[PATCH] Allow matching HostName against Host entries
djm at mindrot.org
Sat Apr 13 10:06:50 EST 2013
On Fri, 12 Apr 2013, Ben Lindstrom wrote:
> Is there no way to pull this information from the resolv.conf file in
> a universal way? It really would suck having yet another location for
> DNS search paths to maintain an environment.
Pulling it from resolv.conf permits attacks from a rogue/hostile DHCP
server again. The main attack here is host substitution: if a user happens
to have multiple servers with the same hostname but different domain names
(e.g. "www.good.com" and "www.evil.com") then someone who can spoof the
suffix order could trick an ssh client that used it for canonicalisation
into making the user connect to the wrong host completely transparently.
It's an unlikely scenario for users on small networks, but in a large
organisation with multiple subdomains it could be a useful trick for
an attacker who wants to widen the set of hosts they have compromised.
> And out of interest what would your intent be for those names who
> still fail this qualification test?
They would fall back to regular resolution.
> ## Where minecraft "host" is really a fast alias to set username and other
> ## information to correctly log into generic.server.com without having to
> ## hand-specify them all the time.
> Host minecraft
> User minecraft
> Hostname generic.server.com
So you could do something like:
HostnameSuffixes foo.com ext.foo.com
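To make the canonicalisation step and the suffix-order concern concrete, here is a small added illustration; it is not the patch under discussion nor OpenSSH code. It models a HostnameSuffixes-style list as static client configuration, tries each suffix in order against a constructed stand-in for DNS, falls back to regular resolution when nothing matches (as described above), and then matches the resulting name against Host entries. The FAKE_DNS table, the config entries and the function names are all assumptions made for the example.

```python
# Added illustration of suffix-based hostname canonicalisation.
# Not the proposed patch and not OpenSSH code; all data below is constructed.
from fnmatch import fnmatch
from typing import Dict, List, Optional, Tuple

# Constructed stand-in for DNS: fully qualified name -> address.
FAKE_DNS: Dict[str, str] = {
    "www.good.com": "192.0.2.10",
    "www.evil.com": "192.0.2.66",
    "generic.server.com": "192.0.2.20",
}

# Constructed ssh_config-like entries: (Host pattern, options).
# Patterns use the same glob style as ssh_config Host lines.
CONFIG: List[Tuple[str, Dict[str, str]]] = [
    ("minecraft", {"User": "minecraft", "Hostname": "generic.server.com"}),
    ("*.good.com", {"User": "alice"}),
    ("*", {"User": "default"}),
]


def resolve(name: str, dns: Dict[str, str] = FAKE_DNS) -> Optional[str]:
    """Stand-in for a normal lookup of an already qualified name."""
    return dns.get(name.rstrip("."))


def canonicalise(host: str, suffixes: List[str],
                 dns: Dict[str, str] = FAKE_DNS) -> str:
    """Return the canonical name for `host` using a trusted suffix list.

    Names that already contain a dot are treated as qualified and returned
    unchanged. Otherwise each configured suffix is tried in order and the
    first candidate that resolves wins. If none resolves, the original name
    is returned so that regular resolution takes over (the fallback the
    thread describes for names that fail qualification).
    """
    if "." in host:
        return host
    for suffix in suffixes:
        candidate = f"{host}.{suffix}"
        if resolve(candidate, dns) is not None:
            return candidate
    return host


def match_host_entries(name: str,
                       config=CONFIG) -> Dict[str, str]:
    """Merge options from every Host entry whose pattern matches `name`.

    Like ssh_config, the first entry to set an option wins. Matching the
    canonical name (rather than only the name typed by the user) is what
    lets a "*.good.com" block apply after "www" has been qualified.
    """
    merged: Dict[str, str] = {}
    for pattern, options in config:
        if fnmatch(name, pattern):
            for key, value in options.items():
                merged.setdefault(key, value)
    return merged


def ordering_matters() -> bool:
    """Same short name, two suffix orders, two different target hosts.

    This is why the suffix list must be trusted client configuration:
    whoever controls its order controls which host "www" becomes.
    """
    trusted = canonicalise("www", ["good.com", "evil.com"])
    swapped = canonicalise("www", ["evil.com", "good.com"])
    return (trusted, swapped) == ("www.good.com", "www.evil.com")


if __name__ == "__main__":
    for short in ("www", "minecraft", "db"):
        full = canonicalise(short, ["good.com", "ext.good.com"])
        print(short, "->", full, match_host_entries(full))
    print("suffix order decides the target:", ordering_matters())
```

The `minecraft` alias goes through unchanged because no suffix produces a resolvable name, so its `Hostname generic.server.com` entry still applies exactly as in the quoted config; `www` is qualified to `www.good.com` and then picks up the `*.good.com` block as well.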