authorDamien Miller <djm@mindrot.org>2018-12-07 15:41:16 +1100
committerDamien Miller <djm@mindrot.org>2018-12-14 13:23:48 +1100
commit8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree4d8caa21acbf05e580e393d2f031bcd3bce873e1 /session.c
parenta784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff)
downloadopenssh-git-8a22ffaa13391cfe5b40316d938fe0fb931e9296.tar.gz
expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
Diffstat (limited to 'session.c')
-rw-r--r--session.c11
1 files changed, 7 insertions, 4 deletions
diff --git a/session.c b/session.c
index a3f0b356..d2e2fbd7 100644
--- a/session.c
+++ b/session.c
@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
char **p;
/*
- * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
- * back into the environment.
+ * Don't allow PAM-internal env vars to leak
+ * back into the session environment.
*/
+#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*"
p = fetch_pam_child_environment();
- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+ copy_environment_blacklist(p, &env, &envsize,
+ PAM_ENV_BLACKLIST);
free_pam_environment(p);
p = fetch_pam_environment();
- copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+ copy_environment_blacklist(p, &env, &envsize,
+ PAM_ENV_BLACKLIST);
free_pam_environment(p);
}
#endif /* USE_PAM */
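Review bot: `PAM_ENV_BLACKLIST` is defined in the middle of `do_setup_env`, inside the `USE_PAM` block, so the list of names that must not flow back from PAM into the session sits away from the code that posts those names to PAM (not visible here, since the diff is limited to session.c). If a later change exports another variable to PAM without extending this list, a value that a PAM module can set or alter would be copied into the user's session environment. I would move the define to file scope or a shared header and document the coupling, e.g. `/* Names sshd posts to PAM; never copy these back from the PAM environment. Keep in sync with the PAM export code. */`. Assuming the list is matched as glob patterns against variable names, the trailing `*` in `SSH_CONNECTION*` also drops any PAM-set variable that merely begins with that prefix, which is worth stating in the comment. `do_setup_env` starts and ends outside this hunk.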