On Mon, 3 Nov 2014, Robin McCorkell wrote:

> When using the CanonicalizeHostname and CanonicalDomains directives, the
> options parsed before the hostname is canonicalized cannot be overridden by
> more specific blocks after canonicalization. For example:
>
> CanonicalizeHostname yes
> CanonicalDomains foo.bar.com
>
> Host *.foo.bar.com
>     GSSAPIAuthentication yes
>
> Host *
>     GSSAPIAuthentication no
>
> If connecting to 'srv.foo.bar.com', then GSSAPI authentication is enabled.
> But connecting to 'srv', even though it is canonicalized correctly to
> 'srv.foo.bar.com', does not enable GSSAPI authentication as the 'Host *'
> block is parsed before canonicalization and cannot be then overridden by
> the more specific block.

That's expected. With CanonicalizeHostname enabled, the config file is parsed
twice: once with the short name (and to pick up the CanonicalizeHostname
directive itself) and then again with the canonicalised name.

OpenSSH 6.8 will offer more control here using some extensions to the Match
keyword: a new "canonical" criterion that causes it to match only during the
second pass:

CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Match canonical *.foo.bar.com
    GSSAPIAuthentication yes

Match canonical *
    GSSAPIAuthentication no

Sorry I didn't think of this sooner :/

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
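The two-pass behaviour described in the reply, and why `Host *` wins over the more specific block while `Match canonical` does not, can be checked with a small model of the parse. The following is an added example, not OpenSSH code and not something from the thread: it models only the pieces needed here (global settings, `Host` blocks, `Match canonical`, and ssh_config's "first obtained value wins" rule), canonicalises a bare name by appending the first CanonicalDomain instead of doing DNS lookups, and ignores CanonicalizeMaxDots and every other criterion. The released ssh_config(5) syntax is `Match canonical host <pattern>`; the parser also accepts the shorter form quoted in the mail. Both configurations below are constructed from the ones in the thread.

```python
"""Simplified model of the two-pass ssh_config parse under CanonicalizeHostname.
Added illustration; not OpenSSH's own code."""
import fnmatch

# Constructed configs: the Host-based one from the report, and the Match-based
# one from the reply (written in the released "Match canonical host" form).
CONFIG_HOST_BLOCKS = """\
CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Host *.foo.bar.com
    GSSAPIAuthentication yes

Host *
    GSSAPIAuthentication no
"""

CONFIG_MATCH_CANONICAL = """\
CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Match canonical host *.foo.bar.com
    GSSAPIAuthentication yes

Match canonical host *
    GSSAPIAuthentication no
"""


def parse_config(text):
    """Split ssh_config text into blocks: (kind, patterns, [(key, value), ...]).
    kind is 'global', 'host' or 'canonical'. Only that subset is modelled."""
    blocks = [("global", ["*"], [])]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        rest = parts[1].strip() if len(parts) > 1 else ""
        if key == "host":
            blocks.append(("host", rest.split(), []))
        elif key == "match":
            words = rest.split()
            # Accept "Match canonical host PAT" (ssh_config(5)) and the shorter
            # "Match canonical PAT" quoted in the thread; nothing else is modelled.
            if not words or words[0].lower() != "canonical":
                raise ValueError("only 'Match canonical' is modelled: " + line)
            pats = [w for w in words[1:] if w.lower() != "host"] or ["*"]
            blocks.append(("canonical", pats, []))
        else:
            blocks[-1][2].append((key, rest))
    return blocks


def block_applies(kind, patterns, hostname, canonical_pass):
    """A 'canonical' block is skipped entirely on the first pass; Host blocks
    are matched against whatever name the current pass is using."""
    if kind == "global":
        return True
    if kind == "canonical" and not canonical_pass:
        return False
    return any(fnmatch.fnmatchcase(hostname, p) for p in patterns)


def apply_pass(blocks, hostname, canonical_pass, opts):
    """One parse pass. As in ssh_config(5), the first obtained value for an
    option wins, so a value set in the first pass is never overwritten."""
    for kind, patterns, settings in blocks:
        if block_applies(kind, patterns, hostname, canonical_pass):
            for key, value in settings:
                opts.setdefault(key, value)
    return opts


def canonicalize(hostname, domains):
    """Simplification: append the first CanonicalDomain to a bare name.
    Real ssh resolves candidates in DNS and honours CanonicalizeMaxDots."""
    if "." in hostname or not domains:
        return hostname
    return hostname + "." + domains[0]


def effective_config(text, hostname):
    """Return (hostname used for the connection, options) after both passes."""
    blocks = parse_config(text)
    opts = apply_pass(blocks, hostname, False, {})          # pass 1: short name
    if opts.get("canonicalizehostname", "no").lower() != "yes":
        return hostname, opts
    domains = opts.get("canonicaldomains", "").split()
    hostname = canonicalize(hostname, domains)
    apply_pass(blocks, hostname, True, opts)                # pass 2: canonical name
    return hostname, opts


if __name__ == "__main__":
    for label, cfg in (("Host blocks", CONFIG_HOST_BLOCKS),
                       ("Match canonical", CONFIG_MATCH_CANONICAL)):
        for target in ("srv", "srv.foo.bar.com", "other.example.net"):
            canon, opts = effective_config(cfg, target)
            print(f"{label:16} {target:18} -> {canon:18} "
                  f"GSSAPIAuthentication={opts.get('gssapiauthentication')}")
```

With the Host-based config, `srv` picks up `GSSAPIAuthentication no` from `Host *` on the first pass, and the second pass cannot replace it even though `Host *.foo.bar.com` now matches; with the Match-based config the canonical blocks contribute nothing on the first pass, so the second pass sets `yes`. On a real system the same check is `ssh -G srv | grep -i gssapiauthentication` (OpenSSH 6.8 and later), which prints the effective value after both passes.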