[Bug 2317] New: sshd_config man page not clear on PermitUserEnvironment

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Nov 15 12:53:44 EST 2014


https://bugzilla.mindrot.org/show_bug.cgi?id=2317

            Bug ID: 2317
           Summary: sshd_config man page not clear on
                    PermitUserEnvironment
           Product: Portable OpenSSH
           Version: 6.6p1
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: florin at andrei.myip.org

>From the current man page:

PermitUserEnvironment
             Specifies whether ~/.ssh/environment and environment=
options in ~/.ssh/authorized_keys are processed by sshd(8).  The
default is “no”.  Enabling environment pro‐cessing may enable users to
bypass access restrictions in some configurations using mechanisms such
as LD_PRELOAD.

What that sounds to me like is that enabling that option weakens the
security in general.

But after some googling I came across this discussion:

http://serverfault.com/questions/527638/security-risks-of-permituserenvironment-in-ssh

According to the answer, PermitUserEnvironment only weakens security
for restricted accounts, such as scp-only, etc., but has no impact on
full shell access accounts. If that is correct, then the man page is
incomplete and misleading.

I need that option enabled, but I was hesitant to use it. I almost
decided to not use it, but then I came across that discussion.

Please add a brief note to that entry in the man page, making clear
that there are no security issues with that option if all accounts have
full shell access (of course, assuming my interpretation is correct).

Thanks.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.


More information about the openssh-bugs mailing list