multiple Host entries in ssh_config

Vincent McIntyre Vince.McIntyre at atnf.CSIRO.AU
Wed Sep 28 12:02:28 EST 2005


Hi list,

I have looked over the documentation and done some experiments,
and I'm now really confused about how this is supposed to work, so I'm
appealing to you. If this is a FAQ, perhaps I can write it up in a
patch to the existing FAQ.

I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the
4.x manpages but haven't tried that version of the software, the
manpage looks no different.

What I want to do is write an /etc/ssh/ssh_config that allows X11
forwarding to _some_ hosts by default, and not others, viz:
  ssh baz                 X11 forwarded
  ssh baz.my.domain       X11 forwarded
  ssh biff.notmydom.com   not forwarded
i.e. I want to trust hosts in my domain but not outside it.

I tried various orderings of
  Host *
    ForwardX11 yes
  Host *.my.domain
    ForwardX11 yes
  Host *.*
    ForwardX11 no

but couldn't find anything that seemed to work as desired.
In particular, it seems it is not possible to override X11 forwarding
again once one of the entries has turned it on. Take the notmydomain.com
case - it matches *, then matches *.*, but X11 forwarding is still
allowed. I presume this is due to the first match?

Is this the way it is supposed to work? If so, why?

Kind regards
Vincent McIntyre                                vmcintyr at atnf.csiro.au
Australia Telescope National Facility, CSIRO     voice:+61-2-9372-4643
PO Box 76, Epping, NSW 1710, AUSTRALIA             fax:+61-2-9372-4442
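
Added example, not part of the original post: a small Python model of the rule documented in ssh_config(5), that for each parameter the first obtained value is used, with patterns matched against the host name as typed on the command line. It evaluates the three Host blocks from the post in the order shown there and in a most-specific-first order; the function names are hypothetical and only the '*' and '?' wildcards are modelled.

```python
import re

def host_matches(pattern, host):
    # ssh_config wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, host, re.IGNORECASE) is not None

def parse(config_text):
    # Returns [(patterns, {keyword: value})], one entry per Host block, in file order.
    blocks = []
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        if words[0].lower() == "host":
            blocks.append((words[1:], {}))
        elif blocks:
            # setdefault: a keyword repeated inside one block keeps its first value.
            blocks[-1][1].setdefault(words[0].lower(), " ".join(words[1:]))
    return blocks

def effective(config_text, host, keyword):
    # First obtained value wins; later matching blocks cannot override it.
    key = keyword.lower()
    for patterns, options in parse(config_text):
        if key in options and any(host_matches(p, host) for p in patterns):
            return options[key]
    return None

# Constructed from the post: the three blocks it lists.
CATCH_ALL = "Host *\n  ForwardX11 yes\n"
MY_DOMAIN = "Host *.my.domain\n  ForwardX11 yes\n"
ANY_FQDN = "Host *.*\n  ForwardX11 no\n"

AS_POSTED = CATCH_ALL + MY_DOMAIN + ANY_FQDN   # catch-all first: it always wins
REORDERED = MY_DOMAIN + ANY_FQDN + CATCH_ALL   # most specific first, catch-all last

HOSTS = ["baz", "baz.my.domain", "biff.notmydom.com"]

def table(config_text):
    # Effective ForwardX11 value for each host name from the post.
    return {h: effective(config_text, h, "ForwardX11") for h in HOSTS}

if __name__ == "__main__":
    print("as posted:", table(AS_POSTED))
    print("reordered:", table(REORDERED))
```

On a real client, `ssh -v host` reports which configuration options were applied, which is the way to confirm the model against the installed version.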





More information about the openssh-unix-dev mailing list