Skip SSH config dependency roots in Windows sandbox#18415
Skip SSH config dependency roots in Windows sandbox#18415efrazer-oai wants to merge 1 commit intoefrazer/windows-sandbox-skip-tshfrom
Conversation
![chatgpt-codex-connector[bot]](https://avatars.githubusercontent.com/in/1144995?s=60&v=4){kind=small}
There was a problem hiding this comment.
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: 11bd91e876
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| "" | ||
| } else { | ||
| let prefix = format!("{profile}/"); | ||
| path.strip_prefix(&prefix).unwrap_or_default() |
There was a problem hiding this comment.
record_profile_entry compares the full path case-insensitively, but uses a case-sensitive strip_prefix for "{profile}/". On Windows, a config path like c:\users\ALICE\.keys\id with USERPROFILE=C:\Users\Alice won't match, so no entry is recorded. That leaves .keys in read roots and ACLs can still be granted on SSH-dependent folders, defeating this fix.
Useful? React with 👍 / 👎.
|
Closing in favor of a smaller Windows sandbox fix that prevents USERPROFILE itself from becoming an ACL root. |
1 participant
Summary
Why
Adding .tsh covers the known Teleport failure. This follow-up handles the same class of bug when .ssh/config points at other profile folders through IdentityFile, CertificateFile, UserKnownHostsFile, ControlPath, IdentityAgent, PKCS11Provider, SecurityKeyProvider, XAuthLocation, or included config files.
The scanner is intentionally narrower than a general SSH client config parser. It answers one question: which top-level folders under the human user profile are named by the .ssh/config dependency chain?
Testing