bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-18 09:27 UTC
[Bug 2906] New: Need something like 'Match finalpass'
https://bugzilla.mindrot.org/show_bug.cgi?id=2906

Bug ID: 2906
Summary: Need something like 'Match finalpass'
Product: Portable OpenSSH
Version: 7.7p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: ssh
Assignee: unassigned-bugs at mindrot.org
Reporter: zenczykowski at gmail.com

If canonicalization is on this should behave like 'Match canonical'. If it isn't it should behave like 'Match all' or 'Host *'.

See https://bugzilla.redhat.com/show_bug.cgi?id=1630166 for extra details, but: basically if the system /etc/ssh/ssh_config has a:

    Host *
        Key foo

clause, then this trumps any ~/.ssh/config:

    Host blah.org
        Key bar

setting if the user attempts to 'ssh blah' (where blah canonicalizes to blah.org).

This is because of config file parse order: first ~/.ssh/config, which doesn't match on the non-canonical hostname, then /etc/ssh/ssh_config, which matches on * and sets Key=foo. Then on re-parse with the canonical hostname the user's Host blah.org matches, but it's too late to set Key=bar because it's already been set.

(perhaps related, but perhaps there should also be some sort of special handling for 'Key +bar' or 'Key -bar' to treat it as append/remove instead of override, but that would be far more difficult to implement)

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-18 09:29 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #1 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
(and yeah, I realize that there's a problem if canonicalization gets turned on *after* the match has already been analyzed - oh well, don't do that)
bugzilla-daemon at bugzilla.mindrot.org
2018-Sep-21 04:17 UTC
[Bug 2906] Need something like 'Match finalpass'
Damien Miller <djm at mindrot.org> changed:

    What     | Removed                       | Added
    CC       |                               | djm at mindrot.org
    Assignee | unassigned-bugs at mindrot.org | djm at mindrot.org
    Status   | NEW                           | ASSIGNED

--- Comment #2 from Damien Miller <djm at mindrot.org> ---
Created attachment 3179
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3179&action=edit
Match final

Here's an implementation of a "Match final" criterion. If parsing encounters a "Match final" during the initial parse then re-parsing of the configuration files will be forced, regardless of whether CanonicalizeHostname is enabled.
bugzilla-daemon at bugzilla.mindrot.org
2018-Oct-20 21:59 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #3 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
What are the next steps here?
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-09 03:52 UTC
[Bug 2906] Need something like 'Match finalpass'
Damien Miller <djm at mindrot.org> changed:

    What   | Removed | Added
    Blocks |         | 2915

Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=2915
[Bug 2915] Tracking bug for 8.0 release
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-23 05:09 UTC
[Bug 2906] Need something like 'Match finalpass'
Damien Miller <djm at mindrot.org> changed:

    What       | Removed  | Added
    Status     | ASSIGNED | RESOLVED
    Resolution | ---      | FIXED

--- Comment #4 from Damien Miller <djm at mindrot.org> ---
This has been committed and, barring catastrophe, will be in OpenSSH 8.0.

commit 9e34e0c59ab04514f9de9934a772283f7f372afe (HEAD -> master, origin/master, origin/HEAD)
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Nov 23 05:08:07 2018 +0000

    upstream: add a ssh_config "Match final" predicate

    Matches in same pass as "Match canonical" but doesn't require
    hostname canonicalisation be enabled.

    bz#2906 ok markus

    OpenBSD-Commit-ID: fba1dfe9f6e0cabcd0e2b3be13f7a434199beffa
bugzilla-daemon at bugzilla.mindrot.org
2018-Nov-23 06:46 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #5 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
Thank you!
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-14 14:02 UTC
[Bug 2906] Need something like 'Match finalpass'
Jakub Jelen <jjelen at redhat.com> changed:

    What   | Removed  | Added
    CC     |          | jjelen at redhat.com
    Status | RESOLVED | CLOSED

--- Comment #6 from Jakub Jelen <jjelen at redhat.com> ---
FYI, there is a twist with this option if we use it in combination with Host blocks that worked before. They do not follow these flags and are matched also in the second pass, which can cause unexpected results.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-14 14:26 UTC
[Bug 2906] Need something like 'Match finalpass'
Jakub Jelen <jjelen at redhat.com> changed:

    What   | Removed | Added
    Status | CLOSED  | RESOLVED
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-14 16:25 UTC
[Bug 2906] Need something like 'Match finalpass'
Jakub Jelen <jjelen at redhat.com> changed:

    What       | Removed  | Added
    Resolution | FIXED    | ---
    Status     | RESOLVED | REOPENED

--- Comment #7 from Jakub Jelen <jjelen at redhat.com> ---
My bad. The Match blocks are still matched even during the final pass, which is not expected from the description in the manual page. The second pass should not match unless there is the final keyword.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-18 04:48 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #8 from Damien Miller <djm at mindrot.org> ---
AFAIK that's working as intended. All match and host blocks will match in the final pass unless told not to (Match !finalpass). This is the same behaviour as "Match canonical" has had since it was introduced.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-19 10:23 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #9 from Jakub Jelen <jjelen at redhat.com> ---
Well, that probably makes sense, but with configurations like the following (for simplicity rewritten from Host blocks):

    Match host ext
        Hostname bastion.ext.example.com

    Match host *.ext.example.com
        ProxyCommand ssh -q ext -W %h:%p

    Match final
        ...

Connecting to host x.ext.example.com causes an infinite recursion of spawning ssh processes, while it works fine without the last match block.

I am wondering if the "match final" should not behave less like the canonical, so in the second pass the host would be matched really against the host that was used on the command line (like originalhost) to avoid breaking existing configurations.
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-19 10:40 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #10 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
Is this perhaps not just a bug that ProxyCommand can apparently somehow trigger more than once?
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-19 10:43 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #11 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
Hmm, or perhaps:

    Match host ext
        Hostname bastion.ext.example.com

should actually be:

    Match host ext
        Hostname bastion.ext.example.com
        ProxyCommand none
bugzilla-daemon at bugzilla.mindrot.org
2019-Feb-19 10:49 UTC
[Bug 2906] Need something like 'Match finalpass'
--- Comment #12 from Maciej Żenczykowski <zenczykowski at gmail.com> ---
btw. are you sure your example is correct? Perhaps you meant to have:

    Match host *.ext.example.com
        ProxyCommand ssh -q ext -W %h:%p

    Match host ext
        Hostname bastion.ext.example.com

    Match final
        ...

(ie. opposite order)

Because - while I haven't tested it - by my naive interpretation of the matching rules your example should have also resulted in infinite ssh's.

For your example:

    x.ext.example.com triggers the proxycommand, so we ssh to ext
    ext gets converted to bastion.ext.example.com which then triggers the proxycommand (due to ordering)

Match final should not be needed.

With the ordering I gave above, I think Match final does introduce the problem, but then I think adding ProxyCommand none to the host ext block still solves it... ???
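The two-pass evaluation discussed in the bug report and in Comments #6 to #12, as a simplified Python model added here (it is not OpenSSH code): "Match final" forces a second pass and only matches in it, every other block is evaluated again in that pass against the hostname left after pass one, and a value obtained in the first pass is never overridden. That is the first-obtained-value rule behind the report's "too late to set Key=bar", and it is why the trailing "Match final" in Comment #9 lets the inner "ssh -q ext" pick up the ProxyCommand and why Comment #11's "ProxyCommand none" stops it. The block layout and the use of fnmatch in place of OpenSSH's own pattern matcher are assumptions of this model.

```python
from fnmatch import fnmatchcase

# Simplified model of how ssh(1) evaluates ssh_config in two passes (added
# example, not OpenSSH code).  Each block is (criteria, settings); a criterion
# is ("host", pattern), "final", "!final" or "all".  A plain "Host pattern"
# block is written as [("host", pattern)], as Comment #9 did.  Glob matching
# uses fnmatch as a stand-in for OpenSSH's pattern matcher (assumption).

def evaluate(blocks, cmdline_host):
    """Return the options ssh would end up with for `cmdline_host`."""
    opts = {}            # first obtained value wins, across both passes
    want_final = False

    def run_pass(host, final):
        nonlocal want_final
        for criteria, settings in blocks:
            active = True
            for crit in criteria:
                if crit == "final":
                    want_final = True       # forces a second pass ...
                    ok = final              # ... but only matches in it
                elif crit == "!final":
                    ok = not final
                elif crit == "all":
                    ok = True
                else:                       # ("host", pattern)
                    ok = fnmatchcase(host, crit[1])
                active = active and ok
            if active:
                for key, value in settings.items():
                    opts.setdefault(key, value)   # never override

    run_pass(cmdline_host, final=False)
    if want_final:
        # The final pass matches against the hostname after any Hostname
        # rewrite, so blocks that missed in pass one can match here.
        run_pass(opts.get("Hostname", cmdline_host), final=True)
    return opts

# Comment #9's configuration, with and without the trailing "Match final".
EXT = ([("host", "ext")], {"Hostname": "bastion.ext.example.com"})
PROXY = ([("host", "*.ext.example.com")],
         {"ProxyCommand": "ssh -q ext -W %h:%p"})
FINAL = (["final"], {})
# Comment #11's fix: pin ProxyCommand in the ext block so the final pass
# cannot set it from the *.ext.example.com block.
EXT_FIXED = ([("host", "ext")],
             {"Hostname": "bastion.ext.example.com", "ProxyCommand": "none"})

def proxy_for_ext(blocks):
    """ProxyCommand the inner 'ssh -q ext' would run, or None for a direct connection."""
    return evaluate(blocks, "ext").get("ProxyCommand")
```

With [EXT, PROXY, FINAL] the inner ssh to "ext" gets the same ProxyCommand as the outer one and would spawn another ssh to "ext", which is the recursion Comment #9 saw; without FINAL it connects to the bastion directly.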
bugzilla-daemon at bugzilla.mindrot.org
2019-Apr-02 23:08 UTC
[Bug 2906] Need something like 'Match finalpass'
Damien Miller <djm at mindrot.org> changed:

    What       | Removed  | Added
    Resolution | ---      | FIXED
    Status     | REOPENED | RESOLVED

--- Comment #13 from Damien Miller <djm at mindrot.org> ---
IMO the behaviour is consistent, so I'll close this.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:03 UTC
[Bug 2906] Need something like 'Match finalpass'
Damien Miller <djm at mindrot.org> changed:

    What   | Removed  | Added
    Status | RESOLVED | CLOSED

--- Comment #14 from Damien Miller <djm at mindrot.org> ---
Closing resolved bugs as of the 8.6p1 release.