Thanks to GitHub's private key leak I got to use the RevokedHostKeys setting in ssh_config, and I realized it doesn't do tilde expansion on the filename. Specifically, this doesn't work and gives a "No such file or directory" error: RevokedHostKeys ~/.ssh/revoked_host_keys but this does work: RevokedHostKeys /Users/my_user/.ssh/revoked_host_keys This was tested on OpenSSH 9.0p1 on macOS 13.2.1; I can't test on the latest OpenSSH, but I did a quick search on the OpenSSH code on GitHub and I think this bug is still present. The IdentityFile option do tilde expansion: https://github.com/openbsd/src/blob/fba4865f1dbe0cc6c4725437366d812456e9331d/usr.bin/ssh/ssh.c#L2265 The RevokedHostKeys option does not: https://github.com/openbsd/src/blob/fba4865f1dbe0cc6c4725437366d812456e9331d/usr.bin/ssh/authfile.c#L385 Slightly related, the ssh_config man page doesn't specify that the plain text version of the RevokedHostKeys file can contain comments.
Created attachment 3686 [details] Add tilde and environment variable support to RevokedHostKeys