Hi list,

I have looked over the documentation and done some experiments, and I'm now really confused about how this is supposed to work, so I'm appealing to you. If this is a FAQ, perhaps I can write it up in a patch to the existing FAQ.

I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the 4.x manpages but haven't tried that version of the software; the manpage looks no different.

What I want to do is write an /etc/ssh/ssh_config that allows X11 forwarding to _some_ hosts by default, and not others, viz:

    ssh baz                  X11 forwarded
    ssh baz.my.domain        X11 forwarded
    ssh biff.notmydom.com    not forwarded

i.e. I want to trust hosts in my domain but not outside it.

I tried various orderings of

    Host *
        ForwardX11 yes
    Host *.my.domain
        ForwardX11 yes
    Host *.*
        ForwardX11 no

but couldn't find anything that seemed to work as desired. In particular, it seems it is not possible to override X11 forwarding again once one of the entries has turned it on. Take the notmydomain.com case - it matches *, then matches *.*, but X11 forwarding is still allowed. I presume this is due to the first match?

Is this the way it is supposed to work? If so, why?

Kind regards
Vincent McIntyre
vmcintyr at atnf.csiro.au
Australia Telescope National Facility, CSIRO
voice: +61-2-9372-4643
PO Box 76, Epping, NSW 1710, AUSTRALIA
fax: +61-2-9372-4442
Vincent McIntyre wrote:
> Hi list,
>
> I have looked over the documentation and done some experiments,
> and I'm now really confused about how this is supposed to work so I'm
> appealing to you. If this is a FAQ perhaps I can write it up in a
> patch to the existing FAQ.
>
> I'm running ssh 3.8.1p1 on Debian Sarge. I looked briefly at the
> 4.x manpages but haven't tried that version of the software; the
> manpage looks no different.
>
> What I want to do is write an /etc/ssh/ssh_config that allows X11
> forwarding to _some_ hosts by default, and not others, viz:
>     ssh baz                  X11 forwarded
>     ssh baz.my.domain        X11 forwarded
>     ssh biff.notmydom.com    not forwarded
> i.e. I want to trust hosts in my domain but not outside it.
>
> I tried various orderings of
>     Host *
>         ForwardX11 yes
>     Host *.my.domain
>         ForwardX11 yes
>     Host *.*
>         ForwardX11 no
>
> but couldn't find anything that seemed to work as desired.
> In particular, it seems it is not possible to override X11 forwarding
> again once one of the entries has turned it on. Take the notmydomain.com
> case - it matches *, then matches *.*, but X11 forwarding is still
> allowed. I presume this is due to the first match?
>
> Is this the way it is supposed to work? If so, why?

Yes, the config keywords are first-match. Why? Dunno, but it's been that way for a long time. It does mean you can use a leading "Host *" block as a global override, and a trailing "Host *" as a global default.

This ought to do what you want:

    # match local domain
    Host *.my.domain
        ForwardX11 yes

    # match any other qualified domain
    Host *.*
        ForwardX11 no

    # match remaining (local) hosts
    Host *
        ForwardX11 yes

--
Darren Tucker (dtucker at zip.com.au)
GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
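The first-match rule Darren describes is easy to check mechanically. The script below is an added example, not code from the thread or from OpenSSH: it is a deliberately simplified model of the client's ssh_config lookup (Host blocks with `*` and `?` wildcards, `!` negated patterns, first value wins for each keyword; no Match blocks, Include or hostname canonicalisation), run over both orderings from the thread for the three constructed hostnames Vincent used. It shows why a "deny" block placed after a leading `Host *` can never be reached, and why the same `Host *` placed last acts as a default. Hostnames are compared case-insensitively, as the OpenSSH client does; the negated-pattern handling goes slightly beyond the thread and follows the PATTERNS section of ssh_config(5).

```python
"""Resolve ssh_config options with OpenSSH's first-match rule.

Added example (not from the thread or from OpenSSH). Simplified model of
the client config lookup: Host blocks with '*' and '?' wildcards and '!'
negated patterns, and the FIRST value seen for each keyword wins.
Match blocks, Include and hostname canonicalisation are not modelled.
"""
import re


def host_matches(pattern, host):
    """Match one Host pattern ('*' and '?' wildcards) against a hostname,
    case-insensitively as the OpenSSH client does."""
    regex = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c)
        for c in pattern.lower()
    )
    return re.fullmatch(regex, host.lower()) is not None


def host_block_applies(patterns, host):
    """A Host line carries a whitespace-separated pattern list. A matching
    negated ('!') pattern vetoes the whole block; otherwise the block
    applies if any positive pattern matches."""
    positive = False
    for pat in patterns.split():
        if pat.startswith("!"):
            if host_matches(pat[1:], host):
                return False
        elif host_matches(pat, host):
            positive = True
    return positive


def parse_ssh_config(text):
    """Return (host_patterns, {keyword: value}) blocks in file order.
    Options before the first Host line belong to an implicit leading
    'Host *' block, as they do in a real ssh_config."""
    blocks = [("*", {})]
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = re.split(r"[ \t=]+", line, maxsplit=1)  # 'Key value' or 'Key=value'
        keyword = parts[0].lower()
        value = parts[1] if len(parts) > 1 else ""
        if keyword == "host":
            blocks.append((value, {}))
            continue
        # First value for a keyword wins, even within a single block.
        blocks[-1][1].setdefault(keyword, value)
    return blocks


def resolve(text, host, keyword):
    """First-match lookup: walk blocks in file order and return the first
    value set for `keyword` in a block whose Host patterns match `host`.
    None means the compiled-in default applies."""
    for patterns, options in parse_ssh_config(text):
        if host_block_applies(patterns, host) and keyword.lower() in options:
            return options[keyword.lower()]
    return None


# Vincent's ordering (constructed from the thread): the leading "Host *"
# sets ForwardX11 for every host, so the later "no" is never consulted.
VINCENT_CONFIG = """
Host *
    ForwardX11 yes
Host *.my.domain
    ForwardX11 yes
Host *.*
    ForwardX11 no
"""

# Darren's ordering: most specific first, the catch-all "Host *" last.
DARREN_CONFIG = """
# match local domain
Host *.my.domain
    ForwardX11 yes
# match any other qualified domain
Host *.*
    ForwardX11 no
# match remaining (local) hosts
Host *
    ForwardX11 yes
"""

# Constructed test hostnames, taken from Vincent's three cases.
HOSTS = ["baz", "baz.my.domain", "biff.notmydom.com"]


def forwarding_table(config):
    """ForwardX11 decision per hostname under the given config text."""
    return {h: resolve(config, h, "ForwardX11") for h in HOSTS}


if __name__ == "__main__":
    for name, cfg in (("Vincent", VINCENT_CONFIG), ("Darren", DARREN_CONFIG)):
        print(name, forwarding_table(cfg))
```

Running it prints `yes` for all three hosts under Vincent's ordering and `yes`, `yes`, `no` under Darren's. The practical rule for a restrictive client policy follows directly: put the narrow "allow" blocks first, the broad "deny" next, and any `Host *` defaults at the very end, since anything a leading `Host *` sets is final for every host.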