diff options
author | Damien Miller <djm@mindrot.org> | 2018-12-07 15:41:16 +1100 |
---|---|---|
committer | Damien Miller <djm@mindrot.org> | 2018-12-14 13:23:48 +1100 |
commit | 8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch) | |
tree | 4d8caa21acbf05e580e393d2f031bcd3bce873e1 /session.c | |
parent | a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff) | |
download | openssh-git-8a22ffaa13391cfe5b40316d938fe0fb931e9296.tar.gz |
expose $SSH_CONNECTION in the PAM environment
This makes the connection 4-tuple available to PAM modules that
wish to use it in decision-making. bz#2741
Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 11 |
1 files changed, 7 insertions, 4 deletions
@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) char **p; /* - * Don't allow SSH_AUTH_INFO variables posted to PAM to leak - * back into the environment. + * Don't allow PAM-internal env vars to leak + * back into the session environment. */ +#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*" p = fetch_pam_child_environment(); - copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); + copy_environment_blacklist(p, &env, &envsize, + PAM_ENV_BLACKLIST); free_pam_environment(p); p = fetch_pam_environment(); - copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*"); + copy_environment_blacklist(p, &env, &envsize, + PAM_ENV_BLACKLIST); free_pam_environment(p); } #endif /* USE_PAM */ |