upstream commit

use HostKeyAlias if specified instead of hostname for
matching host certificate principal names; bz#2728; ok dtucker@

Upstream-ID: dc2e11c83ae9201bbe74872a0c895ae9725536dd

1 files changed, 19 insertions, 5 deletions

diff --git a/sshd.8 b/sshd.8
index 05368f94..1b18e45b 100644
--- a/sshd.8
+++ b/sshd.8
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.289 2017/05/07 23:12:57 djm Exp $
-.Dd $Mdocdate: May 7 2017 $
+.\" $OpenBSD: sshd.8,v 1.290 2017/06/24 05:35:05 djm Exp $
+.Dd $Mdocdate: June 24 2017 $
 .Dt SSHD 8
 .Os
 .Sh NAME
@@ -652,9 +652,23 @@ Hostnames is a comma-separated list of patterns
 and
 .Ql \&?
 act as
-wildcards); each pattern in turn is matched against the canonical host
-name (when authenticating a client) or against the user-supplied
-name (when authenticating a server).
+wildcards); each pattern in turn is matched against the host name.
+When
+.Nm sshd
+is authenticating a client, such as when using
+.Cm HostbasedAuthentication ,
+this will be the canonical client host name.
+When
+.Xr ssh 1
+is authenticating a server, this will be the either the host name
+given by the user, the value of the
+.Xr ssh 1
+.Cm HostkeyAlias
+if it was specified, or the canonical server hostname if the
+.Xr ssh 1
+.Cm CanonicalizeHostname
+option was used.
+.Pp
 A pattern may also be preceded by
 .Ql \&!
 to indicate negation: if the host name matches a negated