Funnies with SendEnv client config

Adam Majer amajer at suse.de
Wed Aug 17 21:39:42 AEST 2022


Hi all,

So, just wanted to raise the discussion about SendEnv again and how it's 
one option that doesn't follow the rest of the config parsing in OpenSSH.

Looking at the archive, this was raised previously,

   https://marc.info/?l=openssh-unix-dev&m=153069719521988

but there is some opposition due to embedded workflows,

   https://marc.info/?l=openssh-unix-dev&m=153070064923285


The main issue is that it's becoming more difficult for users, or even 
system admins, to override package defaults. Distributions are moving 
towards /usr/etc + /etc separation. Package defaults enabling SendEnv 
become stuck and unchangeable.


Would it be acceptable to have a compile-time flag that allows SendEnv to 
be treated like any other config parameter?


Alternatively, if a compile-time flag is not optimal, maybe a syntax like,

     SendEnv *- env1 env2 ...

could indicate to stop parsing following entries of SendEnv and only 
apply the current line? Basically, clear all and send this and ignore 
the following SendEnv in other sections. This would allow local user 
overrides and I would not expect this syntax to be used much in the wild.


Regarding line length raised in opposition to treating SendEnv as a 
regular parameter, I don't actually view this as a significant hurdle. We 
have editors that can wrap long lines without embedding \n. But YMMV.

- Adam
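
A simplified model of the parsing behaviour discussed in this message, added here as an illustration; it is not part of the original post and not OpenSSH code. Ordinary options keep the first value obtained, while SendEnv accumulates across files, so a `-PATTERN` removal in the user's file (read before the system-wide file) cannot undo packaged defaults. The sample configs, the variable name TERM_THEME and the `allow_reset` handling of the proposed `*-` marker are assumptions.

```python
from fnmatch import fnmatchcase

# Constructed sample configs, in the order ssh reads them:
# the user's file first, then the system-wide (packaged) defaults.
USER_CFG = [("ForwardX11", ["no"]), ("SendEnv", ["-LC_*", "-LANG"])]
SYSTEM_CFG = [("ForwardX11", ["yes"]), ("SendEnv", ["LANG", "LC_*"])]
USER_CFG_PROPOSED = [("SendEnv", ["*-", "TERM_THEME"])]


def parse(files, allow_reset=False):
    """Return (options, send_env) after reading `files` in order.

    allow_reset=True enables the hypothetical "*-" marker proposed in
    the message above; it is not implemented in OpenSSH.
    """
    options, send_env, locked = {}, [], False
    for directives in files:
        for keyword, args in directives:
            if keyword != "SendEnv":
                # Ordinary option: the first value obtained wins.
                options.setdefault(keyword, args[0])
                continue
            if locked:
                continue  # proposal: later SendEnv lines are ignored
            if allow_reset and args and args[0] == "*-":
                # Proposal: clear everything, keep only this line.
                send_env, locked = list(args[1:]), True
                continue
            for arg in args:
                if arg.startswith("-"):
                    # Removal only affects names collected so far.
                    send_env = [n for n in send_env
                                if not fnmatchcase(n, arg[1:])]
                else:
                    send_env.append(arg)
    return options, send_env


def demo():
    current = parse([USER_CFG, SYSTEM_CFG])
    proposed = parse([USER_CFG_PROPOSED, SYSTEM_CFG], allow_reset=True)
    return current, proposed


if __name__ == "__main__":
    for label, (opts, env) in zip(("current", "proposed"), demo()):
        print(label, opts, env)
```

In the "current" run the user's ForwardX11 value wins, yet LANG and LC_* are still sent; only the modelled `*-` line keeps the packaged SendEnv defaults out.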

