Overview:
- When using CanonicalizeHostname, any configuration variables read before the hostname canonicalization will be persisted after the configuration is reloaded.

Steps to reproduce:
1) Create a ~/.ssh/config file containing the following:

    CanonicalDomains bar.baz
    CanonicalizeHostname yes
    Host foo.bar.baz
        User alice
    Host *
        User bob

2) Attempt to connect to "foo" (ssh foo)

Expected result:
- Connection attempt to foo.bar.baz with username alice

Actual result:
- Connection attempt to foo.bar.baz with username bob

Build date & hardware:
- OpenSSH_8.4p1, OpenSSL 1.1.1h 22 Sep 2020 on Linux 5.9.11 x86_64

Additional builds and platforms:
- OpenSSH_for_Windows_7.7p1, LibreSSL 2.6.5 on Windows 10 20H2 19042.804

Additional information:
- This is most likely caused by the user variable not being cleared after the configuration is reloaded due to CanonicalizeHostname. Since User is set to "bob" in the first pass due to matching Host * when the hostname has not yet been resolved into a FQDN, User is not set to "alice" during the second pass when the FQDN matches the Host block.
This is intentional - per ssh_config(1):
1) configuration parsing is "first match wins"
2) CanonicalizeHostname causes the config files to be re-parsed after the names have expanded.

Fortunately, you can control which parsing pass options get applied in, via the "canonical" and "final" predicates to the Match directive. In particular, if you replace "Host *" with "Match canonical all" then your config will do what you expect.
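The two-pass, first-match-wins behaviour described in the reply, modelled in an added Python example (not OpenSSH code and not part of this bug report): a toy ssh_config resolver that understands only Host stanzas and the Match predicates "all" and "canonical", with a constructed set of resolvable names standing in for the DNS lookup ssh performs during canonicalization. It reproduces why the reported config ends up with bob and why replacing "Host *" with "Match canonical all" yields alice.

```python
import fnmatch

def parse(text):
    # Returns [(matcher, {option: value})]; options before any stanza always apply.
    blocks = [(("top", ""), {})]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, val = line.partition(" ")
        key, val = key.lower(), val.strip()
        if key in ("host", "match"):
            blocks.append(((key, val.lower()), {}))
        else:
            blocks[-1][1].setdefault(key, val)
    return blocks

def block_matches(matcher, host, canonical):
    kind, arg = matcher
    if kind == "top":
        return True
    if kind == "host":
        return any(fnmatch.fnmatchcase(host, p) for p in arg.split())
    # Match stanza: only "all" and "canonical" are modelled; "canonical" is true
    # only during the pass that follows hostname canonicalization.
    return all(pred != "canonical" or canonical for pred in arg.split())

def apply_pass(blocks, host, canonical, opts):
    for matcher, block_opts in blocks:
        if block_matches(matcher, host, canonical):
            for key, val in block_opts.items():
                opts.setdefault(key, val)  # first match wins: a value already set is kept
    return opts

def resolve(text, host, resolvable):
    # Pass 1 uses the name as typed; pass 2 (if canonicalization is on) re-reads the
    # config with the canonical name but starts from the options pass 1 already set.
    blocks = parse(text)
    opts = apply_pass(blocks, host, False, {})
    if opts.get("canonicalizehostname") == "yes" and "." not in host:
        cands = [f"{host}.{d}" for d in opts.get("canonicaldomains", "").split()]
        host = next((c for c in cands if c in resolvable), host)  # stands in for the DNS lookup
        opts = apply_pass(blocks, host, True, opts)
    return host, opts

BUG_CONFIG = ("CanonicalDomains bar.baz\nCanonicalizeHostname yes\n"
              "Host foo.bar.baz\n    User alice\nHost *\n    User bob\n")
FIXED_CONFIG = BUG_CONFIG.replace("Host *", "Match canonical all")

def effective_user(config, host="foo"):
    final_host, opts = resolve(config, host, resolvable={"foo.bar.baz"})  # constructed "DNS"
    return final_host, opts.get("user")
```

On a real system the equivalent check is `ssh -G foo | grep '^user '`, which prints the value ssh would actually use after both passes.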
closing resolved bugs as of 8.6p1 release