Are you using paramiko as a client or server?

Client

What feature(s) aren't working right?

sshconfig

What version(s) of paramiko are you using?

3.5.1

What version(s) of Python are you using?

3.12.2

What operating system and version are you using?

MacOS Tahoe 26.0.1 (intel)

If you're connecting as a client, which SSH server are you connecting to?

OpenSSH

If you're using paramiko as part of another tool, which tool/version?

pyinfra

Expected/desired behavior

ProxyCommand is executed in a shell as per https://man.openbsd.org/ssh_config#ProxyCommand
Specifically I need to reference the home directory in a portable way between paramiko and openssh

Actual behavior

Openssh uses the shell so I can take advantage of environment variables.
Paramiko does a naive replace of ~ anywhere in the string.

So I can use $HOME in openssh or ~ in paramiko but neither works in the other.

The shell only expands ~ at the beginning of a word and paramiko doesn't expand environment variables because it doesn't run it in a shell.

How to reproduce

Here is an example config:

ProxyCommand openssl s_client -connect example.com:443 -servername %h --cert ~/PKCS12.p12 --alpn ssh/2.0 -quiet -verifyCAfile ~/Self-Signed_CA.crt -verify_quiet -pass file:$HOME/pass.txt

Anything else?

fixed by #1588