) when one
could suffice.
Using CIDR prefixes has the additional benefit of potentially faster
match processing, since comparison could be done via
bitshifting/bitwise operations et al.
[0] https://api.github.com/meta (Refer to the "git" key.)
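The matching the report asks for, as an added example that is neither OpenSSH code nor something the reporter posted: a small C matcher that tests an IPv4 or IPv6 address against an address/masklen prefix with a bitwise compare, beside a helper that expands an IPv4 prefix into the "a.b.c.*" globs a known_hosts line needs today (which is where the "/22 becomes four /24s" complaint comes from). The function names, the buffer layout and the 198.51.100.0/22 sample prefix are assumptions for this example; OpenSSH's own pattern code is not used.

```c
/* Added example (not OpenSSH code): CIDR matching for host patterns. */
#include <arpa/inet.h>
#include <ctype.h>
#include <netinet/in.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse "addr/len" (or a bare address) into raw bytes and a prefix length.
 * Returns 1 on success, 0 on malformed input or an out-of-range length. */
static int
parse_cidr(const char *cidr, unsigned char *net, size_t *nbytes, int *plen)
{
    char buf[INET6_ADDRSTRLEN + 4];
    char *slash, *end;
    long len = -1;          /* -1: no "/len", treat as an exact host */
    int af;

    if (strlen(cidr) >= sizeof(buf))
        return 0;
    strcpy(buf, cidr);
    if ((slash = strchr(buf, '/')) != NULL) {
        *slash = '\0';
        if (!isdigit((unsigned char)slash[1]))
            return 0;
        len = strtol(slash + 1, &end, 10);
        if (*end != '\0')
            return 0;
    }
    af = strchr(buf, ':') != NULL ? AF_INET6 : AF_INET;
    *nbytes = af == AF_INET6 ? 16 : 4;
    if (inet_pton(af, buf, net) != 1)
        return 0;
    if (len == -1)
        len = (long)(*nbytes * 8);
    if (len > (long)(*nbytes * 8))
        return 0;
    *plen = (int)len;
    return 1;
}

/* Return 1 if addr lies within cidr, 0 if not (including a different
 * address family or a non-address), -1 if cidr itself is malformed. */
int
cidr_match(const char *cidr, const char *addr)
{
    unsigned char net[16], host[16];
    size_t nbytes;
    int plen, i;

    if (!parse_cidr(cidr, net, &nbytes, &plen))
        return -1;
    if (inet_pton(nbytes == 16 ? AF_INET6 : AF_INET, addr, host) != 1)
        return 0;
    /* whole prefix bytes first, then the partial byte under a bit mask */
    for (i = 0; i < plen / 8; i++)
        if (net[i] != host[i])
            return 0;
    if (plen % 8 != 0) {
        unsigned char mask = (unsigned char)(0xff << (8 - plen % 8));
        if ((net[i] & mask) != (host[i] & mask))
            return 0;
    }
    return 1;
}

/* Write the comma-separated "a.b.c.*" globs that cover an IPv4 prefix of
 * length <= 24 into buf. Returns the glob count, or 0 if the prefix is
 * IPv6, longer than /24, malformed, or does not fit in buf. */
size_t
cidr_v4_to_globs(const char *cidr, char *buf, size_t buflen)
{
    unsigned char net[16];
    size_t nbytes, n, i, used = 0;
    uint32_t base, mask;
    int plen, w;

    if (!parse_cidr(cidr, net, &nbytes, &plen) || nbytes != 4 || plen > 24)
        return 0;
    mask = plen == 0 ? 0 : 0xffffffffu << (32 - plen);
    base = ((uint32_t)net[0] << 24 | (uint32_t)net[1] << 16 |
        (uint32_t)net[2] << 8) & mask;
    n = (size_t)1 << (24 - plen);   /* one glob per /24 inside the prefix */
    buf[0] = '\0';
    for (i = 0; i < n; i++) {
        uint32_t a = base + (uint32_t)(i << 8);
        w = snprintf(buf + used, buflen - used, "%s%u.%u.%u.*", i ? "," : "",
            (unsigned)(a >> 24), (unsigned)((a >> 16) & 0xff),
            (unsigned)((a >> 8) & 0xff));
        if (w < 0 || (size_t)w >= buflen - used)
            return 0;
        used += (size_t)w;
    }
    return n;
}

int
main(void)
{
    char globs[256];
    const char *prefix = "198.51.100.0/22";   /* constructed sample prefix */

    printf("%s in %s: %d\n", "198.51.103.9", prefix,
        cidr_match(prefix, "198.51.103.9"));
    printf("%s in %s: %d\n", "198.51.104.1", prefix,
        cidr_match(prefix, "198.51.104.1"));
    printf("%zu globs needed today: %s\n",
        cidr_v4_to_globs(prefix, globs, sizeof(globs)), globs);
    return 0;
}
```

Two caveats a practitioner would want: the matcher compares raw address bytes, so a v4-mapped IPv6 literal such as ::ffff:198.51.100.1 is treated as IPv6 and will not match an IPv4 prefix; and it does not reject prefixes with host bits set (198.51.101.0/22 is accepted and masked down to 198.51.100.0/22), which a stricter implementation might want to flag as a configuration error.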