Bug 1745

Summary: Matching @cert-authority entries when using unqualified hostnames
Product: Portable OpenSSH
Reporter: Iain Morgan <imorgan>
Component: ssh
Assignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED
Severity: enhancement
CC: djm
Priority: P2
Version: -current
Hardware: Other
OS: Other
Bug Depends on:
Bug Blocks: 1708

Description Iain Morgan 2010-03-27 10:07:15 AEDT
When connecting to a server in the same DNS domain using an unqualified
hostname, it can be problematic to find a safe pattern to allow an
@cert-authority record to validate a host certificate.

It would make host certificates much more useful if either the
hostname of the server were canonicalized before matching against the
@cert-authority record, or (as suggested by Damien) the ability to
match against the IP address using CIDR notation were added.
Comment 1 Damien Miller 2010-07-19 13:19:02 AEST
The change to support %h expansion in ssh_config Hostname options has been checked in and will be in openssh-5.6. This should allow the hacky approach that we discussed on the mailing list:

Host *.*
  Hostname %h

Host *
  Hostname %h.my.domain.org

Without requiring new API from the resolver, I can't think of a better way unfortunately.
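The following is an added example, not code from OpenSSH or from either participant in this bug. It models, in Python, the two pieces of behaviour the report and Comment 1 turn on: how OpenSSH matches a hostname against the pattern field of an @cert-authority line in known_hosts (comma-separated globs, `!` negation, case-insensitive), and how the first-match-wins Host/Hostname rule in ssh_config, with %h expansion, rewrites an unqualified name before that match happens. The CA key material, the domain my.domain.org and the hostnames are constructed placeholders. It also shows the alternative that the report calls unsafe: a bare `*` pattern makes the unqualified name match, but at the cost of trusting that CA for every host.

```python
import re


def match_pattern(s: str, pattern: str) -> bool:
    """OpenSSH-style glob: '*' matches any run of characters (including none),
    '?' matches exactly one character; everything else is literal."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                    for c in pattern)
    return re.fullmatch(regex, s) is not None


def match_pattern_list(s: str, patterns: str) -> int:
    """Comma-separated pattern list as used in known_hosts; a leading '!'
    negates an entry. Returns 1 on a positive match, -1 if a negated entry
    matched (which vetoes the whole line), 0 if nothing matched."""
    got_positive = 0
    for sub in patterns.split(","):
        if not sub:
            continue
        negated = sub.startswith("!")
        if negated:
            sub = sub[1:]
        if match_pattern(s, sub):
            if negated:
                return -1
            got_positive = 1
    return got_positive


def trusted_cas(hostname: str, known_hosts: str) -> list:
    """Return the CA keys whose @cert-authority line matches hostname.
    known_hosts host patterns are matched case-insensitively."""
    cas = []
    for line in known_hosts.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] != "@cert-authority":
            continue
        _marker, patterns, keytype, key = parts[:4]
        if match_pattern_list(hostname.lower(), patterns.lower()) == 1:
            cas.append(f"{keytype} {key}")
    return cas


def host_block_matches(host: str, args: str) -> bool:
    """ssh_config 'Host' takes whitespace-separated patterns; the first pattern
    that matches decides, and a '!' pattern that matches deactivates the block."""
    for p in args.split():
        negated = p.startswith("!")
        if match_pattern(host, p[1:] if negated else p):
            return not negated
    return False


def resolve_hostname(host: str, ssh_config: str) -> str:
    """Apply ssh_config Host/Hostname: the first matching block that sets
    Hostname wins, and %h expands to the name the user typed."""
    active = False
    for raw in ssh_config.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, args = line.partition(" ")
        if keyword.lower() == "host":
            active = host_block_matches(host, args)
        elif active and keyword.lower() == "hostname":
            return args.strip().replace("%h", host)
    return host


# The ssh_config fragment from Comment 1.
CONFIG = """\
Host *.*
  Hostname %h

Host *
  Hostname %h.my.domain.org
"""

# Constructed known_hosts lines; the key blob is a placeholder, not a real CA.
KNOWN_HOSTS_SAFE = "@cert-authority *.my.domain.org ssh-ed25519 AAAAC3Nz...CA_KEY_PLACEHOLDER\n"
KNOWN_HOSTS_UNSAFE = "@cert-authority * ssh-ed25519 AAAAC3Nz...CA_KEY_PLACEHOLDER\n"


def check(typed: str, ssh_config: str, known_hosts: str):
    """Name ssh would actually match, and the CAs trusted for it."""
    name = resolve_hostname(typed, ssh_config)
    return name, trusted_cas(name, known_hosts)


if __name__ == "__main__":
    # Without the config, the unqualified name never reaches the CA line.
    print("foo (no config):", trusted_cas("foo", KNOWN_HOSTS_SAFE))
    for typed in ("foo", "foo.my.domain.org", "bar.example.com"):
        print(typed, "->", check(typed, CONFIG, KNOWN_HOSTS_SAFE))
    # A bare '*' also makes 'foo' match, but trusts the CA for any host at all.
    print("bar.example.com (bare *):", trusted_cas("bar.example.com", KNOWN_HOSTS_UNSAFE))
```

The `*.*` block exists so that an already-qualified name (or one in another domain) is passed through untouched; only names with no dot fall into the `Host *` block and get the domain appended. The check worth keeping in mind when writing the CA pattern is the last case: `@cert-authority *` is the only pattern that matches the unqualified name directly, and it extends the CA's authority to every host you ever connect to.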
Comment 2 Darren Tucker 2010-08-27 10:28:08 AEST
With the release of OpenSSH 5.6p1 this bug is now considered closed.  If you have further problems please reopen or file a new bug as appropriate.