[PATCH] Allow matching HostName against Host entries
Ryan Kavanagh
rak at debian.org
Tue Apr 9 11:09:41 EST 2013
Hi Ben,
On Monday, April 8, 2013 at 13:13:38 -0500, Ben Lindstrom wrote:
> Isn't this failure to understand that the Host list is in first
> match order? So place what you wish to have highest priority first,
> and then the remaining wildcard matches towards the bottom.
Far from it, this patch helps users make use of the fact that the Host
list is in first match order. Very briefly put, what it lets you do is
have ssh also try to match the first HostName entry from a matching
Host stanza against any subsequent Host stanzas. Without this patch,
if you had a stanza like
Host myhost
HostName myhost.foo.bar
the command "ssh myhost" would not have ssh match against the stanza
Host *.foo.bar
Foo1 Bar1
You could argue that I could just set up the "search" option in
resolv.conf. But what if I have hosts outside of my local domain, or
my administrator doesn't give me edit rights to /etc/resolv.conf? You
could also argue that I could change this wildcard to
Host *.foo.bar myhost
Foo1 Bar1
but this quickly becomes unmanageable with complex config files, as my
example below shows.
> I've been doing this for ages without needing yet another option.
> Unless your description isn't fully explaining why we need this
> option.
Maybe my example wasn't clear. Imagine you have 510 boxes split across
two networks; 255 are in a student lab, and the remaining 255 are in a
professor lab. Let's make things dramatic and imagine you have
settings for each one of these machines, and settings for each lab,
and settings for both labs. You want to have an alias for each host,
for example, you want to be able to go "ssh slab1" to connect to
"lab1.student.lab" (for the sake of simplicity, I've just numbered
things and one could just use a "slab*" wildcard, but let's keep in
mind cases where this wouldn't work). Under the current ssh_config,
you'd have something that looked like:
#### BEGIN CURRENT SSH_CONFIG ####
VisualHostKey yes
Host slab1
User slab1
HostName lab1.student.lab
## Repeat for slab{2..254}
Host slab255
User slab255
Hostname lab255.student.lab
Host plab1
User plab1
HostName lab1.professor.lab
## plab{2..254}
Host plab255
User plab255
HostName lab255.professor.lab
# Insert whatever other hosts you know of
Host *.student.lab slab1 slab2 ... slab255
IdentityFile ~/.ssh/id_ecdsa.slab
UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab
Host *.professor.lab plab1 plab2 ... plab255
IdentityFile ~/.ssh/id_ecdsa.plab
UserKnownHostsFile ~/.ssh/known_hosts.d/professor.lab
Host *.lab slab1 slab2 ... slab255 plab1 plab2 ... plab255
VisualHostKey no
ForwardX11 yes
#### END CURRENT SSH_CONFIG ####
Note that the Host lines matching each lab will be 256 entries long,
and the one matching both labs will be 511 entries long. Now imagine
being able to match the corresponding HostName entry against a
wildcard. With my patch, your config would look like:
#### BEGIN PROPOSED SSH_CONFIG ####
MatchHostName yes
# ^^^^ This is the magic line
VisualHostKey yes
Host slab1
User slab1
HostName lab1.student.lab
## Repeat for slab{2..254}
Host slab255
User slab255
Hostname lab255.student.lab
Host plab1
User plab1
HostName lab1.professor.lab
## plab{2..254}
Host plab255
User plab255
HostName lab255.professor.lab
# Insert whatever other hosts you know of
Host *.student.lab
IdentityFile ~/.ssh/id_ecdsa.slab
UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab
Host *.professor.lab
IdentityFile ~/.ssh/id_ecdsa.plab
UserKnownHostsFile ~/.ssh/known_hosts.d/professor.lab
Host *.lab
VisualHostKey no
ForwardX11 yes
#### END PROPOSED SSH_CONFIG ####
In my opinion, this proposed ssh_config is considerably cleaner, and
easier to understand and manage. My own interest in this patch is
similar. I have a couple dozen hosts I connect to across three
domains. I'd like to be able to connect to each of these by using the
subdomain (set with HostName in a Host stanza matching the subdomain),
while still having the domain wildcard matched.
As for implementation, the "MatchHostName yes" doesn't need to be
enabled globally as in the example above. It can be used only for
certain aliases. Moreover, my patch only takes effect once there's
been a HostName entry in a matching Host stanza and MatchHostName has
been enabled.
I hope this helps, please let me know if you have any questions,
concerns, or comments.
Best wishes,
Ryan
--
|_)|_/ Ryan Kavanagh | Debian Developer
| \| \ http://ryanak.ca/ | GPG Key 4A11C97A
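To make the proposed matching semantics concrete, here is a small simulator written for this page; it is not part of Ryan's patch or of OpenSSH. It walks a constructed three-stanza config with stock first-match evaluation and then with the proposed MatchHostName keyword in effect, so you can see which stanzas "ssh slab1" picks up in each case; the keyword name and the exact behaviour are assumptions taken from the description in the mail, and negated ("!") patterns are not handled.

```python
import fnmatch

# Constructed ssh_config in the shape of the proposed example above (not the mail's own text).
CONFIG = """
MatchHostName yes
VisualHostKey yes
Host slab1
    User slab1
    HostName lab1.student.lab
Host *.student.lab
    IdentityFile ~/.ssh/id_ecdsa.slab
    UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab
Host *.lab
    VisualHostKey no
    ForwardX11 yes
"""
# Same config with the proposed keyword removed, i.e. stock ssh_config behaviour.
CONFIG_STOCK = CONFIG.replace("MatchHostName yes\n", "")

def parse(text):
    """Split ssh_config text into (host patterns, [(keyword, value)]) stanzas.
    Options before the first Host line go into a leading stanza matching '*'."""
    stanzas = [(["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, value = line.partition(" ")
        if keyword.lower() == "host":
            stanzas.append((value.split(), []))
        else:
            stanzas[-1][1].append((keyword.lower(), value.strip()))
    return stanzas

def resolve(stanzas, target):
    """Evaluate stanzas top to bottom for `target` with first-obtained-value-wins
    semantics. If MatchHostName is in effect and a HostName has already been
    obtained, later Host patterns are tried against that HostName as well
    (assumed behaviour of the proposed patch). Negated '!' patterns are ignored."""
    opts = {}
    for patterns, options in stanzas:
        candidates = [target]
        if opts.get("matchhostname") == "yes" and "hostname" in opts:
            candidates.append(opts["hostname"])
        if any(fnmatch.fnmatchcase(c, p) for p in patterns for c in candidates):
            for keyword, value in options:
                opts.setdefault(keyword, value)  # earlier stanzas keep priority
    return opts

if __name__ == "__main__":
    for label, cfg in (("stock", CONFIG_STOCK), ("MatchHostName", CONFIG)):
        print(label, resolve(parse(cfg), "slab1"))
```

Note that the global VisualHostKey yes still wins over the later "Host *.lab" stanza in both runs, since first-match order applies to the HostName-derived matches exactly as it does to the alias itself.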