Re: CanonicalizeHostname issues with multiple config blocks

On Mon, 3 Nov 2014, Robin McCorkell wrote:

> When using the CanonicalizeHostname and CanonicalDomains directives, the
> options parsed before the hostname is canonicalized cannot be overridden by
> more specific blocks after canonicalization. For example:
> 
> CanonicalizeHostname yes
> CanonicalDomains foo.bar.com
> 
> Host *.foo.bar.com
> GSSAPIAuthentication yes
> 
> Host *
> GSSAPIAuthentication no
> 
> If connecting to 'srv.foo.bar.com', then GSSAPI authentication is enabled.
> But connecting to 'srv', even though it is canonicalized correctly to
> 'srv.foo.bar.com', does not enable GSSAPI authentication as the 'Host *'
> block is parsed before canonicalization and cannot be then overridden by
> the more specific block.

That's expected. With CanonicalizeHostname enabled, the config file is
parsed twice: once with the short name (and to pick up the
CanonicalizeHostname directive itself) and then again with the canonicalised
name.

OpenSSH 6.8 will offer more control here using some extensions to the
Match keyword: a new "canonical" criterion that causes it to match only
during the second pass:

CanonicalizeHostname yes
CanonicalDomains foo.bar.com

Match canonical host *.foo.bar.com
    GSSAPIAuthentication yes
Match canonical all
    GSSAPIAuthentication no

Sorry I didn't think of this sooner :/

-d

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
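
The two-pass, first-value-wins behaviour described in the reply above, as an added example (a simplified Python model, not OpenSSH code and not part of the original message). It assumes the DNS lookup succeeds in the first CanonicalDomains entry and the default CanonicalizeMaxDots of 1, and it writes the Match lines with the `host` and `all` criteria that ssh_config(5) expects after `canonical`; `parse`, `applies` and `resolve` are hypothetical names.

```python
from fnmatch import fnmatchcase

# Constructed sample configs: the one from the quoted report, then the Match form.
HEAD = "CanonicalizeHostname yes\nCanonicalDomains foo.bar.com\n"
ORIGINAL = HEAD + """Host *.foo.bar.com
    GSSAPIAuthentication yes
Host *
    GSSAPIAuthentication no
"""
FIXED = HEAD + """Match canonical host *.foo.bar.com
    GSSAPIAuthentication yes
Match canonical all
    GSSAPIAuthentication no
"""

def parse(text):
    """Split config text into [(selector, {option: value})]; block 0 holds globals."""
    blocks = [(["match", "all"], {})]
    for words in filter(None, map(str.split, text.splitlines())):
        if words[0].lower() in ("host", "match"):
            blocks.append(([w.lower() for w in words], {}))
        else:
            blocks[-1][1].setdefault(words[0].lower(), " ".join(words[1:]))
    return blocks

def applies(sel, host, second_pass):
    kind, args = sel[0], sel[1:]
    if kind == "host":
        return any(fnmatchcase(host, p) for p in args)
    if args and args[0] == "canonical":   # Match canonical: second pass only
        if not second_pass:
            return False
        args = args[1:]
    return args in ([], ["all"]) or (args[0] == "host" and fnmatchcase(host, args[1]))

def resolve(text, typed):
    """Return (final host, options), keeping the first value seen per option."""
    blocks, opts, host = parse(text), {}, typed.lower()
    for second_pass in (False, True):
        if second_pass and opts.get("canonicalizehostname") != "yes":
            break
        if second_pass and host.count(".") <= 1:  # assumed: found in the first domain
            host += "." + opts["canonicaldomains"].split()[0]
        for sel, settings in blocks:
            if applies(sel, host, second_pass):
                opts.update({k: v for k, v in settings.items() if k not in opts})
    return host, opts
```

On a real client, `ssh -G <host>` prints the options ssh actually resolves for a given name and is the check to run against a live configuration.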



