Bug 2538

Summary: openssh v7 config parse regression
Product: Portable OpenSSH Reporter: Pierre Emeriaud <petrus.lt+openssh>
Component: sshAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED WONTFIX    
Severity: normal CC: djm, petrus.lt+openssh
Priority: P5    
Version: 7.1p1   
Hardware: Other   
OS: All   

Description Pierre Emeriaud 2016-02-04 05:16:14 AEDT 
Since 7.0, maybe a bit earlier, this config stopped working: 

42 Host foo*
43   HostName %h.bar.com
  
45 Host *.bar.com
46   ProxyCommand ssh -A anotherhost.otherdomain.com ncat $(echo %h | awk -F. '{print $(NF-2)}') %p 2> /dev/null

Here is what's expected:

$ ssh -vv foo
OpenSSH_6.6.1p1, OpenSSL 1.0.1p-freebsd 9 Jul 2015
debug1: Reading configuration data /home/petrus/.ssh/config
debug1: /home/petrus/.ssh/config line 42: Applying options for foo*
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Hostname has changed; re-reading configuration
debug1: Reading configuration data /home/petrus/.ssh/config
debug1: /home/petrus/.ssh/config line 42: Applying options for foo*
debug1: /home/petrus/.ssh/config line 45: Applying options for *.bar.com
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: Executing proxy command: exec ssh -A anotherhost.otherdomain.com ncat $(echo foo.bar.com | awk -F. '{print $(NF-2)}') 22 2> /dev/null
debug1: identity file /home/petrus/.ssh/id_rsa type 1
debug1: permanently_drop_suid: 1001
debug1: identity file /home/petrus/.ssh/id_rsa-cert type -1
debug1: identity file /home/petrus/.ssh/id_dsa type -1
debug1: identity file /home/petrus/.ssh/id_dsa-cert type -1
debug1: identity file /home/petrus/.ssh/id_ecdsa type -1
debug1: identity file /home/petrus/.ssh/id_ecdsa-cert type -1
debug1: identity file /home/petrus/.ssh/id_ed25519 type -1
debug1: identity file /home/petrus/.ssh/id_ed25519-cert type -1
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.6.1_hpn13v11 FreeBSD-20140420
debug1: Remote protocol version 2.0, remote software version OpenSSH_3.5p1
debug1: match: OpenSSH_3.5p1 pat OpenSSH_3.* compat 0x01000000
<everything works>

We can see that the two Host statements from config file were applied, whereas with 7.x this is no longer true:

Linux:
$ ssh -vv foo
OpenSSH_7.1p2, OpenSSL 1.0.2e 3 Dec 2015
debug1: Reading configuration data /home/petrus/.ssh/config
debug1: /home/petrus/.ssh/config line 42: Applying options for foo*
debug1: Reading configuration data /etc/ssh/ssh_config
debug1: /etc/ssh/ssh_config line 21: Applying options for *
debug2: ssh_connect: needpriv 0
debug1: Connecting to foo.bar.com [192.0.2.12] port 22.
^C

OpenBSD 5.8:
$ ssh -vv foo
OpenSSH_7.0, LibreSSL 2.2.2
debug1: Reading configuration data /home/petrus/.ssh/config
debug1: /home/petrus/.ssh/config line 42: Applying options for foo*
debug1: Reading configuration data /etc/ssh/ssh_config
debug2: ssh_connect: needpriv 0
debug1: Connecting to foo.bar.com [192.0.2.12] port 22.
^C

foo.bar.com is not directly reachable from the ssh client, but with 7.x the second Host statement from the config file is ignored. A tcpdump confirms that the client tries to connect to foo.bar.com directly.
Comment 1 Damien Miller 2016-02-04 10:39:04 AEDT 
That behaviour (re-parsing configuration files when Hostname directives changed the target host) was a regression that was fixed in OpenSSH 6.8. 

If you want to get that behaviour back and use the re-written hostname, then set CanonicaliseHostname=yes
Comment 2 Pierre Emeriaud 2016-02-04 20:14:41 AEDT 
Thanks Damien, with "CanonicalizeHostname always" this works as 6.6 was. 

Sorry for the noise and keep on hacking.