Feature Request: Token support on Include config directive

Ian Haken ihaken at netflix.com
Sun Jan 24 10:16:09 AEDT 2021


Hmm, don't those as-its-parsed semantics already apply to something like
Match exec though? Based on a quick test it looks like you get different
effects for

    Match exec "[ %r = foo ]"
        UserKnownHostsFile ~/bar
    Match all
        User foo

versus

    Match all
        User foo
    Match exec "[ %r = foo ]"
        UserKnownHostsFile ~/bar

As far as I can tell there aren't call-outs about those alternate token
semantics of match exec (though maybe there should be?). But at worst it
seems like there's _some_ precedent for the semantics of applying tokens as
you parse?


On Sat, Jan 23, 2021 at 2:56 PM Darren Tucker <dtucker at dtucker.net> wrote:

> On Sun, 24 Jan 2021 at 07:57, Ian Haken <ihaken at netflix.com> wrote:
> > I've got a feature request which is (hopefully?) straightforward, which
> is
> > that we'd like to be able to use tokens (%n specifically for the original
> > remote hostname) as a token on the Include directive.
>
> Unfortunately it's not straightforward.
>
> Include directives are read and processed as the config file is parsed
> (readconf.c, look for "case oInclude").  Percent-token expansion
> happens after the config is fully parsed, immediately before it's used
> (ssh.c, look for the percent_dollar_expand calls).  It would probably
> be possible to perform some kind of expansion when Include is parsed,
> but it would have different semantics compared to all of the other
> expansions, eg
>
>     UserKnownHostsFile %r/bar
>     User foo
>
> does expand UserKnownHostsFile, to foo/bar but
>
>     Include %r/bar
>     User foo
>
> would not.
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860  37F4 9357 ECEF 11EA A6FA (new)
>     Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>


More information about the openssh-unix-dev mailing list