[Bug 3544] New: Support CIDR notation for host pattern matching

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Mon Feb 27 14:33:21 AEDT 2023


https://bugzilla.mindrot.org/show_bug.cgi?id=3544

            Bug ID: 3544
           Summary: Support CIDR notation for host pattern matching
           Product: Portable OpenSSH
           Version: 9.1p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: Miscellaneous
          Assignee: unassigned-bugs at mindrot.org
          Reporter: bts at square-r00t.net

(I considered putting this in ssh-keygen, but it's not just for
known_hosts.)

It would be fantastic if CIDR notation/matching for IPv4 and IPv6
address prefixes could be supported in "Host" matchers for ssh_config
and for the host matching in (ssh_)known_hosts.

I bumped into this the other day and assumed that because the
AllowUsers and AllowGroups scoping allows for CIDR prefixes, that the
same would be true for known_hosts.

This would be immensely beneficial for deploying system-wide
known_hosts across my fleet, namely because GitHub git server addresses
all use the same hostkeys (for sufficient reason, I suppose) but
encompass *many* different addresses/networks[0].

While I can certainly glob the addresses, globbing/wildcarding is a
particularly clumsy and perhaps outdated method of matching and, in
this case, leads to multiple host matchers (since one can't effectively
glob a /22, for instance, without splitting it into 4x /24's) when one
could suffice.

Using CIDR prefixes has the additional benefit of potentially faster
match processing, since comparison could be done via
bitshifting/bitwise operations et al.


[0] https://api.github.com/meta (Refer to the "git" key.)
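To make the two points in the report concrete (a prefix match reduces to a bytewise mask comparison, and a /22 cannot be expressed as a single "a.b.c.*" glob), here is an added illustration in C. It is not code from the report or from OpenSSH; the function names `cidr_match` and `glob24_entries_for_prefix` are hypothetical, and the sample addresses are constructed from the RFC 5737 / RFC 3849 documentation ranges rather than any real fleet or GitHub range.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>

/* Parse "address/len" (or a bare address) into binary form, address family and
 * prefix length. Returns 1 on success, 0 on malformed input. (hypothetical helper) */
static int parse_cidr(const char *cidr, int *family, unsigned char *addr, int *plen)
{
    char buf[INET6_ADDRSTRLEN + 4];
    char *slash, *end;
    long len;
    int maxlen;

    if (strlen(cidr) >= sizeof(buf))
        return 0;
    strcpy(buf, cidr);
    slash = strchr(buf, '/');
    if (slash != NULL)
        *slash = '\0';

    if (inet_pton(AF_INET, buf, addr) == 1) {
        *family = AF_INET;
        maxlen = 32;
    } else if (inet_pton(AF_INET6, buf, addr) == 1) {
        *family = AF_INET6;
        maxlen = 128;
    } else {
        return 0;
    }

    if (slash == NULL) {           /* bare address: exact match only */
        *plen = maxlen;
        return 1;
    }
    len = strtol(slash + 1, &end, 10);
    if (slash[1] == '\0' || *end != '\0' || len < 0 || len > maxlen)
        return 0;                  /* reject "/", "/abc", "/33" for IPv4, "/129" for IPv6 */
    *plen = (int)len;
    return 1;
}

/* Return 1 if the literal address `host` lies within `cidr`, else 0.
 * The comparison is the bitwise test the report alludes to: whole prefix
 * bytes via memcmp, the partial byte under a high-bit mask. (hypothetical) */
int cidr_match(const char *cidr, const char *host)
{
    unsigned char net[16], ip[16];
    int nfam, hfam, plen, nbytes;

    if (!parse_cidr(cidr, &nfam, net, &plen))
        return 0;
    if (inet_pton(AF_INET, host, ip) == 1)
        hfam = AF_INET;
    else if (inet_pton(AF_INET6, host, ip) == 1)
        hfam = AF_INET6;
    else
        return 0;                  /* hostnames are not addresses; a CIDR matcher ignores them */
    if (hfam != nfam)
        return 0;                  /* never compare a v4 prefix against a v6 address */

    nbytes = plen / 8;
    if (memcmp(net, ip, (size_t)nbytes) != 0)
        return 0;
    if (plen % 8) {
        unsigned char mask = (unsigned char)(0xffU << (8 - plen % 8));
        if ((net[nbytes] & mask) != (ip[nbytes] & mask))
            return 0;
    }
    return 1;
}

/* Number of "a.b.c.*" glob entries needed to cover an IPv4 prefix of length
 * plen (<= 24): the "4x /24" arithmetic from the report. (hypothetical) */
int glob24_entries_for_prefix(int plen)
{
    if (plen < 0 || plen > 24)
        return -1;
    return 1 << (24 - plen);
}

int main(void)
{
    /* Constructed sample data: documentation ranges, not real hosts. */
    printf("192.0.3.77 in 192.0.2.0/22: %d\n", cidr_match("192.0.2.0/22", "192.0.3.77"));
    printf("192.0.4.1  in 192.0.2.0/22: %d\n", cidr_match("192.0.2.0/22", "192.0.4.1"));
    printf("2001:db8:1234::1 in 2001:db8::/32: %d\n", cidr_match("2001:db8::/32", "2001:db8:1234::1"));
    printf("globs needed for a /22: %d\n", glob24_entries_for_prefix(22));
    return 0;
}
```

The family check matters for a known_hosts use case: an IPv4-mapped or otherwise lookalike string must never satisfy a prefix written for the other family, or a host key would be accepted for an address the administrator never listed.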
