multiple Host entries in ssh_config
Darren Tucker
dtucker at zip.com.au
Wed Sep 28 15:50:34 EST 2005
Vincent McIntyre wrote:
> Hi list,
>
> I have looked over the documentation and done some experiments,
> and I'm now really confused about how this supposed to work so I'm
> appealing to you. If this is a faq perhaps I can write it up in a
> patch to the existing faq.
>
> I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the
> 4.x manpages but haven't tried that version of the software, the
> manpage looks no different.
>
> What I want to do is write an /etc/ssh/ssh_config that allows X11
> forwarding to _some_ hosts by default, and not others, viz:
> ssh baz X11 forwarded
> ssh baz.my.domain X11 forwarded
> ssh biff.notmydom.com not forwarded
> ie I want to trust hosts in my domain but not outside it.
>
> I tried various orderings of
> Host *
>     ForwardX11 yes
> Host *.my.domain
>     ForwardX11 yes
> Host *.*
>     ForwardX11 no
>
> but couldn't find anything that seemed to work as desired.
> In particular, it seems it is not possible to override X11 forwarding
> again once one of the entries has turned it on. Take the notmydomain.com
> case - it matches *, then matches *.*, but X11 forwarding is still
> allowed. I presume this is due to the first match?
>
> Is this the way it is supposed to work? If so, why?
Yes, the config keywords are first-match. Why? Dunno, but it's been
that way for a long time.
It does mean you can use a leading "Host *" block as a global override,
and a trailing "Host *" as a global default.
This ought to do what you want:
# match local domain
Host *.my.domain
    ForwardX11 yes
# match any other qualified domain
Host *.*
    ForwardX11 no
# match remaining (local) hosts
Host *
    ForwardX11 yes
--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
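The first-match rule described in the reply, as an added example that is not part of the post and not OpenSSH code: a small Python model of ssh_config Host-block matching that shows why the original ordering leaves ForwardX11 enabled for biff.notmydom.com and why the suggested ordering does not. It assumes ssh's `*`/`?` wildcards, case-insensitive hostname matching, `!`-negated patterns, and a default of ForwardX11 no when no block sets it; the two config texts are constructed copies of the ones in the thread.

```python
import re

# Constructed copy of the ordering the original poster tried.
POSTER_CONFIG = """
Host *
    ForwardX11 yes
Host *.my.domain
    ForwardX11 yes
Host *.*
    ForwardX11 no
"""

# Constructed copy of the ordering suggested in the reply.
REPLY_CONFIG = """
# match local domain
Host *.my.domain
    ForwardX11 yes
# match any other qualified domain
Host *.*
    ForwardX11 no
# match remaining (local) hosts
Host *
    ForwardX11 yes
"""


def parse_ssh_config(text):
    """Return a list of (host_patterns, {keyword: value}) blocks in file order.
    Keywords before the first Host line belong to an implicit "Host *" block;
    keywords are lower-cased because ssh_config keywords are case-insensitive."""
    blocks = []
    patterns, options = ["*"], {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[\s=]+", line, maxsplit=1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            if options:
                blocks.append((patterns, options))
            patterns, options = value.split(), {}
        else:
            options[keyword] = value
    if options:
        blocks.append((patterns, options))
    return blocks


def wildcard_to_regex(pattern):
    """Translate ssh-style '*' (any run of characters, dots included) and
    '?' (exactly one character) into a regex; everything else is literal."""
    return "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                   for c in pattern)


def block_matches(hostname, patterns):
    """A Host block applies if any positive pattern matches and no negated
    ('!') pattern matches; matching is case-insensitive (assumption: this
    mirrors ssh's match_hostname behaviour)."""
    host = hostname.lower()
    matched = False
    for pat in patterns:
        negated = pat.startswith("!")
        regex = wildcard_to_regex(pat.lstrip("!").lower())
        if re.fullmatch(regex, host):
            if negated:
                return False
            matched = True
    return matched


def effective_options(text, hostname):
    """First-match semantics: the first matching block that sets a keyword
    wins, and later matching blocks cannot override it."""
    result = {}
    for patterns, options in parse_ssh_config(text):
        if not block_matches(hostname, patterns):
            continue
        for keyword, value in options.items():
            result.setdefault(keyword, value)   # keep the first value seen
    return result


def forward_x11(text, hostname):
    """ForwardX11 as ssh would resolve it; 'no' is ssh's built-in default."""
    return effective_options(text, hostname).get("forwardx11", "no")


if __name__ == "__main__":
    for host in ("baz", "baz.my.domain", "biff.notmydom.com"):
        print(f"{host:20} poster: {forward_x11(POSTER_CONFIG, host):3}  "
              f"reply: {forward_x11(REPLY_CONFIG, host)}")
```

Running it shows the point of the reply: under the poster's ordering the leading `Host *` block claims ForwardX11 for every host, so `Host *.*` never gets a say; under the reply's ordering the specific blocks come first and the trailing `Host *` only supplies the default for unqualified local names.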