我最近从 Trusty (14.04) 更新到 Xenial (16.04),现在使用 ssh 和我的.ssh/config文件时的行为有所不同。
之前:在配置文件中,当第一条规则应用于主机a以将目标Hostname从更改a为b,并且另一条规则应用于 时b,将应用第二条规则。
现在:仅应用第一条规则,忽略第二条规则。
以下是此新行为的一个示例:
# I added two extra names for "127.0.0.1" :
legec@Workstation[.ssh]$ head -2 /etc/hosts
127.0.0.1 localhost
127.0.0.1 foo foo.homesweethome.com
# config file :
legec@Workstation[.ssh]$ cat ~/.ssh/config
# this rule expands "foo" to "foo.homesweethome.com"
Host foo
Hostname foo.homesweethome.com
# this rule sets default port and user for "foo.homesweethome.com" :
Host foo.homesweethome.com
Port 2222
User foobar
# when running ssh :
legec@Workstation[.ssh]$ ssh -v foo
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
# as you can see in the following two lines,
# the first config rule is applied
debug1: Reading configuration data /home/legec/.ssh/config
debug1: /home/legec/.ssh/config line 1: Applying options for foo
# the second rule is skipped
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 19: Applying options for *
debug1: Connecting to foo.homesweethome.com [127.0.0.1] port 22.
debug1: Connection established.
[.. extra debug messages about possible keys to present, protocol setup ... ]
debug1: Next authentication method: password
# I was hoping to see a connection on port 2222,
# and asking the password for user foobar :
[email protected]'s password:
我的 ssh lib 的当前版本是:
legec@Workstation[.ssh]$ ssh -V
OpenSSH_7.2p2 Ubuntu-4ubuntu2.2, OpenSSL 1.0.2g 1 Mar 2016
[编辑]:作为弗克莱姆OpenSSH提醒我, Trusty(14.04)中的版本是6.6。
问题
- ssh 的行为发生了什么变化?
- 在上面的例子中我怎样才能应用这两条规则?
笔记:为了获得更完整的上下文,在我的真实配置文件中,配置如下所示:
Host bar baz
Hostname %h.homesweethome.com
Host foo
Hostname foo.homesweethome.com
Host *.homesweethome.com
User foobar
Port 2222
答案1
这很好地说明了有时候一个人的缺陷就是另一个人的特点……
OpenSSH 在 14.04 中的这种行为实际上是漏洞在 OpenSSH 6.6(Ubuntu 14.04 中的版本)中引入,并在 6.8 中修复(另请参阅变更日志)。正确的做法是
Host bar baz
Hostname %h.homesweethome.com
Host foo
Hostname foo.homesweethome.com
Host foo bar baz *.homesweethome.com
User foobar
Port 2222
或者,也许规范化才是你真正想要的......例如
CanonicalizeHostname yes
CanonicalDomains homesweethome.com
Host *.homesweethome.com
User foobar
Port 2222
... 可以为您工作。与您当前配置的不同之处在于,例如,如果goo.homesweethome.com存在,ssh goo将尝试连接到它。
答案2
我不知道 14.04 和 16.04 之间有什么变化,但这个CanonicalizeHostnames选项似乎起了作用。从man ssh_config:
CanonicalizeHostname
Controls whether explicit hostname canonicalization is performed.
The default, “no”, is not to perform any name rewriting and let
the system resolver handle all hostname lookups. If set to “yes”
then, for connections that do not use a ProxyCommand, ssh(1) will
attempt to canonicalize the hostname specified on the command
line using the CanonicalDomains suffixes and
CanonicalizePermittedCNAMEs rules. If CanonicalizeHostname is
set to “always”, then canonicalization is applied to proxied
connections too.
If this option is enabled, then the configuration files are
processed again using the new target name to pick up any new
configuration in matching Host and Match stanzas.
请注意最后一段。当我添加:
Host *
CanonicalizeHostname yes
我得到了预期的结果:
$ ssh foo
ssh: connect to host foo.homesweethome.com port 2222: Connection refused