bugzilla-daemon at mindrot.org
2020-Mar-26  17:31 UTC
[Bug 3140] New: support a token for XDG_RUNTIME_DIR
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
            Bug ID: 3140
           Summary: support a token for XDG_RUNTIME_DIR
           Product: Portable OpenSSH
           Version: 8.2p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: dkg at fifthhorseman.net
In some situations, users will want to forward a unix domain socket
that lives in XDG_RUNTIME_DIR. For example, the default GnuPG
gpg-agent's `agent-socket` lives in $XDG_RUNTIME_DIR/S.gpg-agent.
But this isn't known by the client when setting up a RemoteForward.
If we could use tokens in RemoteForward (see #3014), then one token
that would be really nice to have would be this location.
-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2020-Mar-26  17:32 UTC
[Bug 3140] support a token for XDG_RUNTIME_DIR
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
Daniel Kahn Gillmor <dkg at fifthhorseman.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Depends on|                            |3014
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3014
[Bug 3014] [Enhancement] Tokens for RemoteForward - for unix sockets
bugzilla-daemon at mindrot.org
2020-Apr-10  01:46 UTC
[Bug 3140] support a token for XDG_RUNTIME_DIR
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |dtucker at dtucker.net
--- Comment #1 from Darren Tucker <dtucker at dtucker.net> ---
I don't think this is something we want to do.  At least not as a
%-TOKEN.
 - there's no guarantee that the environment variable will exist at
all.  Currently every attribute is guaranteed to exist, so the
semantics when it doesn't would not be clear (expand to nothing?  leave
unexpanded?  throw an error?).
 - we don't currently do environment variables here and this opens a
whole other can of worms^W environment variables.  There's only so many
letters on the keyboard.
 - ssh and sshd are command line applications not desktop applications.
With the functionality added in #3014 you can construct the path in the
client's config file if you know the scheme it's using (eg
"RemoteForward /foo/bar /var/user/%i/baz") or look it up at runtime and
add the forward using ControlMaster (which also works if you want the
inverse direction, if you happen to want that):
$ echo 'ControlPath %d/.ssh/%C' >>~/.ssh/config
$ ssh -Nf -o controlmaster=yes server
$ remdir=$(ssh server 'echo $XDG_RUNTIME_DIR')
$ ssh -O forward -oRemoteForward="$remdir/S.gpg-agent /foo/bar" server
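Comment #1's runtime lookup interpolates whatever the server prints into the RemoteForward option, and its first bullet notes the variable may not exist at all. The following is an added example, not code from the thread or from OpenSSH: a hypothetical helper, `build_remote_forward`, that rejects empty, relative or unexpected values before the forward is requested. `/run/user/1000` is a constructed sample value.

```shell
#!/bin/sh
# Added example, not part of the bug thread or of OpenSSH.
# build_remote_forward REMOTE_DIR SOCKET_NAME LOCAL_SOCKET  (hypothetical helper)
# Prints "<REMOTE_DIR>/<SOCKET_NAME> <LOCAL_SOCKET>", or returns 1 with a
# reason on stderr.
build_remote_forward() {
    brf_dir=${1%/}      # drop one trailing slash; "/" alone becomes empty
    brf_name=$2
    brf_local=$3

    # An unset variable on the server makes 'echo $XDG_RUNTIME_DIR' print an
    # empty line; without this check the forward would bind /S.gpg-agent.
    if [ -z "$brf_dir" ]; then
        echo "remote runtime dir is empty or /" >&2; return 1
    fi
    # Allow-list: this also rejects spaces (which would split the two-path
    # option value) and newlines (banner or shell-profile noise).
    case $brf_dir in
        *[!A-Za-z0-9/._-]*) echo "unexpected characters in remote dir" >&2; return 1 ;;
    esac
    case $brf_dir in
        /*) ;;
        *) echo "remote dir is not absolute" >&2; return 1 ;;
    esac
    case "$brf_dir/" in
        */../*) echo "remote dir contains .." >&2; return 1 ;;
    esac
    printf '%s/%s %s\n' "$brf_dir" "$brf_name" "$brf_local"
}

# Constructed sample values standing in for the output of
#   ssh server 'echo $XDG_RUNTIME_DIR'
for sample in /run/user/1000 "" run/user/1000 "/run/user/1000 /etc"; do
    if fwd=$(build_remote_forward "$sample" S.gpg-agent /foo/bar 2>/dev/null); then
        echo "accepted: $fwd"   # pass as: ssh -O forward -oRemoteForward="$fwd" server
    else
        echo "rejected: [$sample]"
    fi
done
```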
bugzilla-daemon at mindrot.org
2020-Apr-10  01:48 UTC
[Bug 3140] support a token for XDG_RUNTIME_DIR
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
Bug 3140 depends on bug 3014, which changed state.
Bug 3014 Summary: [Enhancement] Tokens for RemoteForward - for unix sockets
https://bugzilla.mindrot.org/show_bug.cgi?id=3014
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED
bugzilla-daemon at mindrot.org
2020-Apr-10  08:56 UTC
[Bug 3140] support a token for XDG_RUNTIME_DIR
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
--- Comment #2 from Darren Tucker <dtucker at dtucker.net> ---
Created attachment 3375
  --> https://bugzilla.mindrot.org/attachment.cgi?id=3375&action=edit
allow environment variables in path config keywords
This adds support for shell-style ${VAR} keyword expansions in config
keywords that take paths.  It applies on top of OpenBSD -current.  Your
use case would be something like this in ~/.ssh/config:
RemoteForward ${XDG_RUNTIME_DIR}/S.gpg-agent ${XDG_RUNTIME_DIR}/S.gpg-agent
There's a few potential problems with this:
 - the expansions are exclusively client side and I'm not sure the
server should ever do this type of expansion.
 - there's existing environment variable support in IdentityAgent and
ForwardAgent which has a different, more limited format.  Right now the
patch supports both.  I think we'd be better off removing the old
format since having two is potentially confusing, but that's a user
visible potentially incompatible change.
 - I am unsure if this is generally worth the extra complexity and
maintenance or what the other OpenSSH maintainers will think of this.
bugzilla-daemon at mindrot.org
2020-May-29  04:34 UTC
[Bug 3140] support environment variables in keywords where possible.
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
             Blocks|                            |3162
            Summary|support a token for         |support environment
                   |XDG_RUNTIME_DIR             |variables in keywords where
                   |                            |possible.
         Resolution|---                         |FIXED
--- Comment #3 from Darren Tucker <dtucker at dtucker.net> ---
Generic environment variable support has been added and will be in the
8.4 release.
Referenced Bugs:
https://bugzilla.mindrot.org/show_bug.cgi?id=3162
[Bug 3162] Tracking bug for 8.4 release
bugzilla-daemon at mindrot.org
2020-Oct-02  04:55 UTC
[Bug 3140] support environment variables in keywords where possible.
https://bugzilla.mindrot.org/show_bug.cgi?id=3140
Darren Tucker <dtucker at dtucker.net> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED
--- Comment #4 from Darren Tucker <dtucker at dtucker.net> ---
Mass close of all bugs fixed in 8.4 release.