Bug#743434: openssh-client: wildcard host precedence and CanonicalizeHostname

To: Russ Allbery <rra@debian.org>
Cc: 743434@bugs.debian.org
Subject: Bug#743434: openssh-client: wildcard host precedence and CanonicalizeHostname
From: sergio <mailbox@sergio.spb.ru>
Date: Thu, 03 Apr 2014 03:29:41 +0400
Message-id: <[🔎] 533C9D65.8000204@sergio.spb.ru>
Reply-to: sergio <mailbox@sergio.spb.ru>, 743434@bugs.debian.org
In-reply-to: <[🔎] 87y4znwizx.fsf@windlord.stanford.edu>
References: <[🔎] 20140402164641.11821.39712.reportbug@transient.oktetlabs.ru> <[🔎] 87y4znwizx.fsf@windlord.stanford.edu>

On 04/03/2014 12:53 AM, Russ Allbery wrote:


> The rule, rather, is that the first match takes precedence.  You want to
> write this as ... and then it should work as you expect.

Sorry. The real buggy combination is:

/etc/ssh/ssh_config:
host *
  GSSAPIDelegateCredentials no


~/.ssh/config:
host *
  CanonicalizeHostname yes
  CanonicalDomains mydomain.com

host foo.mydomain.com
        GSSAPIKeyExchange yes
        GSSAPIAuthentication yes
        GSSAPIDelegateCredentials yes
        GSSAPIRenewalForcesRekey yes


% ssh foo klist
klist: No credentials cache found (ticket cache FILE:/tmp/krb5cc_UID)


If I comment out GSSAPIDelegateCredentials in /etc/ssh/ssh_config or do
ssh foo.mydomain.com I get forwarded credentials.

-- 
sergio.

Reply to:

Follow-Ups:
- Bug#743434: openssh-client: wildcard host precedence and CanonicalizeHostname
  - From: Russ Allbery <rra@debian.org>

References:
- Bug#743434: openssh-client: wildcard host precedence
  - From: mailbox@sergio.spb.ru
- Bug#743434: openssh-client: wildcard host precedence
  - From: Russ Allbery <rra@debian.org>

Prev by Date: Bug#743434: openssh-client: wildcard host precedence
Next by Date: Bug#743434: openssh-client: wildcard host precedence and CanonicalizeHostname
Previous by thread: Bug#743434: openssh-client: wildcard host precedence
Next by thread: Bug#743434: openssh-client: wildcard host precedence and CanonicalizeHostname
Index(es):
- Date
- Thread