case sensitive hostname matching

Petr Cerny pcerny at suse.cz
Sat Mar 4 07:15:42 AEDT 2017


Randall S. Becker wrote:
>> Given that hostnames are usually interpreted in a case insensitive
>> way (and the code actually expects the input to be lowercased
>> anyway) it might be good to perform the comparisons as such. We can
>> either make sure match_hostname() receives a lowercased string
>> indeed or perform the lowercasing there (carefully as not to
>> introduce side effects).
>>
>> One question is, whether *any* hostname matching should be case
>> insensitive or whether originalhost is better left alone (I can
>> think of reasons for case sensitive matching there, yet they seem
>> to be bordering on misuse of the code).
>>
>> I've also opened https://bugzilla.mindrot.org/show_bug.cgi?id=2685
>> (patch is attached there as well).
>
> While it might be theoretically a good idea, some security
> implementations have issues with multiple key pairs specified for a
> single delegate user (say 'git') on the same host. I'm not saying
> that this is the correct way to do it, but some ~/.ssh/config files
> differentiate the same user on the same host with different keys
> using Abc.domain vs. AbC.domain, allowing multiple key-pair
> identities. Moving to case-insensitive comparisons inside
> ~/.ssh/config would break this legacy behaviour for which there does
> not appear to be good work-arounds in some setups.

Interesting. I suppose this kind of setup uses the `Host` sections - if 
used as `Match originalhost` then the attached patch, which doesn't 
touch original host. Or, possibly a better way - make this an option.

Thanks
Kind regards
	Petr
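
The following is an added example, not part of the thread and not OpenSSH code: a small audit script that finds `Host` patterns in an ssh_config text that are distinct today but would become identical under case-insensitive matching, which is the breakage described in the quoted reply. The function names and the sample configuration (including key file names) are constructed for illustration; `Match` blocks are not inspected.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample config, modelled on the Abc.domain / AbC.domain
# setup described in the thread (key file names are made up).
SAMPLE_CONFIG = """\
# two identities for the same delegate user on one server
Host Abc.domain
    User git
    IdentityFile ~/.ssh/id_project_a

Host AbC.domain
    User git
    IdentityFile ~/.ssh/id_project_b

Host build.example *.lab.example
    User ci
"""

# ssh_config accepts "Host a b" and "Host=a b"; keywords are case-insensitive.
HOST_LINE = re.compile(r"host(?:\s*=\s*|\s+)(.*)", re.IGNORECASE)

def host_patterns(config_text):
    """Yield (line_number, pattern) for every pattern on a Host line."""
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = HOST_LINE.match(line)
        if m:
            for pattern in shlex.split(m.group(1)):
                yield lineno, pattern

def case_collisions(config_text):
    """Return {lowercased_pattern: [(line, pattern), ...]} for patterns that
    differ as written but are equal once case is ignored."""
    groups = defaultdict(list)
    for lineno, pattern in host_patterns(config_text):
        groups[pattern.lower()].append((lineno, pattern))
    return {folded: entries for folded, entries in groups.items()
            if len({p for _, p in entries}) > 1}

if __name__ == "__main__":
    for folded, entries in case_collisions(SAMPLE_CONFIG).items():
        print(f"{folded}: would collide -> {entries}")
```
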

