Question about host certificates

Iain Morgan imorgan at nas.nasa.gov
Wed Jun 16 08:01:03 EST 2010


On Mon, Jun 14, 2010 at 23:28:57 -0500, Damien Miller wrote:
> On Mon, 14 Jun 2010, Iain Morgan wrote:
> 
> > > I'd like to do CIDR matching in ssh_config, but it is tricky and might turn
> > > out to be too confusing to be practical. On the other hand, your idea is
> > > simple and could work so here is a patch :)
> > 
> > I agree that CIDR support in the ssh_config would be _very_ nice, but I
> > recognize that implementing it in a reasonable way could, as you said,
> > be tricky. 
> > 
> > Thanks for the patch. I had written something similar, except that I
> > didn't take into account the effect on LocalCommand. I haven't tested
> > your patch yet, but it should do the trick.
> 
> Another idea: use the struct addrinfo->ai_canonname filled in by
> getaddrinfo with ai_hints = AI_CANONNAME as a potential match key.
> On Linux and OpenBSD at least, this will append the domain name when
> passed an unqualified name that is subsequently looked up by DNS.

I haven't tested it, but it looks like AI_CANONNAME should also work on
Solaris and AIX.

> 
> It will also follow PTR records though, so it would be vulnerable to
> DNS spoofing. I suppose one could add a heuristic that it is only used
> IFF the original hostname is unqualified AND matches the first component
> of the qualified hostname returned via AI_CANONNAME but that seems a
> little hacky...

Does it only follow PTR records if the first argument is an explicit IP
address? If so, we could test whether the supplied hostname is really an
IP address and skip setting AI_CANONNAME.

> 
> I wish there was some simple way to get feedback from the resolver as to
> which DNS suffix was actually used to resolve an unqualified name. Anyone?
> 
> -d

-- 
Iain Morgan
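The two ideas raised in the exchange above, as an added example that is not part of the original thread and not OpenSSH's own code: skip AI_CANONNAME when the supplied host is already an IP literal (so no PTR lookup is triggered for it), and otherwise accept the canonical name from getaddrinfo() as a match key only when the original name is unqualified and equals the first label of the canonical name. The function names (is_ip_literal, canonname_acceptable, resolve_canonical) and the sample names in the comments are assumptions for illustration; only the pure string checks can be exercised offline, the resolver call needs a working DNS.

```c
/* Added example, not from the openssh-unix-dev thread or the OpenSSH
 * source. Demonstrates the heuristic discussed in the thread for deciding
 * whether struct addrinfo->ai_canonname may be used as an ssh_config Host
 * match key, plus the "skip AI_CANONNAME for IP literals" check. */
#define _POSIX_C_SOURCE 200809L
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netdb.h>
#include <arpa/inet.h>

/* Return 1 if s parses as an IPv4 or IPv6 literal, 0 otherwise. */
int is_ip_literal(const char *s)
{
    unsigned char buf[sizeof(struct in6_addr)];
    return inet_pton(AF_INET, s, buf) == 1 || inet_pton(AF_INET6, s, buf) == 1;
}

/* Return 1 if the name carries no domain component (no '.'). */
int is_unqualified(const char *s)
{
    return strchr(s, '.') == NULL;
}

/* Heuristic from the thread: the canonical name is acceptable only if the
 * user-supplied name is unqualified and matches (case-insensitively) the
 * first label of the canonical name. A canonical name reached through a PTR
 * record for some other host, e.g. "host1" -> "attacker.example.net",
 * fails this check (sample names are constructed for illustration). */
int canonname_acceptable(const char *orig, const char *canon)
{
    size_t n, i;
    if (orig == NULL || canon == NULL || *orig == '\0' || *canon == '\0')
        return 0;
    if (!is_unqualified(orig))
        return 0;
    n = strcspn(canon, ".");          /* length of the first label */
    if (n == 0 || n != strlen(orig))
        return 0;
    for (i = 0; i < n; i++)
        if (tolower((unsigned char)orig[i]) != tolower((unsigned char)canon[i]))
            return 0;
    return 1;
}

/* Resolve host with AI_CANONNAME and copy the canonical name into out when
 * the heuristic accepts it. Returns 1 if out was filled, 0 otherwise.
 * Performs a real DNS lookup, so it is not exercised offline. */
int resolve_canonical(const char *host, char *out, size_t outlen)
{
    struct addrinfo hints, *res;
    int rc = 0;

    if (is_ip_literal(host))          /* no canonicalisation for IP literals */
        return 0;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = AF_UNSPEC;
    hints.ai_socktype = SOCK_STREAM;
    hints.ai_flags = AI_CANONNAME;
    if (getaddrinfo(host, NULL, &hints, &res) != 0)
        return 0;

    if (res->ai_canonname != NULL && canonname_acceptable(host, res->ai_canonname)) {
        snprintf(out, outlen, "%s", res->ai_canonname);
        rc = 1;
    }
    freeaddrinfo(res);
    return rc;
}

int main(int argc, char **argv)
{
    char canon[256];
    const char *host = argc > 1 ? argv[1] : "localhost";

    if (resolve_canonical(host, canon, sizeof(canon)))
        printf("%s -> %s (canonical name usable as Host match key)\n", host, canon);
    else
        printf("%s: canonical name not used\n", host);
    return 0;
}
```

Run it as `./a.out somehost` on a machine whose resolver appends a search domain; a qualified result such as `somehost.example.com` is accepted, while a result whose first label differs from what was typed is rejected and the caller falls back to matching on the literal name.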

