Question about host certificates

Iain Morgan imorgan at nas.nasa.gov
Tue Jun 15 09:04:27 EST 2010


On Fri, Jun 11, 2010 at 06:57:08 -0500, Damien Miller wrote:
> On Fri, 4 Jun 2010, Iain Morgan wrote:
> 
> > Hi Damien,
> > 
> > If possible, I would prefer hostname or CIDR support. In either case, it
> > might be worthwhile to use addr_match_list() instead of match_hostname()
> > to handle the (admittedly rare) case where an explicit IP address is
> > used on the command-line.
> > 
> > Yet another approach occurred to me recently. It would not be a complete
> > solution but would have the virtue of being simple and could address
> > (for the most part) environments such as compute clusters: Generalize
> > the HostName directive. In particular, add support for a %h macro. That
> > would allow something like this in ~/.ssh/config:
> > 
> > Host foo bar baz quux
> > 	HostName	%h.example.com
> > 
> > In cases where the list of unqualified hostnames can easily be
> > enumerated or match a convenient pattern, this could be a solution.
> 
> I'd like to do CIDR matching in ssh_config, but it is tricky and might turn
> out to be too confusing to be practical. On the other hand, your idea is
> simple and could work so here is a patch :)
> 

I agree that CIDR support in the ssh_config would be _very_ nice, but I
recognize that implementing it in a reasonable way could, as you said,
be tricky. 

Thanks for the patch. I had written something similar, except that I
didn't take into account the effect on LocalCommand. I haven't tested
your patch yet, but it should do the trick.

-- 
Iain Morgan

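To make the proposal concrete, here is an added model (not OpenSSH's readconf.c or the patch under discussion) of the two behaviours the thread touches: a Host line that also accepts a CIDR pattern, as Iain wished for and Damien called tricky, and a HostName %h macro whose expanded value is then reused when LocalCommand's own %h is expanded, which is the "effect on LocalCommand" Iain mentions. The config text is constructed for this example; the expansion order (HostName first, then everything else against the expanded name) and first-value-wins semantics are assumptions about how such a patch would behave, not a description of the actual code.

```python
import fnmatch
import ipaddress

# Constructed ssh_config fragment in the shape proposed in the thread.
# The 10.0.0.0/8 block models the CIDR matching wished for above; it is
# not a claim that OpenSSH of that era accepted CIDR in Host lines.
SAMPLE_CONFIG = """
# cluster nodes are reachable by their short names
Host foo bar baz quux
    HostName %h.example.com
    LocalCommand echo connected to %h

Host 10.0.0.0/8
    User clusteradmin
"""


def percent_expand(template, host):
    """Expand %h to the host name and %% to a literal percent sign."""
    out, i = [], 0
    while i < len(template):
        if template[i] == "%" and i + 1 < len(template):
            nxt = template[i + 1]
            if nxt == "h":
                out.append(host)
                i += 2
                continue
            if nxt == "%":
                out.append("%")
                i += 2
                continue
        out.append(template[i])
        i += 1
    return "".join(out)


def pattern_matches(pattern, host):
    """One Host pattern: CIDR when it contains '/', glob otherwise."""
    if "/" in pattern:
        try:
            return ipaddress.ip_address(host) in ipaddress.ip_network(pattern, strict=False)
        except ValueError:
            # host is not an IP literal (or the pattern is not valid CIDR):
            # a name never matches an address range
            return False
    return fnmatch.fnmatchcase(host, pattern)


def host_block_applies(patterns, host):
    """A block applies if some pattern matches and no '!' pattern matches."""
    matched = False
    for pat in patterns:
        if pat.startswith("!"):
            if pattern_matches(pat[1:], host):
                return False
        elif pattern_matches(pat, host):
            matched = True
    return matched


def parse_config(text):
    """Return (patterns, {keyword: value}) blocks in file order."""
    blocks, current = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        keyword = parts[0].lower()
        value = parts[1].strip() if len(parts) > 1 else ""
        if keyword == "host":
            current = (value.split(), {})
            blocks.append(current)
        else:
            if current is None:  # options before any Host line apply everywhere
                current = (["*"], {})
                blocks.append(current)
            current[1].setdefault(keyword, value)
    return blocks


def resolve(config_text, host):
    """Effective options for `host` as typed on the ssh command line."""
    host = host.lower()
    options = {}
    for patterns, values in parse_config(config_text):
        if host_block_applies(patterns, host):
            for key, val in values.items():
                options.setdefault(key, val)  # first obtained value wins
    # Assumed order: HostName is expanded against the command-line name and
    # the result becomes the host used for every later %h (LocalCommand etc).
    hostname = percent_expand(options.get("hostname", host), host)
    options["hostname"] = hostname
    if "localcommand" in options:
        options["localcommand"] = percent_expand(options["localcommand"], hostname)
    return options


if __name__ == "__main__":
    for target in ("foo", "10.1.2.3", "other"):
        print(target, "->", resolve(SAMPLE_CONFIG, target))
```

Running it shows `foo` becoming `foo.example.com` with a LocalCommand that names the expanded host, `10.1.2.3` picking up the CIDR block's User while keeping its literal address as HostName, and an unlisted name passing through untouched. Note that an explicit IP literal on the command line only ever matches the CIDR form; a pattern such as `10.*` would also match it as a glob, which is one reason address matching and name matching are better kept as separate code paths, as the addr_match_list() suggestion implies.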