https://bugzilla.mindrot.org/show_bug.cgi?id=3544
Bug ID: 3544
Summary: Support CIDR notation for host pattern matching
Product: Portable OpenSSH
Version: 9.1p1
Hardware: All
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: Miscellaneous
Assignee: unassigned-b...@mindrot.org
Reporter: b...@square-r00t.net

(I considered putting this in ssh-keygen, but it's not just for known_hosts.)

It would be fantastic if CIDR notation/matching for IPv4 and IPv6 address prefixes could be supported in "Host" matchers for ssh_config and for the host matching in (ssh_)known_hosts.

I bumped into this the other day and assumed that because the AllowUsers and AllowGroups scoping allows for CIDR prefixes, the same would be true for known_hosts.

This would be immensely beneficial for deploying system-wide known_hosts across my fleet, namely because GitHub git server addresses all use the same hostkeys (for sufficient reason, I suppose) but encompass *many* different addresses/networks[0]. While I can certainly glob the addresses, globbing/wildcarding is a particularly clumsy and perhaps outdated method of matching and, in this case, leads to multiple host matchers (since one can't effectively glob a /22, for instance, without splitting it into 4x /24's) when one could suffice.

Using CIDR prefixes has the additional benefit of potentially faster match processing, since comparison could be done via bitshifting/bitwise operations et al.

[0] https://api.github.com/meta (Refer to the "git" key.)
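
The prefix comparison the request describes, as an added sketch in C for both IPv4 and IPv6; it is not OpenSSH code and not part of the bug report. `cidr_match` and `octet_globs_needed` are hypothetical names, and 10.20.4.0/22 is a constructed range used only to show the "one /22 versus four /24 globs" point.

```c
#include <arpa/inet.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper, not an OpenSSH function. Returns 1 if addr lies
 * inside cidr ("network/prefixlen"), 0 if it does not (or is not a literal
 * address of the same family), -1 if cidr itself is malformed. */
int cidr_match(const char *cidr, const char *addr)
{
    char net[INET6_ADDRSTRLEN], *end;
    unsigned char n[16], a[16];
    const char *slash = strchr(cidr, '/');
    long plen;
    int af;
    if (slash == NULL || (size_t)(slash - cidr) >= sizeof(net))
        return -1;
    memcpy(net, cidr, (size_t)(slash - cidr));
    net[slash - cidr] = '\0';
    af = strchr(net, ':') != NULL ? AF_INET6 : AF_INET;
    plen = strtol(slash + 1, &end, 10);
    if (end == slash + 1 || *end != '\0' || plen < 0 ||
        plen > (af == AF_INET6 ? 128 : 32) || inet_pton(af, net, n) != 1)
        return -1;
    if (inet_pton(af, addr, a) != 1)
        return 0;
    /* Compare the whole bytes of the prefix, then the leftover high bits. */
    if (memcmp(n, a, (size_t)(plen / 8)) != 0)
        return 0;
    if (plen % 8 != 0 &&
        ((n[plen / 8] ^ a[plen / 8]) & (0xff << (8 - plen % 8)) & 0xff) != 0)
        return 0;
    return 1;
}

/* Whole-octet glob patterns ("a.b.c.*") needed to cover an IPv4 prefix
 * exactly: one per value of the bits between plen and the next octet. */
long octet_globs_needed(int plen)
{
    return 1L << ((8 - plen % 8) % 8);
}

int main(void)
{
    /* 10.20.4.0/22 is a constructed private range, not a GitHub one. */
    printf("inside:  %d\n", cidr_match("10.20.4.0/22", "10.20.7.255"));
    printf("outside: %d\n", cidr_match("10.20.4.0/22", "10.20.8.0"));
    printf("globs for a /22: %ld\n", octet_globs_needed(22));
    return 0;
}
```

The sketch compares only the prefix bits and does not reject a network string with host bits set; a known_hosts implementation would have to decide how to treat such entries.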