This is an automated email from the git hooks/post-receive script.
djm pushed a commit to branch master
in repository openssh.
commit 28013759f09ed3ebf7e8335e83a62936bd7a7f47
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jun 9 03:03:10 2018 +0000
upstream: add a SetEnv directive for sshd_config to allow an
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
---
servconf.c | 20 ++++++++++++++++++--
servconf.h | 4 +++-
session.c | 15 +++++++++++++--
sshd_config.5 | 18 +++++++++++++++++-
4 files changed, 51 insertions(+), 6 deletions(-)
diff --git a/servconf.c b/servconf.c
index f55b6673..6e70e631 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
options->client_alive_count_max = -1;
options->num_authkeys_files = 0;
options->num_accept_env = 0;
+ options->num_setenv = 0;
options->permit_tun = -1;
options->permitted_opens = NULL;
options->permitted_listens = NULL;
@@ -462,7 +463,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sAcceptEnv, sPermitTunnel,
+ sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -593,6 +594,7 @@ static struct {
{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
+ { "setenv", sSetEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "permittty", sPermitTTY, SSHCFG_ALL },
{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
@@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line,
}
break;
+ case sSetEnv:
+ uvalue = options->num_setenv;
+ while ((arg = strdelimw(&cp)) && *arg != '\0') {
+ if (strchr(arg, '=') == NULL)
+ fatal("%s line %d: Invalid environment.",
+ filename, linenum);
+ if (!*activep || uvalue != 0)
+ continue;
+ array_append(filename, linenum, "SetEnv",
+ &options->setenv, &options->num_setenv, arg);
+ }
+ break;
+
case sPermitTunnel:
intptr = &options->permit_tun;
arg = strdelim(&cp);
@@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o)
dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+ dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
dump_cfg_strarray_oneline(sAuthenticationMethods,
o->num_auth_methods, o->auth_methods);
diff --git a/servconf.h b/servconf.h
index 450b94ec..db8362c6 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.133 2018/06/06 18:23:32 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -154,6 +154,8 @@ typedef struct {
u_int num_accept_env;
char **accept_env;
+ u_int num_setenv;
+ char **setenv;
int max_startups_begin;
int max_startups_rate;
diff --git a/session.c b/session.c
index 7b15e32c..85df6a27 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.299 2018/06/09 02:58:02 djm Exp $ */
+/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1004,7 +1004,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
char buf[256];
size_t n;
u_int i, envsize;
- char *ocp, *cp, **env, *laddr;
+ char *ocp, *cp, *value, **env, *laddr;
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -1156,6 +1156,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
}
#endif /* USE_PAM */
+ /* Environment specified by admin */
+ for (i = 0; i < options.num_setenv; i++) {
+ cp = xstrdup(options.setenv[i]);
+ if ((value = strchr(cp, '=')) == NULL) {
+ /* shouldn't happen; vars are checked in servconf.c */
+ fatal("Invalid config SetEnv: %s", options.setenv[i]);
+ }
+ *value++ = '\0';
+ child_set_env(&env, &envsize, cp, value);
+ }
+
/* SSH_CLIENT deprecated */
snprintf(buf, sizeof buf, "%.50s %d %d",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd_config.5 b/sshd_config.5
index 395f5f6a..c62a9c8e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.273 2018/06/09 03:01:12 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.274 2018/06/09 03:03:10 djm Exp $
.Dd $Mdocdate: June 9 2018 $
.Dt SSHD_CONFIG 5
.Os
@@ -1138,6 +1138,7 @@ Available keywords are
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
+.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
@@ -1445,6 +1446,21 @@ will be bound to this
If the routing domain is set to
.Cm \&%D ,
then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits
djm pushed a commit to branch master
in repository openssh.
