upstream: Allow some keywords to expand shell-style ${ENV}

environment variables on the client side. The supported keywords are CertificateFile, ControlPath, IdentityAgent and IdentityFile, plus LocalForward and RemoteForward when used for Unix domain socket paths. This would for example allow forwarding of Unix domain socket paths that change at runtime. bz#3140, ok djm@ OpenBSD-Commit-ID: a4a2e801fc2d4df2fe0e58f50d9c81b03822dffa
author: dtucker@openbsd.org <dtucker@openbsd.org> 2020-05-29 04:25:40 +0000
committer: Damien Miller <djm@mindrot.org> 2020-05-29 15:46:47 +1000
commit: 4a1b46e6d032608b7ec00ae51c4e25b82f460b05 (patch)
tree: 7f345cd0424c5b6f7eff6e5d0f1b52747a960f9e /ssh_config.5
parent: c9bab1d3a9e183cef3a3412f57880a0374cc8cb2 (diff)
1 files changed, 43 insertions, 10 deletions
diff --git a/ssh_config.5 b/ssh_config.5
index dc010ccbd..001544dd3 100644
--- a/ssh_config.5
+++ b/ssh_config.5
@@ -33,8 +33,8 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $
+.\" $OpenBSD: ssh_config.5,v 1.326 2020/05/29 04:25:40 dtucker Exp $
-.Dd $Mdocdate: April 11 2020 $
+.Dd $Mdocdate: May 29 2020 $
 .Dt SSH_CONFIG 5
 .Os
 .Sh NAME
@@ -389,9 +389,11 @@ or
 .Pp
 Arguments to
 .Cm CertificateFile
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .Pp
 It is possible to have multiple certificate files specified in
@@ -551,9 +553,11 @@ section above or the string
 to disable connection sharing.
 Arguments to
 .Cm ControlPath
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 It is recommended that any
 .Cm ControlPath
@@ -934,9 +938,11 @@ the location of the socket.
 .Pp
 Arguments to
 .Cm IdentityAgent
-may use the tilde syntax to refer to a user's home directory
+may use the tilde syntax to refer to a user's home directory,
-or the tokens described in the
+the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .It Cm IdentityFile
 Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
@@ -1152,8 +1158,10 @@ indicates that the listening port be bound for local use only, while an
 empty address or
 .Sq *
 indicates that the port should be available from all interfaces.
-Unix domain socket paths accept the tokens described in the
+Unix domain socket paths may use the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .It Cm LogLevel
 Gives the verbosity level that is used when logging messages from
@@ -1423,8 +1431,10 @@ Multiple forwardings may be specified, and additional
 forwardings can be given on the command line.
 Privileged ports can be forwarded only when
 logging in as root on the remote machine.
-Unix domain socket paths accept the tokens described in the
+Unix domain socket paths may use the tokens described in the
 .Sx TOKENS
+section and environment variables as described in the
+.Sx ENVIRONMENT VARIABLES
 section.
 .Pp
 If the
@@ -1875,6 +1885,29 @@ accepts all tokens.
 .Pp
 .Cm ProxyCommand
 accepts the tokens %%, %h, %n, %p, and %r.
+.Sh ENVIRONMENT VARIABLES
+Arguments to some keywords can be expanded at runtime from environment
+variables on the client by enclosing them in
+.Ic ${} ,
+for example
+.Ic ${HOME}/.ssh
+would refer to the user's .ssh directory.
+If a specified environment variable does not exist then an error will be
+returned and the setting for that keyword will be ignored.
+.Pp
+The keywords
+.El
+.Cm CertificateFile ,
+.Cm ControlPath ,
+.Cm IdentityAgent
+and
+.Cm IdentityFile
+support environment variables.
+The keywords
+.Cm LocalForward
+and
+.Cm RemoteForward
+support environment variables only for Unix domain socket paths.
 .Sh FILES
 .Bl -tag -width Ds
 .It Pa ~/.ssh/config
author	dtucker@openbsd.org <dtucker@openbsd.org>	2020-05-29 04:25:40 +0000
committer	Damien Miller <djm@mindrot.org>	2020-05-29 15:46:47 +1000
commit	4a1b46e6d032608b7ec00ae51c4e25b82f460b05 (patch)
tree	7f345cd0424c5b6f7eff6e5d0f1b52747a960f9e /ssh_config.5
parent	c9bab1d3a9e183cef3a3412f57880a0374cc8cb2 (diff)

diff --git a/ssh_config.5 b/ssh_config.5 index dc010ccbd..001544dd3 100644 --- a/ssh_config.5 +++ b/ssh_config.5
@@ -33,8 +33,8 @@
33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	33	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	34	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
35	.\"	35	.\"
36	.\" $OpenBSD: ssh_config.5,v 1.325 2020/04/11 20:20:09 jmc Exp $	36	.\" $OpenBSD: ssh_config.5,v 1.326 2020/05/29 04:25:40 dtucker Exp $
37	.Dd $Mdocdate: April 11 2020 $	37	.Dd $Mdocdate: May 29 2020 $
38	.Dt SSH_CONFIG 5	38	.Dt SSH_CONFIG 5
39	.Os	39	.Os
40	.Sh NAME	40	.Sh NAME
@@ -389,9 +389,11 @@ or
389	.Pp	389	.Pp
390	Arguments to	390	Arguments to
391	.Cm CertificateFile	391	.Cm CertificateFile
392	may use the tilde syntax to refer to a user's home directory	392	may use the tilde syntax to refer to a user's home directory,
393	or the tokens described in the	393	the tokens described in the
394	.Sx TOKENS	394	.Sx TOKENS
		395	section and environment variables as described in the
		396	.Sx ENVIRONMENT VARIABLES
395	section.	397	section.
