Bug#743203: Address canonicalization is suboptimal
Package: openssh-client
Version: 1:6.6p1-1
Severity: minor
I'm trying hard to use address canonicalization in my favor.
6.6 adds re-parsing if hostname is changed as a result of it, but that doesn't
make canonicalization generally more useful as I hoped.
Assume the following ssh_config:
===============
Host *
    CanonicalizeHostname yes # enable canonicalization
Host hostname
    CanonicalDomains hostname.domain # make hostname fully qualified
Host *.domain # general settings for the domain name
    User exception
Host *
    User normal # fallback
===============
Since the first setting that matches wins, this is what happens:
- second rule matches, changes hostname
- fourth rule matches, sets fallback username
- reparsing
- first/second/third rule matches, username already set so setting is skipped
With this first-match-wins/reparsing logic, it's impossible to have a common
fallback block. Thus, to have exceptions, you must put them directly in the
first matching block (in this case, rule 2), thus defeating the purpose of
re-parsing.
I'm wondering why CanonicalDomains cannot *immediately* update the processed
hostname for Host/Match blocks, so that rule 3 would match on the *first* scan,
correctly setting the exception, without the need of a second pass.
Not to mention that [verified using ssh -v] /etc/ssh/ssh_config options are
applied before the rescan, meaning that global options (declared as Host *)
will always override user's exceptions (thus minor priority of this report as
opposed to wishlist).
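
The parsing order described in this report, modelled as an added example (not OpenSSH code and not part of the original report): the same four blocks are resolved once with the two-pass rescan and once with the immediate hostname update the reporter proposes. `CANONICAL` is an assumed stand-in for the DNS lookup, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

# The report's ssh_config as (Host pattern, [(option, value), ...]) blocks.
BLOCKS = [
    ("*", [("CanonicalizeHostname", "yes")]),
    ("hostname", [("CanonicalDomains", "hostname.domain")]),
    ("*.domain", [("User", "exception")]),
    ("*", [("User", "normal")]),
]

# Assumption: stands in for the DNS lookup; maps the short name to the
# canonical name the report expects.
CANONICAL = {"hostname": "hostname.domain"}


def scan(host, opts, eager=False):
    """One top-to-bottom pass; the first value seen for an option is kept."""
    for pattern, settings in BLOCKS:
        if not fnmatchcase(host, pattern):
            continue
        for key, value in settings:
            opts.setdefault(key, value)
            canon_on = opts.get("CanonicalizeHostname") == "yes"
            if eager and canon_on and key == "CanonicalDomains":
                # Proposed behaviour: later blocks see the canonical name.
                host = CANONICAL.get(host, host)
    return host


def resolve_two_pass(host):
    """Behaviour described in the report: canonicalize, then rescan."""
    opts = {}
    scan(host, opts)
    if opts.get("CanonicalizeHostname") == "yes" and "CanonicalDomains" in opts:
        canonical = CANONICAL.get(host, host)
        if canonical != host:
            scan(canonical, opts)  # options set in pass one are not overridden
            host = canonical
    return host, opts["User"]


def resolve_eager(host):
    """Reporter's proposal: CanonicalDomains updates the hostname mid-scan."""
    opts = {}
    host = scan(host, opts, eager=True)
    return host, opts["User"]
```

In this model `resolve_two_pass("hostname")` ends with the fallback user because `User normal` is recorded in the first pass, while `resolve_eager("hostname")` reaches the `*.domain` block before the fallback.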