[Bug 1800] New: PermitUserEnvironment accepting pattern of allowed userenv variables

bugzilla-daemon at bugzilla.mindrot.org bugzilla-daemon at bugzilla.mindrot.org
Sun Jul 18 14:18:42 EST 2010


https://bugzilla.mindrot.org/show_bug.cgi?id=1800

           Summary: PermitUserEnvironment accepting pattern of allowed
                    userenv variables
           Product: Portable OpenSSH
           Version: 5.5p1
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: sshd
        AssignedTo: unassigned-bugs at mindrot.org
        ReportedBy: dada.da+mindrot at gmail.com


Created attachment 1901
  --> https://bugzilla.mindrot.org/attachment.cgi?id=1901
diff for patching 5.5p1 and 5.4p1

"PermitUserEnvironment=Yes" security risks could be mitigated by
allowing sshd to allow selected user-environment variables.  I have
written a patch which allows sshd configuration to specify:

"PermitUserEnvironment=VAR" 

This passes user environment variables (from $USER/.ssh/environment
and/or $USER/.ssh/authorized_keys) starting with VAR, ignoring all
other environment variables not previously copied by sshd.

The default option for PermitUserEnvironment is unchanged; it still
defaults to "No".

As a second effect, if PermitUserEnvironment is set to the default
"No", but an "environment=" option is specified in authorized_keys, the
key is no longer rejected with a "Bad options in file" error, but
instead silently ignores the "environment=" option, which is similar to
the behaviour of other options such as "permitopen=".

-- 
Configure bugmail: https://bugzilla.mindrot.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list