commit 28013759f09ed3ebf7e8335e83a62936bd7a7f47
Author: djm@openbsd.org <djm@openbsd.org>
Date: Sat Jun 9 03:03:10 2018 +0000
upstream: add a SetEnv directive for sshd_config to allow an
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
---
servconf.c | 20 ++++++++++++++++++--
servconf.h | 4 +++-
session.c | 15 +++++++++++++--
sshd_config.5 | 18 +++++++++++++++++-
4 files changed, 51 insertions(+), 6 deletions(-)
diff --git a/servconf.c b/servconf.c
index f55b6673..6e70e631 100644
--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
options->client_alive_count_max = -1;
options->num_authkeys_files = 0;
options->num_accept_env = 0;
+ options->num_setenv = 0;
options->permit_tun = -1;
options->permitted_opens = NULL;
options->permitted_listens = NULL;
@@ -462,7 +463,7 @@ typedef enum {
sHostKeyAlgorithms,
sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sAcceptEnv, sPermitTunnel,
+ sAcceptEnv, sSetEnv, sPermitTunnel,
sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
sUsePrivilegeSeparation, sAllowAgentForwarding,
sHostCertificate,
@@ -593,6 +594,7 @@ static struct {
{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
+ { "setenv", sSetEnv, SSHCFG_ALL },
{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
{ "permittty", sPermitTTY, SSHCFG_ALL },
{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
@@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line,
}
break;
+ case sSetEnv:
+ uvalue = options->num_setenv;
+ while ((arg = strdelimw(&cp)) && *arg != '\0') {
+ if (strchr(arg, '=') == NULL)
+ fatal("%s line %d: Invalid environment.",
+ filename, linenum);
+ if (!*activep || uvalue != 0)
+ continue;
+ array_append(filename, linenum, "SetEnv",
+ &options->setenv, &options->num_setenv, arg);
+ }
+ break;
+
case sPermitTunnel:
intptr = &options->permit_tun;
arg = strdelim(&cp);
@@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o)
dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+ dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
dump_cfg_strarray_oneline(sAuthenticationMethods,
o->num_auth_methods, o->auth_methods);
diff --git a/servconf.h b/servconf.h
index 450b94ec..db8362c6 100644
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.133 2018/06/06 18:23:32 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -154,6 +154,8 @@ typedef struct {
u_int num_accept_env;
char **accept_env;
+ u_int num_setenv;
+ char **setenv;
int max_startups_begin;
int max_startups_rate;
diff --git a/session.c b/session.c
index 7b15e32c..85df6a27 100644
--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.299 2018/06/09 02:58:02 djm Exp $ */
+/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
/*
* Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
* All rights reserved
@@ -1004,7 +1004,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
char buf[256];
size_t n;
u_int i, envsize;
- char *ocp, *cp, **env, *laddr;
+ char *ocp, *cp, *value, **env, *laddr;
struct passwd *pw = s->pw;
#if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
char *path = NULL;
@@ -1156,6 +1156,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
}
#endif /* USE_PAM */
+ /* Environment specified by admin */
+ for (i = 0; i < options.num_setenv; i++) {
+ cp = xstrdup(options.setenv[i]);
+ if ((value = strchr(cp, '=')) == NULL) {
+ /* shouldn't happen; vars are checked in servconf.c */
+ fatal("Invalid config SetEnv: %s", options.setenv[i]);
+ }
+ *value++ = '\0';
+ child_set_env(&env, &envsize, cp, value);
+ }
+
/* SSH_CLIENT deprecated */
snprintf(buf, sizeof buf, "%.50s %d %d",
ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd_config.5 b/sshd_config.5
index 395f5f6a..c62a9c8e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.273 2018/06/09 03:01:12 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.274 2018/06/09 03:03:10 djm Exp $
.Dd $Mdocdate: June 9 2018 $
.Dt SSHD_CONFIG 5
.Os
@@ -1138,6 +1138,7 @@ Available keywords are
.Cm RekeyLimit ,
.Cm RevokedKeys ,
.Cm RDomain ,
+.Cm SetEnv ,
.Cm StreamLocalBindMask ,
.Cm StreamLocalBindUnlink ,
.Cm TrustedUserCAKeys ,
@@ -1445,6 +1446,21 @@ will be bound to this
If the routing domain is set to
.Cm \&%D ,
then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
.It Cm StreamLocalBindMask
Sets the octal file creation mode mask
.Pq umask
--
To stop receiving notification emails like this one, please contact
djm@mindrot.org.
_______________________________________________
openssh-commits mailing list
openssh-commits@mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-commits