Ian Haken
2021-Jan-23 20:54 UTC
Feature Request: Token support on Include config directive
I've got a feature request which is (hopefully?) straightforward, which is
that we'd like to be able to use tokens (%n specifically for the original
remote hostname) as a token on the Include directive. This would allow us
to do something like:
Match Host *.corp
Include ~/.local/share/my_corp_data/managed_ssh_configs/%n/config
In this example I imagine that some other process is managing (downloading
and updating) SSH configs on the machine, and this would allow us to have
just a single line for using any number of such configs.
To be even more transparent, we're actually being even more dynamic than
that by (ab)using "Match exec" functionality to do something similar to
Lyft's blessclient integration [1] which invokes a heavyweight script that
not only does some custom hostname resolution but also fetches some
credentials (similar to blessclient) and writes out a just-in-time config
which includes the resolved hostname, pointers to the credentials, what
jumphost to use (which depends on many factors of the resolved host), etc.
Today we write all this at a well-known path and just have an Include
directive pointing to that well-known path, but this is incompatible with
parallel invocations of ssh. Being able to parameterize what path to
Include would save us a lot of trouble. :)
[1] https://github.com/lyft/python-blessclient
Darren Tucker
2021-Jan-23 22:56 UTC
Feature Request: Token support on Include config directive
On Sun, 24 Jan 2021 at 07:57, Ian Haken <ihaken at netflix.com> wrote:
> I've got a feature request which is (hopefully?) straightforward, which is
> that we'd like to be able to use tokens (%n specifically for the original
> remote hostname) as a token on the Include directive.

Unfortunately it's not straightforward. Include directives are read and
processed as the config file is parsed (readconf.c, look for "case
oInclude"). Percent-token expansion happens after the config is fully
parsed, immediately before it's used (ssh.c, look for the
percent_dollar_expand calls).

It would probably be possible to perform some kind of expansion when
Include is parsed, but it would have different semantics compared to all
of the other expansions, eg

UserKnownHostsFile %r/bar
User foo

does expand UserKnownHostsFile to foo/bar, but

Include %r/bar
User foo

would not.

-- 
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience usually
comes from bad judgement.
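The two-phase behaviour Darren describes (Include resolved during parsing, percent tokens expanded only after the whole file is parsed) is easy to see with a toy model. The following is an added illustration, not OpenSSH's readconf.c or ssh.c: a deliberately minimal ssh_config parser that handles only `Option value` lines and `Include`, ignores `Match`/`Host` blocks, globbing and the `=` syntax, and uses an in-memory dictionary in place of the file system. `LOCAL_USER`, the `managed/...` paths, `db1.corp` and `jump.corp` are constructed sample values. It reproduces both of Darren's cases and also shows why Ian's `%n` case is different in kind: the original hostname is the command-line argument, so it is already known when parsing starts, whereas `%r` depends on a `User` line that may come later in the file.

```python
import re

# Constructed stand-in for the local login name (ssh uses it as %r's default).
LOCAL_USER = "localuser"
# Options whose values are expanded after parsing; reduced to one for the demo.
EXPANDABLE = {"userknownhostsfile"}
TOKEN_RE = re.compile(r"%(.)")


def expand_tokens(value, tokens):
    """Replace %x tokens in value; %% is a literal %, unknown tokens are an error."""
    def sub(m):
        key = m.group(1)
        if key == "%":
            return "%"
        if key not in tokens:
            raise ValueError(f"unknown token %{key} in {value!r}")
        return tokens[key]
    return TOKEN_RE.sub(sub, value)


def parse_config(lines, read_file, options, expand_include=None):
    """Phase 1: parse line by line. Include is processed immediately, so the
    included file is read before any later line of the including file is seen.
    expand_include, if given, models the proposed feature: it is applied to the
    Include argument at parse time and only sees the options parsed so far."""
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "include":
            path = expand_include(value, options) if expand_include else value
            parse_config(read_file(path), read_file, options, expand_include)
            continue
        options.setdefault(key, value)  # first obtained value wins, as in ssh_config
    return options


def finalize(options, original_host):
    """Phase 2: expand tokens once the whole config is known (ssh.c's behaviour)."""
    tokens = {"r": options.get("user", LOCAL_USER), "n": original_host}
    return {k: (expand_tokens(v, tokens) if k in EXPANDABLE else v)
            for k, v in options.items()}


def parse_time_expander(original_host):
    """Token table available during parsing: %n is the command-line host, so it
    is known; %r can only reflect a User line that appeared *earlier*."""
    def expand(value, options_so_far):
        return expand_tokens(value, {"r": options_so_far.get("user", LOCAL_USER),
                                     "n": original_host})
    return expand


def make_reader(files, requested):
    """In-memory file system that records every Include path asked for.
    A missing file yields no lines, mirroring ssh ignoring an unmatched Include."""
    def read_file(path):
        requested.append(path)
        return files.get(path, "").splitlines()
    return read_file


CONFIG_A = "UserKnownHostsFile %r/bar\nUser foo\n"   # Darren's first case
CONFIG_B = "Include %r/bar\nUser foo\n"              # Darren's second case
CONFIG_C = "Include managed/%n/config\n"             # Ian's %n case
FILES = {"managed/db1.corp/config": "ProxyJump jump.corp\n"}  # constructed


def demo_post_parse():
    """Post-parse expansion sees 'User foo' even though it came after the use."""
    opts = parse_config(CONFIG_A.splitlines(), make_reader({}, []), {})
    return finalize(opts, "db1.corp")["userknownhostsfile"]  # 'foo/bar'


def demo_parse_time_user():
    """Parse-time Include expansion cannot see 'User foo' yet."""
    requested = []
    parse_config(CONFIG_B.splitlines(), make_reader({}, requested), {},
                 parse_time_expander("db1.corp"))
    return requested[0]  # 'localuser/bar', not 'foo/bar'


def demo_parse_time_host():
    """%n is known before parsing, so the per-host include is found and applied."""
    requested = []
    opts = parse_config(CONFIG_C.splitlines(), make_reader(FILES, requested), {},
                        parse_time_expander("db1.corp"))
    return requested[0], opts.get("proxyjump")


if __name__ == "__main__":
    print(demo_post_parse(), demo_parse_time_user(), demo_parse_time_host())
```

The three demo functions return `'foo/bar'`, `'localuser/bar'` and `('managed/db1.corp/config', 'jump.corp')` respectively. The middle result is exactly the inconsistency Darren points at: any token whose value is itself set by the config (user, hostname after a `HostName` rewrite, port) would behave differently in `Include` than everywhere else, because `Include` must be resolved before those lines have been read.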