[Bug 2906] New: Need something like 'Match finalpass'

bugzilla-daemon at bugzilla.mindrot.org
Tue Sep 18 19:27:51 AEST 2018


https://bugzilla.mindrot.org/show_bug.cgi?id=2906

            Bug ID: 2906
           Summary: Need something like 'Match finalpass'
           Product: Portable OpenSSH
           Version: 7.7p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: zenczykowski at gmail.com

If canonicalization is on this should behave like 'Match canonical'.
If it isn't it should behave like 'Match all' or 'Host *'.

See https://bugzilla.redhat.com/show_bug.cgi?id=1630166 for extra
details, but:

Basically if system /etc/ssh/ssh_config has a:

  Host *
    Key foo

clause, then this trumps any ~/.ssh/config:

  Host blah.org
    Key bar

setting if user attempts to 'ssh blah' (where blah canonicalizes to
blah.org).

This is because of config file parse order: first ~/.ssh/config which
doesn't match on non-canonical hostname, then /etc/ssh/ssh_config which
matches on * and sets Key=foo.  Then on re-parse with canonical
hostname user's Host blah.org matches, but it's too late to set Key=bar
because it's already been set.

(perhaps related, but perhaps there should also be some sort of special
handling for 'Key +bar' or 'Key -bar' to treat it as append/remove
instead of override, but that would be far more difficult to implement)

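The parse order described in the report above, as a simplified model added here as an example; it is not OpenSSH's code and not part of the original report. `apply_pass`, `resolve` and the `finalpass` block kind are hypothetical names, `Key`, `foo` and `bar` are the report's own placeholders, and the model covers only first-value-wins plus the re-parse, extended to show the behaviour the report asks for.

```python
from fnmatch import fnmatch

# Constructed configs mirroring the report. Each block is
# (kind, pattern, {option: value}); kind is "host" or the hypothetical "finalpass".
USER_CFG = [("host", "blah.org", {"Key": "bar"})]           # ~/.ssh/config
SYSTEM_CFG = [("host", "*", {"Key": "foo"})]                # /etc/ssh/ssh_config
SYSTEM_CFG_PROPOSED = [("finalpass", None, {"Key": "foo"})]  # requested feature


def apply_pass(options, files, hostname, final):
    """One parse pass: files in order, first value obtained for an option wins."""
    for blocks in files:
        for kind, pattern, settings in blocks:
            if kind == "host":
                matched = fnmatch(hostname, pattern)
            else:
                # Hypothetical "finalpass": matches every host, last pass only.
                matched = final
            if matched:
                for name, value in settings.items():
                    # An option that already has a value is never overridden.
                    options.setdefault(name, value)
    return options


def resolve(typed, canonical, user_cfg, system_cfg):
    """Resolve options for the name typed on the command line.

    canonical=None models canonicalization being off (single pass).
    Otherwise the files are re-parsed with the canonical name into the
    same options, so values from the first pass persist.
    """
    files = [user_cfg, system_cfg]  # user file is read before the system file
    options = apply_pass({}, files, typed, final=canonical is None)
    if canonical is not None:
        apply_pass(options, files, canonical, final=True)
    return options


if __name__ == "__main__":
    # 'ssh blah': the system 'Host *' sets Key on pass 1, so bar arrives too late.
    print(resolve("blah", "blah.org", USER_CFG, SYSTEM_CFG))
    # Same lookup with the system default deferred to the final pass.
    print(resolve("blah", "blah.org", USER_CFG, SYSTEM_CFG_PROPOSED))
```

With canonicalization off, the `finalpass` block in this model applies on the only pass, which is the 'Match all' behaviour the report describes.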