bugzilla-daemon at mindrot.org
2024-Jan-10 09:18 UTC
[Bug 3652] New: KnownHostsCommand should expand tokens and environment variables on first argument
https://bugzilla.mindrot.org/show_bug.cgi?id=3652

            Bug ID: 3652
           Summary: KnownHostsCommand should expand tokens and environment variables on first argument
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot.bugzilla at accounts.evybongers.nl

Per ssh_config(5), KnownHostsCommand accepts tokens and will expand environment variables for its arguments.

> Arguments to KnownHostsCommand accept the tokens described in the "TOKENS" section.

> Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in ${}, for example ${HOME}/.ssh would refer to the user's .ssh directory. [...] The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, and UserKnownHostsFile support environment variables.

In the implementation[1] the first argument (script or binary to be invoked) is excluded from being parsed. While the documentation quoted above can be interpreted such that this is the intended behaviour, the documentation for other options uses the same phrasing and will accept tokens and environment variables on the first (or only) argument, for example ControlPath, which only accepts a single argument as value.

> Arguments to ControlPath may use the tilde syntax to refer to a user's home directory, the tokens described in the "TOKENS" section and environment variables as described in the "ENVIRONMENT VARIABLES" section.

Therefore, I'm inclined to believe that the first argument to KnownHostsCommand should be parsed for tokens and environment variables.

A use case for using a token or environment variable for this keyword would be to invoke a script or command that is found relative to a user's home directory in a portable manner, for example:

    ${HOME}/.local/bin/get_host_keys <args>

(or the token equivalent %d/.local/bin/get_host_keys <args>)

[1] https://github.com/openssh/openssh-portable/blob/master/sshconnect.c#L885-L898

P.s.: I'm not sure about the severity of this issue, which is why I listed it as enhancement.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
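A configuration check for the behaviour reported above, as an added example that is not part of the bug report or of OpenSSH: it flags KnownHostsCommand lines whose first argument contains a token or a ${VAR} reference, which per the report is passed through unexpanded in 9.6p1. The function name, the sample configuration and the use of shlex for argument splitting are assumptions made for illustration.

```python
import re
import shlex

# Constructed sample ssh_config; host names and paths are illustrative.
SAMPLE_CONFIG = """\
Host *.example.org
    KnownHostsCommand ${HOME}/.local/bin/get_host_keys %H
Host bastion
    knownhostscommand=%d/.local/bin/get_host_keys %H
Host ok
    KnownHostsCommand /usr/local/bin/get_host_keys ${HOME}/cache %H
    # KnownHostsCommand %d/bin/commented_out
"""

# A %-token or a ${VAR} reference; literal "%%" is removed before matching.
NEEDS_EXPANSION = re.compile(r"%.|\$\{[^}]+\}")


def find_unexpanded_commands(config_text):
    """Return (line_number, first_argument) for every KnownHostsCommand whose
    first argument depends on token or environment-variable expansion."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config separates keyword and value with whitespace or '='.
        parts = re.split(r"\s*=\s*|\s+", line, maxsplit=1)
        if len(parts) != 2 or parts[0].lower() != "knownhostscommand":
            continue
        try:
            # Assumption: shlex approximates ssh's own argument splitting.
            argv = shlex.split(parts[1])
        except ValueError:
            continue  # unbalanced quotes; nothing to inspect on this line
        if argv and NEEDS_EXPANSION.search(argv[0].replace("%%", "")):
            findings.append((line_no, argv[0]))
    return findings


if __name__ == "__main__":
    for line_no, arg in find_unexpanded_commands(SAMPLE_CONFIG):
        print(f"line {line_no}: first argument not expanded: {arg}")
```

Lines it reports can be rewritten with an absolute path to the command until the first argument is expanded like the others.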