396	.Pp	398	.Pp
397	It is possible to have multiple certificate files specified in	399	It is possible to have multiple certificate files specified in
@@ -551,9 +553,11 @@ section above or the string
551	to disable connection sharing.	553	to disable connection sharing.
552	Arguments to	554	Arguments to
553	.Cm ControlPath	555	.Cm ControlPath
554	may use the tilde syntax to refer to a user's home directory	556	may use the tilde syntax to refer to a user's home directory,
555	or the tokens described in the	557	the tokens described in the
556	.Sx TOKENS	558	.Sx TOKENS
		559	section and environment variables as described in the
		560	.Sx ENVIRONMENT VARIABLES
557	section.	561	section.
558	It is recommended that any	562	It is recommended that any
559	.Cm ControlPath	563	.Cm ControlPath
@@ -934,9 +938,11 @@ the location of the socket.
934	.Pp	938	.Pp
935	Arguments to	939	Arguments to
936	.Cm IdentityAgent	940	.Cm IdentityAgent
937	may use the tilde syntax to refer to a user's home directory	941	may use the tilde syntax to refer to a user's home directory,
938	or the tokens described in the	942	the tokens described in the
939	.Sx TOKENS	943	.Sx TOKENS
		944	section and environment variables as described in the
		945	.Sx ENVIRONMENT VARIABLES
940	section.	946	section.
941	.It Cm IdentityFile	947	.It Cm IdentityFile
942	Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,	948	Specifies a file from which the user's DSA, ECDSA, authenticator-hosted ECDSA,
@@ -1152,8 +1158,10 @@ indicates that the listening port be bound for local use only, while an
1152	empty address or	1158	empty address or
1153	.Sq *	1159	.Sq *
1154	indicates that the port should be available from all interfaces.	1160	indicates that the port should be available from all interfaces.
1155	Unix domain socket paths accept the tokens described in the	1161	Unix domain socket paths may use the tokens described in the
1156	.Sx TOKENS	1162	.Sx TOKENS
		1163	section and environment variables as described in the
		1164	.Sx ENVIRONMENT VARIABLES
1157	section.	1165	section.
1158	.It Cm LogLevel	1166	.It Cm LogLevel
1159	Gives the verbosity level that is used when logging messages from	1167	Gives the verbosity level that is used when logging messages from
@@ -1423,8 +1431,10 @@ Multiple forwardings may be specified, and additional
1423	forwardings can be given on the command line.	1431	forwardings can be given on the command line.
1424	Privileged ports can be forwarded only when	1432	Privileged ports can be forwarded only when
1425	logging in as root on the remote machine.	1433	logging in as root on the remote machine.
1426	Unix domain socket paths accept the tokens described in the	1434	Unix domain socket paths may use the tokens described in the
1427	.Sx TOKENS	1435	.Sx TOKENS
		1436	section and environment variables as described in the
		1437	.Sx ENVIRONMENT VARIABLES
1428	section.	1438	section.
1429	.Pp	1439	.Pp
1430	If the	1440	If the
@@ -1875,6 +1885,29 @@ accepts all tokens.
1875	.Pp	1885	.Pp
1876	.Cm ProxyCommand	1886	.Cm ProxyCommand
1877	accepts the tokens %%, %h, %n, %p, and %r.	1887	accepts the tokens %%, %h, %n, %p, and %r.
		1888	.Sh ENVIRONMENT VARIABLES
		1889	Arguments to some keywords can be expanded at runtime from environment
		1890	variables on the client by enclosing them in
		1891	.Ic ${} ,
		1892	for example
		1893	.Ic ${HOME}/.ssh
		1894	would refer to the user's .ssh directory.
		1895	If a specified environment variable does not exist then an error will be
		1896	returned and the setting for that keyword will be ignored.
		1897	.Pp
		1898	The keywords
		1899	.El
		1900	.Cm CertificateFile ,
		1901	.Cm ControlPath ,
		1902	.Cm IdentityAgent
		1903	and
		1904	.Cm IdentityFile
		1905	support environment variables.
		1906	The keywords
		1907	.Cm LocalForward
		1908	and
		1909	.Cm RemoteForward
		1910	support environment variables only for Unix domain socket paths.
1878	.Sh FILES	1911	.Sh FILES
1879	.Bl -tag -width Ds	1912	.Bl -tag -width Ds
1880	.It Pa ~/.ssh/config	1913	.It Pa ~/.ssh/config