Randall S. Becker wrote:
Given that hostnames are usually interpreted in a case insensitive
way (and the code actually expects the input to be lowercased
anyway) it might be good to perform the comparisons as such. We can
either make sure match_hostname() receives a lowercased string
indeed or perform the lowercasing there (carefully as not to
introduce side effects).
One question is, whether *any* hostname matching should be case
insensitive or whether originalhost is better left alone (I can
think of reasons for case sensitive matching there, yet they seem
to be bordering on misuse of the code).
I've also opened https://bugzilla.mindrot.org/show_bug.cgi?id=2685
(patch is attached there as well).
While it might be theoretically a good idea, some security
implementations have issues with multiple key pairs specified for a
single delegate user (say 'git') on the same host. I'm not saying
that this is the correct way to do it, but some ~/.ssh/config files
differentiate the same user on the same host with different keys
using Abc.domain vs. AbC.domain, allowing multiple key-pair
identities. Moving to case-insensitive comparisons inside
~/.ssh/config would break this legacy behaviour for which there does
not appear to be good work-arounds in some setups.
Interesting. I suppose this kind of setup uses the `Host` sections - if
used as `Match originalhost` then the attached patch, which doesn't
touch original host. Or, possibly better way - make this an option.
Thanks
Kind regards
Petr
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
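
An added example, not part of the thread or of OpenSSH: a Python script that lists `Host` patterns in an ssh_config that differ only by letter case, which are the entries whose behaviour would change if matching became case-insensitive. The sample config, key file names and function names are constructed for illustration; only `Host` lines are examined, not `Match` blocks.

```python
import re
from collections import defaultdict

# Constructed sample mirroring the legacy setup described in the thread:
# the same user on the same host, told apart only by hostname case.
SAMPLE_CONFIG = """\
Host Abc.domain
    User git
    IdentityFile ~/.ssh/id_first

Host AbC.domain
    User git
    IdentityFile ~/.ssh/id_second

Host build.example other.example
    User ci
"""

def host_patterns(config_text):
    """Yield (line_number, pattern) for every pattern on a Host line."""
    for lineno, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # Keyword and arguments are separated by whitespace or a single '='.
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m or m.group(1).lower() != "host":  # keywords are case-insensitive
            continue
        for pattern in m.group(2).split():
            yield lineno, pattern.strip('"')

def case_only_collisions(config_text):
    """Map lowercased pattern -> entries whose spellings differ only by case."""
    groups = defaultdict(list)
    for lineno, pattern in host_patterns(config_text):
        groups[pattern.lower()].append((lineno, pattern))
    return {
        folded: entries
        for folded, entries in groups.items()
        if len({p for _, p in entries}) > 1
    }

if __name__ == "__main__":
    for folded, entries in case_only_collisions(SAMPLE_CONFIG).items():
        spellings = ", ".join(f"{p} (line {n})" for n, p in entries)
        print(f"{folded}: {spellings}")
```

With case-insensitive matching, both sections flagged here would apply to the same connection, and since ssh_config uses the first value obtained for each parameter, the first `User` would win.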