Question about host certificates

Damien Miller djm at
Fri Jun 11 21:57:08 EST 2010

On Fri, 4 Jun 2010, Iain Morgan wrote:

> Hi Damien,
> If possible, I would prefer hostname or CIDR support. In either case, it
> might be worthwhile to use addr_match_list() instead of match_hostname()
> to handle the (admittedly rare) case where an explicit IP address is
> used on the command-line.
> Yet another approach occurred to me recently. It would not be a complete
> solution but would have the virtue of being simple and could address
> (for the most part) environments such as compute clusters: Generalize
> the HostName directive. In particular, add support for a %h macro. That
> would allow something like this in ~/.ssh/config:
> Host foo bar baz quux
> 	HostName
> In cases where the list of unqualified hostnames can easily be
> enumerated or match a convenient pattern, this could be a solution.

I'd like to do CIDR matching in ssh_config, but it is tricky and might turn
out to be too confusing to be practical. On the other hand, your idea is
simple and could work so here is a patch :)

Index: ssh.c
RCS file: /cvs/src/usr.bin/ssh/ssh.c,v
retrieving revision 1.338
diff -u -p -r1.338 ssh.c
--- ssh.c	16 May 2010 12:55:51 -0000	1.338
+++ ssh.c	11 Jun 2010 11:56:35 -0000
@@ -663,6 +663,11 @@ main(int ac, char **av)
 		options.port = sp ? ntohs(sp->s_port) : SSH_DEFAULT_PORT;
+	if (options.hostname != NULL) {
+		host = percent_expand(options.hostname,
+		    "h", host, (char *)NULL);
+	}
 	if (options.local_command != NULL) {
 		char thishost[NI_MAXHOST];
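
Review bot: The percent_expand() call on options.hostname registers only the "h" key, and it now runs for every configured HostName, so any other % sequence in an existing HostName value reaches the expander with no key to match it. It is worth deciding what should happen in that case and stating it in the ssh_config.5 text. A debug3() line showing the expanded name, like the two around the LocalCommand expansion further down, would also make it easier to see which name ssh actually logs into.
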
@@ -672,15 +677,11 @@ main(int ac, char **av)
 		debug3("expanding LocalCommand: %s", options.local_command);
 		cp = options.local_command;
 		options.local_command = percent_expand(cp, "d", pw->pw_dir,
-		    "h", options.hostname? options.hostname : host,
-                    "l", thishost, "n", host, "r", options.user, "p", buf,
-                    "u", pw->pw_name, (char *)NULL);
+		    "h", host, "l", thishost, "n", host, "r", options.user,
+		    "p", buf, "u", pw->pw_name, (char *)NULL);
 		debug3("expanded LocalCommand: %s", options.local_command);
-	if (options.hostname != NULL)
-		host = options.hostname;
 	/* force lowercase for hostkey matching */
 	if (options.host_key_alias != NULL) {
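
Review bot: In the new LocalCommand argument list, "h" and "n" are both passed host, and by this point host has already been overwritten with the expanded HostName by the block added in the previous hunk. Before the change "n" still received the name given on the command line, because host = options.hostname only ran after this block, so %n silently changes meaning and becomes identical to %h. Suggest saving the original argument in a separate variable before the expansion and passing that as "n".
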
Index: ssh_config.5
RCS file: /cvs/src/usr.bin/ssh/ssh_config.5,v
retrieving revision 1.133
diff -u -p -r1.133 ssh_config.5
--- ssh_config.5	16 Apr 2010 06:45:01 -0000	1.133
+++ ssh_config.5	11 Jun 2010 11:56:36 -0000
@@ -526,6 +526,10 @@ or for multiple servers running on a sin
 .It Cm HostName
 Specifies the real host name to log into.
 This can be used to specify nicknames or abbreviations for hosts.
+If the hostname contains the character sequence
+.Ql %h ,
+then this will be replaced with the host name specified on the commandline
+(this is useful for manipulating unqualified names).
 The default is the name given on the command line.
 Numeric IP addresses are also permitted (both on the command line and in
 .Cm HostName
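
Review bot: The added sentence spells it "commandline" while the unchanged lines right after it write "command line" twice; the wording should match. The text also does not say how a literal % or any sequence other than %h in HostName is treated, which a reader needs to know now that the value is expanded.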
