[PATCH] Allow matching HostName against Host entries
Iain Morgan
imorgan at nas.nasa.gov
Wed Apr 10 05:00:43 EST 2013
On Mon, Apr 08, 2013 at 20:09:41 -0500, Ryan Kavanagh wrote:
> Hi Ben,
>
> On Monday, April 8, 2013 at 13:13:38 -0500, Ben Lindstrom wrote:
> > Isn't this failure to understand that the Host list is in first
> > match order? So place what you wish to have highest priority first,
> > and then the remaining wildcard matches towards the bottom.
>
> Far from it, this patch helps users make use of the fact that the Host
> list is in first match order. Very briefly put, what it lets you do is
> have ssh also try to match the first HostName entry from a matching
> Host stanza against any subsequent Host stanzas. Without this patch,
> if you had a stanza like
>
> Host myhost
> HostName myhost.foo.bar
>
> the command "ssh myhost" would not have ssh match against the stanza
>
> Host *.foo.bar
> Foo1 Bar1
>
> You could argue that I could just setup the "search" option in
> resolv.conf. But what if I have hosts outside of my local domain, or
> my administrator doesn't give me edit rights to /etc/resolv.conf? You
> could also argue that I could change this wildcard to
>
> Host *.foo.bar myhost
> Foo1 Bar1
>
> but this quickly becomes unmanageable with complex config files, as my
> example below shows.
>
> > I've been doing this for ages without needing yet another option.
> > Unless your description isn't fully explaining why we need this
> > option.
>
> Maybe my example wasn't clear. Imagine you have 510 boxes split across
> two networks; 255 are in a student lab, and the remaining 255 are in a
> professor lab. Let's make things dramatic and imagine you have
> settings for each one of these machines, and settings for each lab,
> and settings for both labs. You want to have an alias for each host,
> for example, you want to be able to go "ssh slab1" to connect to
> "lab1.student.lab" (for the sake of simplicity, I've just numbered
> things and one could just use a "slab*" wildcard, but let's keep in
> mind cases where this wouldn't work). Under the current ssh_config,
> you'd have something that looked like:
>
> #### BEGIN CURRENT SSH_CONFIG ####
> VisualHostKey yes
>
> Host slab1
> User slab1
> HostName lab1.student.lab
>
> ## Repeat for slab{2..254}
>
> Host slab255
> User slab255
> Hostname lab255.student.lab
>
> Host plab1
> User plab1
> HostName lab1.professor.lab
>
> ## plab{2..254}
>
> Host plab255
> User plab255
> HostName lab255.professor.lab
>
> # Insert whatever other hosts you know of
>
> Host *.student.lab slab1 slab2 ... slab255
> IdentityFile ~/.ssh/id_ecdsa.slab
> UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab
>
> Host *.professor.lab plab1 plab2 ... plab255
> IdentityFile ~/.ssh/id_ecdsa.plab
> UserKnownHostsFile ~/.ssh/known_hosts.d/professor.lab
>
> Host *.lab slab1 slab2 ... slab255 plab1 plab2 ... plab255
> VisualHostKey no
> ForwardX11 yes
> #### END CURRENT SSH_CONFIG ####
>
> Note that the Host lines matching each lab will be 256 entries long,
> and the one matching both labs will be 511 entries long. Now imagine
> being able to match the corresponding HostName entry against a
> wildcard. With my patch, your config would look like:
>
> #### BEGIN PROPOSED SSH_CONFIG ####
> MatchHostName yes
> # ^^^^ This is the magic line
> VisualHostKey yes
>
> Host slab1
> User slab1
> HostName lab1.student.lab
>
> ## Repeat for slab{2..254}
>
> Host slab255
> User slab255
> Hostname lab255.student.lab
>
> Host plab1
> User plab1
> HostName lab1.professor.lab
>
> ## plab{2..254}
>
> Host plab255
> User plab255
> HostName lab255.professor.lab
>
> # Insert whatever other hosts you know of
>
> Host *.student.lab
> IdentityFile ~/.ssh/id_ecdsa.slab
> UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab
>
> Host *.professor.lab
> IdentityFile ~/.ssh/id_ecdsa.plab
> UserKnownHostsFile ~/.ssh/known_hosts.d/professor.lab
>
> Host *.lab
> VisualHostKey no
> ForwardX11 yes
> #### END PROPOSED SSH_CONFIG ####
>
> In my opinion, this proposed ssh_config is considerably cleaner, and
> easier to understand and manage. My own interest in this patch is
> similar. I have a couple dozen hosts I connect to across three
> domains. I'd like to be able to connect to each of these by using the
> subdomain (set with HostName in a Host stanza matching the subdomain),
> while still having the domain wildcard matched.
>
> As for implementation, the "MatchHostName yes" doesn't need to be
> enabled globally as in the example above. It can be used only for
> certain aliases. Moreover, my patch only takes effect once there's
> been a HostName entry in a matching Host stanza and MatchHostName has
> been enabled.
>
> I hope this helps, please let me know if you have any questions,
> concerns, or comments.
>
As you imply above, this could be addressed by using a consistent scheme
for your aliases. Thus, the latter portions of your configuration could
use globbing:
Host *.student.lab slab*
...
Host *.professor.lab plab*
...
Host *.lab plab* slab*
...
Another approach which could address similar issues would be support for
subnet configuration, as requested in bz#1169[1].
--
Iain Morgan
[1] https://bugzilla.mindrot.org/show_bug.cgi?id=1169
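The following is an added example, not code from the thread or from OpenSSH: a small Python model of the ssh_config resolution the thread argues about. It parses a constructed config (one alias per lab instead of 255), applies OpenSSH's first-obtained-value-wins rule stanza by stanza, and treats the proposed `MatchHostName` option exactly as Ryan describes it (once enabled and once a `HostName` has been obtained, the `HostName` is also matched against later `Host` stanzas; it is not a real OpenSSH option). It resolves "slab1" three ways: the current config, the proposed config, and Iain's `slab*` globbing alternative. The model is simplified by assumption: options before the first `Host` are treated as a `Host *` stanza, pattern matching supports only `*`, `?` and a leading `!`, and `Match`, `CanonicalizeHostname` and the `Keyword=value` syntax are not modelled. One thing the example makes visible that the quoted configs do not: because the first value obtained wins, the global `VisualHostKey yes` shadows the `VisualHostKey no` under `Host *.lab` in every variant. On OpenSSH 6.8 and later, `ssh -G alias` prints the real effective configuration and is the check to run against a live config.

```python
import re

# Constructed ssh_config fragments modelled on the thread's examples
# (one alias per lab instead of 255; the patterns are what matter).
ALIASES = """\
Host slab1
User slab1
HostName lab1.student.lab

Host plab1
User plab1
HostName lab1.professor.lab
"""


def wildcard_stanzas(s="", p="", both=""):
    """Lab-wide stanzas; the arguments append Iain's 'slab*'/'plab*' globs."""
    return f"""\
Host *.student.lab{s}
IdentityFile ~/.ssh/id_ecdsa.slab
UserKnownHostsFile ~/.ssh/known_hosts.d/student.lab

Host *.professor.lab{p}
IdentityFile ~/.ssh/id_ecdsa.plab
UserKnownHostsFile ~/.ssh/known_hosts.d/professor.lab

Host *.lab{both}
VisualHostKey no
ForwardX11 yes
"""


CURRENT_CONFIG = "VisualHostKey yes\n\n" + ALIASES + "\n" + wildcard_stanzas()
# MatchHostName is the option proposed in the thread, not a real OpenSSH keyword.
PROPOSED_CONFIG = "MatchHostName yes\n" + CURRENT_CONFIG
GLOB_CONFIG = "VisualHostKey yes\n\n" + ALIASES + "\n" + wildcard_stanzas(
    " slab*", " plab*", " plab* slab*")


def _glob(pattern, name):
    """ssh-style pattern: '*' matches any run, '?' one character (assumed case-insensitive)."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, name, re.IGNORECASE) is not None


def host_matches(patterns, names):
    """Mimic ssh's pattern-list rule: any matching '!'-pattern vetoes, else any positive match wins."""
    got_positive = False
    for pat in patterns:
        negate = pat.startswith("!")
        hit = any(_glob(pat[1:] if negate else pat, n) for n in names)
        if hit and negate:
            return False
        got_positive = got_positive or hit
    return got_positive


def parse(text):
    """Return [(host_patterns, [(key, value), ...]), ...] in file order."""
    stanzas = [(["*"], [])]  # options before the first Host apply everywhere (assumption)
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key, value = parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")
        if key == "host":
            stanzas.append((value.split(), []))
        else:
            stanzas[-1][1].append((key, value))
    return stanzas


def resolve(text, host):
    """Effective settings for 'ssh host': first obtained value wins, stanza by stanza."""
    settings = {}
    for patterns, options in parse(text):
        names = [host]
        # The proposed behaviour: also match an already-obtained HostName.
        if settings.get("matchhostname", "no").lower() == "yes" and "hostname" in settings:
            names.append(settings["hostname"])
        if not host_matches(patterns, names):
            continue
        for key, value in options:
            settings.setdefault(key, value)  # later stanzas never override an obtained value
    return settings


if __name__ == "__main__":
    for label, cfg in (("current", CURRENT_CONFIG), ("proposed", PROPOSED_CONFIG), ("glob", GLOB_CONFIG)):
        eff = resolve(cfg, "slab1")
        print(f"{label:8s} slab1 -> IdentityFile={eff.get('identityfile')} "
              f"ForwardX11={eff.get('forwardx11')} VisualHostKey={eff['visualhostkey']}")
```

Running it shows the current config giving "slab1" no IdentityFile and no ForwardX11, while both the proposed MatchHostName config and the `slab*` glob config pick up the student-lab stanza. Note the negation case in the tests: once HostName is re-matched, a `!slab*` pattern on a lab-wide stanza vetoes the alias even though the resolved HostName matches, which is the kind of interaction a reviewer would want documented for such an option.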