Bug 3552 - ssh_config option RevokedHostKeys doesn't do tilde expansion on the filename
Status: NEW
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: ssh
Version: 9.0p1
Hardware: All All
Importance: P5 enhancement
Assignee: Assigned to nobody
Blocks: V_9_4
 
Reported: 2023-03-26 00:41 AEDT by Daniel Kertesz
Modified: 2023-03-26 06:04 AEDT

Attachments
Add tilde and environment variable support to RevokedHostKeys (2.51 KB, patch)
2023-03-26 06:03 AEDT, Darren Tucker
dtucker: ok? (djm)

Description Daniel Kertesz 2023-03-26 00:41:51 AEDT
Thanks to GitHub's private key leak I got to use the RevokedHostKeys setting in ssh_config, and I realized it doesn't do tilde expansion on the filename.

Specifically, this doesn't work and gives a "No such file or directory" error:

  RevokedHostKeys ~/.ssh/revoked_host_keys

but this does work:

  RevokedHostKeys /Users/my_user/.ssh/revoked_host_keys

This was tested on OpenSSH 9.0p1 on macOS 13.2.1; I can't test on the latest OpenSSH, but I did a quick search on the OpenSSH code on GitHub and I think this bug is still present.

The IdentityFile option does tilde expansion:
https://github.com/openbsd/src/blob/fba4865f1dbe0cc6c4725437366d812456e9331d/usr.bin/ssh/ssh.c#L2265

The RevokedHostKeys option does not:
https://github.com/openbsd/src/blob/fba4865f1dbe0cc6c4725437366d812456e9331d/usr.bin/ssh/authfile.c#L385

Slightly related, the ssh_config man page doesn't specify that the plain text version of the RevokedHostKeys file can contain comments.
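
Added example, not part of the bug report or the attached patch: a POSIX shell helper (hypothetical name `revoked_tilde`) that lists RevokedHostKeys directives whose argument starts with `~/`, the form reported above as failing, and can print the config with those paths made absolute under $HOME. It assumes only the `~/` form matters (no `~user/` or environment variables); the sample config is constructed.

```sh
#!/bin/sh
# Added example, not OpenSSH code. revoked_tilde is a hypothetical helper name.
# usage: revoked_tilde check CONFIG  -> list RevokedHostKeys lines whose path
#                                       starts with "~/"; exit 0 if any found
#        revoked_tilde fix CONFIG    -> print CONFIG with "~/" replaced by $HOME/
revoked_tilde() {
    awk -v mode="$1" '
    {
        # Keywords are case-insensitive; the separator is whitespace or "=",
        # and the argument may be double-quoted.
        hit = match(tolower($0),
            /^[ \t]*revokedhostkeys([ \t]*=[ \t]*|[ \t]+)"?~\//)
        if (mode == "check") {
            if (hit) { printf "%d: %s\n", NR, $0; found = 1 }
            next
        }
        # The match ends in "~/": keep what precedes it and splice in $HOME.
        if (hit)
            $0 = substr($0, 1, RLENGTH - 2) ENVIRON["HOME"] "/" substr($0, RLENGTH + 1)
        print
    }
    END { if (mode == "check") exit !found }' "$2"
}

# Constructed sample config; the paths are examples only.
sample=$(mktemp)
cat > "$sample" <<'EOF'
Host *
    RevokedHostKeys ~/.ssh/revoked_host_keys
Host internal
    revokedhostkeys="~/.ssh/revoked_internal"
Host other
    RevokedHostKeys /etc/ssh/revoked_host_keys
EOF
revoked_tilde check "$sample"   # reports lines 2 and 4
revoked_tilde fix "$sample"     # same config with absolute paths
rm -f "$sample"
```
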
Comment 1 Darren Tucker 2023-03-26 06:03:50 AEDT
Created attachment 3686
Add tilde and environment variable support to RevokedHostKeys