Mailing List Archive

Feature Request: Token support on Include config directive
I've got a feature request which is (hopefully?) straightforward, which is
that we'd like to be able to use tokens (%n specifically for the original
remote hostname) as a token on the Include directive. This would allow us
to do something like:

Match Host *.corp
Include ~/.local/share/my_corp_data/managed_ssh_configs/%n/config

In this example I imagine that some other process is managing (downloading
and updating) SSH configs on the machine, and this would allow us to have
just a single line for using any number of such configs.

To be even more transparent, we're actually being even more dynamic than
that by (ab)using "Match exec" functionality to do something similar to
Lyft's blessclient integration [1] which invokes a heavyweight script that
not only does some custom hostname resolution but also fetches some
credentials (similar to blessclient) and writes out a just-in-time config
which includes the resolved hostname, pointers to the credentials, what
jumphost to use (which depends on many factors of the resolved host), etc.
Today we write all this at a well-known path and just have an Include
directive pointing to that well-known path, but this is incompatible with
parallel invocations of ssh. Being able to parameterize what path to
Include would save us a lot of trouble. :)


[1] https://github.com/lyft/python-blessclient
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
Re: Feature Request: Token support on Include config directive
On Sun, 24 Jan 2021 at 07:57, Ian Haken <ihaken@netflix.com> wrote:
> I've got a feature request which is (hopefully?) straightforward, which is
> that we'd like to be able to use tokens (%n specifically for the original
> remote hostname) as a token on the Include directive.

Unfortunately it's not straightforward.

Include directives are read and processed as the config file is parsed
(readconf.c, look for "case oInclude"). Percent-token expansion
happens after the config is fully parsed, immediately before it's used
(ssh.c, look for the percent_dollar_expand calls). It would probably
be possible to perform some kind of expansion when Include is parsed,
but it would have different semantics compared to all of the other
expansions, eg

UserKnownHostsFile %r/bar
User foo

does expand UserKnownHostsFile to foo/bar, but

Include %r/bar
User foo

would not.

--
Darren Tucker (dtucker at dtucker.net)
GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
Good judgement comes with experience. Unfortunately, the experience
usually comes from bad judgement.
Re: Feature Request: Token support on Include config directive
Hmm, don't those as-its-parsed semantics already apply to something like
Match exec though? Based on a quick test it looks like you get different
effects for

Match exec "[ %r = foo ]"
UserKnownHostsFile ~/bar
Match all
User foo

versus

Match all
User foo
Match exec "[ %r = foo ]"
UserKnownHostsFile ~/bar

As far as I can tell there aren't call-outs about those alternate token
semantics of match exec (though maybe there should be?). But at worst it
seems like there's _some_ precedent for the semantics of applying tokens as
you parse?


On Sat, Jan 23, 2021 at 2:56 PM Darren Tucker <dtucker@dtucker.net> wrote:

> On Sun, 24 Jan 2021 at 07:57, Ian Haken <ihaken@netflix.com> wrote:
> > I've got a feature request which is (hopefully?) straightforward, which is
> > that we'd like to be able to use tokens (%n specifically for the original
> > remote hostname) as a token on the Include directive.
>
> Unfortunately it's not straightforward.
>
> Include directives are read and processed as the config file is parsed
> (readconf.c, look for "case oInclude"). Percent-token expansion
> happens after the config is fully parsed, immediately before it's used
> (ssh.c, look for the percent_dollar_expand calls). It would probably
> be possible to perform some kind of expansion when Include is parsed,
> but it would have different semantics compared to all of the other
> expansions, eg
>
> UserKnownHostsFile %r/bar
> User foo
>
> does expand UserKnownHostsFile, to foo/bar but
>
> Include %r/bar
> User foo
>
> would not.
>
> --
> Darren Tucker (dtucker at dtucker.net)
> GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new)
> Good judgement comes with experience. Unfortunately, the experience
> usually comes from bad judgement.
>
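As an added illustration of the two phases Darren describes and of Ian's Match exec ordering test, here is a small Python model written for this page (it is not OpenSSH's readconf.c or ssh.c): %-tokens in option values are expanded from the final option set after parsing, while Match exec, and a hypothetical parse-time Include, see only whatever User has been set so far. The LOCAL_USER fallback, the single %r token and the sample configs are constructed assumptions.

```python
import re
# Constructed model, not OpenSSH code, of the two phases Darren describes:
# directives are collected as the file is parsed; %-tokens in option values
# are expanded only afterwards, from the final option set. Match exec must
# run during parsing, so its %-tokens see whatever User holds at that point
# (Ian's test); Include gets the hypothetical parse-time expansion requested.
LOCAL_USER = "localuser"  # assumed fallback for %r while User is still unset

# Constructed sample configs: Ian's two orderings and Darren's pair.
CONFIGS = {
    "ian_a": 'Match exec "[ %r = foo ]"\nUserKnownHostsFile ~/bar\nMatch all\nUser foo',
    "ian_b": 'Match all\nUser foo\nMatch exec "[ %r = foo ]"\nUserKnownHostsFile ~/bar',
    "darren_option": "UserKnownHostsFile %r/bar\nUser foo",
    "darren_include": "Include %r/bar\nUser foo",
}

def expand(value, opts):  # %r is the remote user; fall back while unset
    return value.replace("%r", opts.get("User", LOCAL_USER))

def evaluate_exec(cmd):  # stand-in for running `[ X = Y ]` in a shell
    m = re.fullmatch(r"\[ (\S+) = (\S+) \]", cmd)
    return bool(m) and m.group(1) == m.group(2)

def parse_config(text):
    """Phase 1: a single pass over the file, honouring Match blocks."""
    opts, includes, active = {}, [], True
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        keyword, _, arg = line.partition(" ")
        if keyword == "Match":
            if arg == "all":
                active = True
            elif arg.startswith("exec "):  # expanded now, not after parsing
                active = evaluate_exec(expand(arg[5:].strip('"'), opts))
        elif keyword == "Include" and active:
            includes.append(expand(arg, opts))  # parse-time: User so far
        elif active and keyword not in opts:  # first obtained value wins
            opts[keyword] = arg
    return opts, includes

def resolve(text):
    """Phase 2: expand %-tokens in the final option set; return includes too."""
    opts, includes = parse_config(text)
    return {k: expand(v, opts) for k, v in opts.items()}, includes

for name, cfg in CONFIGS.items():
    print(name, resolve(cfg))
```

With these inputs, only "ian_b" ends up with UserKnownHostsFile set, "darren_option" resolves to foo/bar, and the Include path resolves to the fallback user rather than foo.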