Question about host certificates

Damien Miller djm at mindrot.org
Tue Jun 15 14:28:57 EST 2010


On Mon, 14 Jun 2010, Iain Morgan wrote:

> > I'd like to do CIDR matching in ssh_config, but it is tricky and might turn
> > out to be too confusing to be practical. On the other hand, your idea is
> > simple and could work so here is a patch :)
> 
> I agree that CIDR support in the ssh_config would be _very_ nice, but I
> recognize that implementing it in a reasonable way could, as you said,
> be tricky. 
> 
> Thanks for the patch. I had written something similar, except that I
> didn't take into account the effect on LocalCommand. I haven't tested
> your patch yet, but it should do the trick.

Another idea: use the struct addrinfo->ai_canonname filled in by
getaddrinfo with ai_hints = AI_CANONNAME as a potential match key.
On Linux and OpenBSD at least, this will append the domain name when
passed an unqualified name that is subsequently looked up by DNS.

It will also follow PTR records though, so it would be vulnerable to
DNS spoofing. I suppose one could add a heuristic that it is only used
IFF the original hostname is unqualified AND matches the first component
of the qualified hostname returned via AI_CANONNAME but that seems a
little hacky...

I wish there was some simple way to get feedback from the resolver as to
which DNS suffix was actually used to resolve an unqualified name. Anyone?

-d
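The heuristic sketched in the message above, as an added example that is not OpenSSH code and not Damien's: call getaddrinfo(3) with AI_CANONNAME, and accept ai_canonname as a match key only when the name the user typed is unqualified and equals the first label of the canonical name. The function names canon_name_usable() and lookup_canonical() are assumptions made for this example. Note that the check only filters the shape of the answer; if the resolver is fed a spoofed reply whose first label happens to match, the spoofed suffix is still accepted, which is the DNS-spoofing concern raised above.

```c
/* Added example (not from OpenSSH): the "unqualified name matches the
 * first label of ai_canonname" heuristic. Build: cc -o canon canon.c */
#define _POSIX_C_SOURCE 200112L
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>

/* Case-insensitive compare of the first n bytes of a against b; fails if b
 * is shorter than n. Hostnames are case-insensitive, so "FOO" == "foo". */
static int label_eq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        if (b[i] == '\0')
            return 0;
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i]))
            return 0;
    }
    return 1;
}

/* Returns 1 iff orig is unqualified (contains no '.') and canon is
 * "<orig>.<suffix>" with a non-empty suffix; 0 otherwise. */
int canon_name_usable(const char *orig, const char *canon)
{
    size_t n;

    if (orig == NULL || canon == NULL || *orig == '\0')
        return 0;
    if (strchr(orig, '.') != NULL)      /* user typed a qualified name */
        return 0;
    n = strlen(orig);
    if (!label_eq(orig, canon, n))
        return 0;
    /* the first label must end exactly where orig ends, then a suffix */
    return canon[n] == '.' && canon[n + 1] != '\0';
}

/* Resolve host with AI_CANONNAME and copy ai_canonname into buf when the
 * heuristic accepts it. Returns 1 if buf was filled, 0 otherwise. Needs a
 * working resolver, so the offline test only exercises canon_name_usable(). */
int lookup_canonical(const char *host, char *buf, size_t buflen)
{
    struct addrinfo hints, *res = NULL;
    int rc = 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;      /* ask for res->ai_canonname */
    if (getaddrinfo(host, NULL, &hints, &res) != 0 || res == NULL)
        return 0;
    if (res->ai_canonname != NULL &&
        canon_name_usable(host, res->ai_canonname)) {
        snprintf(buf, buflen, "%s", res->ai_canonname);
        rc = 1;
    }
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    char canon[256];
    const char *host = argc > 1 ? argv[1] : "localhost";

    if (lookup_canonical(host, canon, sizeof(canon)))
        printf("%s -> %s (usable as a Host match key)\n", host, canon);
    else
        printf("%s -> no usable canonical name\n", host);
    return 0;
}
```

Running it as `./canon myhost` on a machine whose resolver appends a search domain prints the qualified name only when that name starts with the label you typed; "foo" resolving to "foobar.example.com" or to a bare "foo" is rejected.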


More information about the openssh-unix-dev mailing list