upstream commit

use HostKeyAlias if specified instead of hostname for matching host certificate principal names; bz#2728; ok dtucker@ Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd
author: djm@openbsd.org <djm@openbsd.org> 2017-06-24 05:35:05 +0000
committer: Damien Miller <djm@mindrot.org> 2017-06-24 16:48:39 +1000
commit: 6f8ca3b92540fa1a9b91670edc98d15448e3d765 (patch)
tree: 6c275c536b84349f080d1c4e2388879bd1c4a3f9 /sshd.8
parent: 8904ffce057b80a7472955f1ec00d7d5c250076c (diff)
1 files changed, 19 insertions, 5 deletions
diff --git a/sshd.8 b/sshd.8
index 05368f947..1b18e45b3 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $
+.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
-.Dd $Mdocdate: May 7 2017 $
+.Dd $Mdocdate: June 24 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
 and
 .Ql \&?
 act as
-wildcards); each pattern in turn is matched against the canonical host
+wildcards); each pattern in turn is matched against the host name.
-name (when authenticating a client) or against the user-supplied
+When
-name (when authenticating a server).
+.Nm sshd
+is authenticating a client, such as when using
+.Cm HostbasedAuthentication ,
+this will be the canonical client host name.
+When
+.Xr ssh 1
+is authenticating a server, this will be the either the host name
+given by the user, the value of the
+.Xr ssh 1
+.Cm HostkeyAlias
+if it was specified, or the canonical server hostname if the
+.Xr ssh 1
+.Cm CanonicalizeHostname
+option was used.
+.Pp
 A pattern may also be preceded by
 .Ql \&!
 to indicate negation: if the host name matches a negated
author	djm@openbsd.org <djm@openbsd.org>	2017-06-24 05:35:05 +0000
committer	Damien Miller <djm@mindrot.org>	2017-06-24 16:48:39 +1000
commit	6f8ca3b92540fa1a9b91670edc98d15448e3d765 (patch)
tree	6c275c536b84349f080d1c4e2388879bd1c4a3f9 /sshd.8
parent	8904ffce057b80a7472955f1ec00d7d5c250076c (diff)

diff --git a/sshd.8 b/sshd.8 index 05368f947..1b18e45b3 100644 --- a/sshd.8 +++ b/sshd.8
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $	36	.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
37	.Dd $Mdocdate: May 7 2017 $	37	.Dd $Mdocdate: June 24 2017 $
38	.Dt SSHD 8	38	.Dt SSHD 8
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
652	and	652	and
653	.Ql \&?	653	.Ql \&?
654	act as	654	act as
655	wildcards); each pattern in turn is matched against the canonical host	655	wildcards); each pattern in turn is matched against the host name.
656	name (when authenticating a client) or against the user-supplied	656	When
657	name (when authenticating a server).	657	.Nm sshd
		658	is authenticating a client, such as when using
		659	.Cm HostbasedAuthentication ,
		660	this will be the canonical client host name.
		661	When
		662	.Xr ssh 1
		663	is authenticating a server, this will be the either the host name
		664	given by the user, the value of the
		665	.Xr ssh 1
		666	.Cm HostkeyAlias
		667	if it was specified, or the canonical server hostname if the
		668	.Xr ssh 1
		669	.Cm CanonicalizeHostname
		670	option was used.
		671	.Pp
658	A pattern may also be preceded by	672	A pattern may also be preceded by
659	.Ql \&!	673	.Ql \&!
660	to indicate negation: if the host name matches a negated	674	to indicate negation: if the host name matches a negated