Bug 3140 - support environment variables in keywords where possible.
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 8.2p1
Hardware: Other Linux
Importance: P5 enhancement
Assignee: Assigned to nobody
Depends on: 3014
Blocks: V_8_4
Reported: 2020-03-27 04:31 AEDT by Daniel Kahn Gillmor
Modified: 2020-10-02 14:55 AEST

Attachments
allow environment variables in path config keywords (10.79 KB, patch)
2020-04-10 18:56 AEST, Darren Tucker

Description Daniel Kahn Gillmor 2020-03-27 04:31:52 AEDT
In some situations, users will want to forward a Unix domain socket that lives in XDG_RUNTIME_DIR. For example, the default GnuPG gpg-agent's `agent-socket` lives in $XDG_RUNTIME_DIR/S.gpg-agent.

But this isn't known by the client when setting up a RemoteForward.

If we could use tokens in RemoteForward (see #3014), then one token that would be really nice to have would be this location.
Comment 1 Darren Tucker 2020-04-10 11:46:59 AEST
I don't think this is something we want to do.  At least not as a %-TOKEN.

 - there's no guarantee that the environment variable will exist at all.  Currently every attribute is guaranteed to exist, so the semantics when it doesn't would not be clear (expand to nothing?  leave unexpanded?  throw an error?).
 - we don't currently do environment variables here and this opens a whole other can of worms^W environment variables.  There's only so many letters on the keyboard.
 - ssh and sshd are command line applications not desktop applications.

With the functionality added in #3014 you can construct the path in the client's config file if you know the scheme it's using (eg "RemoteForward /foo/bar /var/user/%i/baz") or look it up at runtime and add the forward using ControlMaster (which also works if you want the inverse direction, if you happen to want that):

$ echo 'ControlPath %d/.ssh/%C' >>~/.ssh/config
$ ssh -Nf -o controlmaster=yes server
$ remdir=$(ssh server 'echo $XDG_RUNTIME_DIR')
$ ssh -O forward -oRemoteForward="$remdir/S.gpg-agent /foo/bar" server
Comment 2 Darren Tucker 2020-04-10 18:56:06 AEST
Created attachment 3375
allow environment variables in path config keywords

This adds support for shell-style ${VAR} keyword expansions in config keywords that take paths.  It applies on top of OpenBSD -current.  Your use case would be something like this in ~/.ssh/config:

RemoteForward ${XDG_RUNTIME_DIR}/S.gpg-agent ${XDG_RUNTIME_DIR}/S.gpg-agent

There are a few potential problems with this:
 - the expansions are exclusively client side and I'm not sure the server should ever do this type of expansion.
 - there's existing environment variable support in IdentityAgent and ForwardAgent which has a different, more limited format.  Right now the patch supports both.  I think we'd be better off removing the old format since having two is potentially confusing, but that's a user-visible, potentially incompatible change.
 - I am unsure if this is generally worth the extra complexity and maintenance or what the other OpenSSH maintainers will think of this.
Comment 3 Darren Tucker 2020-05-29 14:34:32 AEST
Generic environment variable support has been added and will be in the 8.4 release.
Comment 4 Darren Tucker 2020-10-02 14:55:05 AEST
Mass close of all bugs fixed in 8.4 release.
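
Comment 1 asks what should happen when a referenced variable is unset (expand to nothing, leave unexpanded, or throw an error). The following is an added example, not part of this thread or of the attached patch: a C sketch of ${VAR} expansion that takes the error option, so that ${XDG_RUNTIME_DIR}/S.gpg-agent can never silently collapse to /S.gpg-agent. The function name expand_env and the sample value /run/user/1000 are assumptions made for illustration.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Expand ${VAR} references in `in` into `out` (capacity outlen).
 * Returns 0 on success, -1 on an unset variable, an unterminated "${",
 * a bad name or overflow. Hypothetical helper, not OpenSSH's own code. */
int expand_env(const char *in, char *out, size_t outlen)
{
    size_t o = 0;
    if (outlen == 0)
        return -1;
    while (*in != '\0') {
        const char *val = in;   /* default: copy one literal byte */
        size_t vlen = 1;
        char name[128];
        if (in[0] == '$' && in[1] == '{') {
            const char *end = strchr(in + 2, '}');
            size_t nlen = end ? (size_t)(end - (in + 2)) : 0;
            if (end == NULL || nlen == 0 || nlen >= sizeof(name))
                return -1;      /* unterminated, empty or over-long name */
            memcpy(name, in + 2, nlen);
            name[nlen] = '\0';
            if ((val = getenv(name)) == NULL)
                return -1;      /* unset: fail closed, never expand to "" */
            vlen = strlen(val);
            in = end + 1;
        } else {
            in++;
        }
        if (vlen >= outlen - o)
            return -1;          /* result would not fit in out */
        memcpy(out + o, val, vlen);
        o += vlen;
    }
    out[o] = '\0';
    return 0;
}

int main(void)
{
    char buf[256];
    setenv("XDG_RUNTIME_DIR", "/run/user/1000", 1); /* constructed sample value */
    if (expand_env("${XDG_RUNTIME_DIR}/S.gpg-agent", buf, sizeof(buf)) == 0)
        printf("%s\n", buf);
    unsetenv("XDG_RUNTIME_DIR");
    printf("unset -> %d\n", expand_env("${XDG_RUNTIME_DIR}/S.gpg-agent", buf, sizeof(buf)));
    return 0;
}
```

On failure the contents of `out` are unspecified, so a caller should discard the buffer and skip the setting rather than use a partial path.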