[PATCH] Allow matching HostName against Host entries

Damien Miller djm at mindrot.org
Sat Apr 13 10:06:50 EST 2013

On Fri, 12 Apr 2013, Ben Lindstrom wrote:

> Is there no way to pull this information from the resolv.conf file in
> an universal way? It really would suck having yet another location for
> DNS search paths to maintain an environment.

Pulling it from resolv.conf permits attacks from a rogue/hostile DHCP
server again. The main attack here is host subsitution, if a user happens
to have multiple servers with the same hostname but different domains names
(e.g. "www.good.com" and "www.evil.com") then someone who can spoof the 
suffix order could trick a ssh client that used it for canonicalisation
to make a user connect to the wrong host completely transparently.

It's an unlikely scenario for users on small networks, but in a large
organisation with multiple subdomains it could be a useful trick for
an attacker who wants to widen the set of hosts they have compromised.

> And out of interest what would your intent be for those names who
> still fail this qualification test?

They would fall back to regular resolution.

> ## Where minecraft "host" is really a fast alias to set username, an other
> ## information to correctly log into generic.server.com without having to
> ## hand specific them all the time.
> Host minecraft   
> 	User minecraft
> 	Hostname generic.server.com 

So you could do something like:

Host minecraft
	User minecraft
	Hostname generic.server.com

HostnameSuffixes foo.com ext.foo.com


More information about the openssh-unix-dev mailing list