[Bug 3652] New: KnownHostsCommand should expand tokens and environment variables on first argument

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Wed Jan 10 20:18:30 AEDT 2024 

https://bugzilla.mindrot.org/show_bug.cgi?id=3652

            Bug ID: 3652
           Summary: KnownHostsCommand should expand tokens and environment
                    variables on first argument
           Product: Portable OpenSSH
           Version: 9.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: mindrot.bugzilla at accounts.evybongers.nl

Per ssh_config(5), KnownHostsCommand accepts tokens and will expand
environment variables for its arguments.

> Arguments to KnownHostsCommand accept the tokens described in the “TOKENS” section.

> Arguments to some keywords can be expanded at runtime from environment variables on the client by enclosing them in ${}, for example ${HOME}/.ssh would refer to the user's .ssh directory. [...] The keywords CertificateFile, ControlPath, IdentityAgent, IdentityFile, KnownHostsCommand, and UserKnownHostsFile support environment variables.

In the implementation[1] the first argument (script or binary to be
invoked) is excluded from being parsed. While the documentation quoted
above can be interpreted such that this is the intended behaviour, the
documentation for other options uses the same phrasing and will accept
tokens and environment variables on the first (or only) argument, for
example ControlPath, which only accepts a single argument as value.

> Arguments to ControlPath may use the tilde syntax to refer to a user's home directory, the tokens described in the “TOKENS” section and environment variables as described in the “ENVIRONMENT VARIABLES” section.

Therefore, I'm inclined to believe that first argument to
KnownHostsCommand should be parsed for tokens and environment
variables.

A use case for using a token or environment variable for this keyword
would be to invoke a script or command that is found relative to a
user's home directory in a portable manner, for example:
${HOME}/.local/bin/get_host_keys <args> (or the token equivalent
%d/.local/bin/get_host_keys <args>)

[1]
https://github.com/openssh/openssh-portable/blob/master/sshconnect.c#L885-L898


P.s.: I'm not sure about the severity of this issue, which is why I
listed it as enhancement.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

More information about the openssh-bugs mailing list