CanonicalizeHostname issues with multiple config blocks

Damien Miller djm at mindrot.org
Wed Nov 5 10:59:36 EST 2014


On Mon, 3 Nov 2014, Robin McCorkell wrote:

> When using the CanonicalizeHostname and CanonicalDomains directives, the
> options parsed before the hostname is canonicalized cannot be overridden by
> more specific blocks after canonicalization. For example:
> 
> CanonicalizeHostname yes
> CanonicalDomains foo.bar.com
> 
> Host *.foo.bar.com
> GSSAPIAuthentication yes
> 
> Host *
> GSSAPIAuthentication no
> 
> If connecting to 'srv.foo.bar.com', then GSSAPI authentication is enabled.
> But connecting to 'srv', even though it is canonicalized correctly to
> 'srv.foo.bar.com', does not enable GSSAPI authentication as the 'Host *'
> block is parsed before canonicalization and cannot be then overridden by
> the more specific block.

That's expected. With CanonicalizeHostname enabled, the config file is
parsed twice: once with the short name (and to pick up the
CanonicalizeHostname directive itself) and then again with the canonicalised
name.

OpenSSH 6.8 will offer more control here using some extensions to the
Match keyword: a new "canonical" criterion that causes it to match only
during the second pass:

CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Match canonical *.foo.bar.com
    GSSAPIAuthentication yes
Match canonical *
    GSSAPIAuthentication no

Sorry I didn't think of this sooner :/

-d

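The two-pass evaluation described in the reply, written up as an added Python model (example code, not OpenSSH's own): it applies ssh's first-obtained-value-wins rule once with the name as typed and, when canonicalisation applies, again with the canonical name, with `Match canonical` blocks eligible only on the second pass. It assumes the criterion is spelled `Match canonical host <pattern>`, the form OpenSSH 6.8 shipped, while also accepting the shorter spelling in the mail; DNS resolution is replaced by appending the first CanonicalDomains entry, and both config texts are constructed from the directives shown above.

```python
import fnmatch

# Constructed ssh_config texts: the Host form from the question and the Match form from the reply.
HOST_CFG = """\
CanonicalizeHostname yes
CanonicalDomains foo.bar.com
Host *.foo.bar.com
GSSAPIAuthentication yes
Host *
GSSAPIAuthentication no
"""
MATCH_CFG = """\
CanonicalizeHostname yes
CanonicalDomains foo.bar.com
Match canonical host *.foo.bar.com
GSSAPIAuthentication yes
Match canonical host *
GSSAPIAuthentication no
"""

def parse(text):
    # Returns [kind, host_pattern, {option: value}] blocks; kind is global, host or canonical.
    blocks = [["global", "*", {}]]
    for line in text.splitlines():
        key, _, val = line.strip().partition(" ")
        key, val = key.lower(), val.strip()
        if key == "host":
            blocks.append(["host", val, {}])
        elif key == "match":  # only "Match canonical [host] PATTERN" is modelled here
            blocks.append(["canonical", val.split()[-1], {}])
        else:
            blocks[-1][2].setdefault(key, val)  # first value seen for an option wins
    return blocks

def apply_pass(blocks, hostname, canonical_pass, opts):
    # One parse of the config; "Match canonical" blocks can only match on the second pass.
    for kind, pat, block_opts in blocks:
        if (kind != "canonical" or canonical_pass) and fnmatch.fnmatchcase(hostname, pat):
            for k, v in block_opts.items():
                opts.setdefault(k, v)

def resolve(text, hostname):
    # Pass one with the name as typed; pass two, if canonicalised, with the full name.
    blocks, opts = parse(text), {}
    apply_pass(blocks, hostname, False, opts)
    # Default CanonicalizeMaxDots is 1; DNS is simulated by appending the first CanonicalDomains entry.
    if opts.get("canonicalizehostname") == "yes" and hostname.count(".") <= 1:
        hostname += "." + opts["canonicaldomains"].split()[0]
        apply_pass(blocks, hostname, True, opts)
    return hostname, opts
```

The model also surfaces the edge case to keep in mind: a name that is not canonicalised (here `srv.foo.bar.com` typed in full) never reaches the second pass, so an option set only inside `Match canonical` blocks stays unset for it.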