On Thu, Jun 08, 2023 at 10:57:37PM +0200, Ludovic Courtès wrote:
> Hello!
>
> Efraim Flashner <efraim@flashner.co.il> skribis:
>
> >>From man 5 ssh_config:
> > Unless noted otherwise, for each parameter, the first obtained value
> > will be used.
> >
> > We want to allow falling through to the first actual user defined value.
>
> What do you mean by “first actual user-defined value”? This service is
> what generates all the “user-defined values”, no?
Right now my ~/.ssh/config has
Host do1-tor
Hostname <insert tor address>
IdentityFile ~/.ssh/id_ed25519
Host *.onion *-tor
#ProxyCommand
/gnu/store/dgvybjrj154f4cyfbkrbqyirv5gd8ic2-netcat-openbsd-1.218-2/bin/nc -X 5
-x localhost:9050 %h %p
ProxyCommand /home/efraim/bin/openbsd-netcat -X 5 -x localhost:9050 %h %p
ControlPath ${XDG_RUNTIME_DIR}/%r@%k-%p
Compression yes
The way the ssh config is read is that `ssh do1-tor` first matches
do1-tor and then also matches *-tor, so I can factor our ProxyCommand,
ControlPath and Compression for use with the other *-tor Hosts I have
listed.
This configuration could be
(openssh-host (name "do1-tor")
(host-name <insert tor address>)
(identity-file "~/.ssh/id_ed25519"))
(openssh-host (name "*-onion *-tor)
(compression? #t)
(proxy
(proxy-command ...))
(extra-content " ControlPath ...\n"))
If this is all I enter, then my .ssh/config is generated like this:
Host do1-tor
Hostname <insert tor address>
IdentityFile ~/.ssh/id_ed25519
ForwardX11 no
ForwardX11Trusted no
ForwardAgent no
Compression no
Host *.onion *-tor
ForwardX11 no
ForwardX11Trusted no
ForwardAgent no
Compression yes
ProxyCommand /home/efraim/bin/openbsd-netcat -X 5 -x localhost:9050 %h %p
ControlPath ${XDG_RUNTIME_DIR}/%r@%k-%p
Compression might default to no, but in my hand crafted .ssh/config I've
set it to yes for *-tor Hosts. Forward* might all default to no, and
it's not set anywhere, but being explicit about the default here could
cause problems if I want X11 forwarding across an entire range of hosts,
not just individual ones.
> Overall my take is that default values should be specified in our code
> (as default values of configuration record fields) rather than left
> unspecified. I think this is clearer and more predictable than relying
> on upstream’s default values.
In general this is a good plan, but here it actually interferes with the
expected configuration output. 'Fall through' is the default, not the
actual default for each of the individual configuration options. They
only get set if that field isn't set by any of the possibly multiple
configuration matches set it first.
--
Efraim Flashner <efraim@flashner.co.il> רנשלפ םירפא
GPG key = A28B F40C 3E55 1372 662D 14F7 41AA E7DC CA3D 8351
Confidentiality cannot be guaranteed on emails sent or received unencrypted
signature.asc
Description: PGP signature
--- End Message ---