Feature Request: Token support on Include config directive

Ian Haken ihaken at netflix.com
Sun Jan 24 07:54:32 AEDT 2021

I've got a feature request which is (hopefully?) straightforward, which is
that we'd like to be able to use tokens (%n specifically for the original
remote hostname) as a token on the Include directive. This would allow us
to do something like:

Match Host *.corp
    Include ~/.local/share/my_corp_data/managed_ssh_configs/%n/config

In this example I imagine that some other process is managing (downloading
and updating) SSH configs on the machine, and this would allow us to have
just a single line for using any number of such configs.

To be even more transparent, we're actually being even more dynamic than
that by (ab)using "Match exec" functionality to do something similar to
Lyft's blessclient integration [1] which invokes a heavyweight script that
not only does some custom hostname resolution but also fetches some
credentials (similar to blessclient) and writes out a just-in-time config
which includes the resolved hostname, pointers to the credentials, what
jumphost to use (which depends on many factors of the resolved host), etc.
Today we write all this at a well-known path and just have an Include
directive pointing to that well-known path, but this is incompatible with
parallel invocations of ssh. Being able to parameterize what path to
Include would save us a lot of trouble. :)

[1] https://github.com/lyft/python-blessclient

More information about the openssh-unix-dev mailing list