Created attachment 3530 [details] xstrdup() added for ForwardAgent env var Beginning with OpenSSH 8.2, the ssh_config ForwardAgent option can accept "an explicit path to an agent socket or the name of an environment variable (beginning with ‘$’) in which to find the path." If an environment variable name is supplied, ssh.c uses getenv() to capture the value, but fails to make a copy. This is problematic on systems where subsequent calls to getenv() clobber the last returned value. This problem exists as of OpenSSH release 8.6. I've attached a proposed patch, based on the OpenSSH 8.6p1 ssh.c source file. On a related note, I don't understand why the $ENV_VAR_NAME (without braces) syntax is supported for this option. There is also support for supplying the environment variable name via the ${ENV_VAR_NAME} (with braces) syntax (see the code beginning at line 1415 in ssh.c). Is the non-brace syntax a legacy format that needs to be preserved?
(In reply to Stephen Goetze from comment #0) [...] > I've attached a proposed patch, based on the OpenSSH 8.6p1 ssh.c > source file. Thanks, I've added it to the list to do for the next release. > On a related note, I don't understand why the $ENV_VAR_NAME (without > braces) syntax is supported for this option. There is also support > for supplying the environment variable name via the ${ENV_VAR_NAME} > (with braces) syntax (see the code beginning at line 1415 in ssh.c). > > > Is the non-brace syntax a legacy format that needs to be preserved? Yes, the non-brace syntax was existed only for this option prior to the more generic brace support being added for many options. The old syntax is maintained for backward compatibility for any configs using it (we try not to break working configs without advance warning).
This has been applied and will be in the next major release. Thanks for the report.
closing bugs resolved before openssh-8.9