-rw-r--r-- | servconf.c | 20 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | session.c | 15 | ||||
-rw-r--r-- | sshd_config.5 | 18 |
4 files changed, 51 insertions, 6 deletions
@@ -1,5 +1,5 @@
-/* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
 options->client_alive_count_max = -1;
 options->num_authkeys_files = 0;
 options->num_accept_env = 0;
+ options->num_setenv = 0;
 options->permit_tun = -1;
 options->permitted_opens = NULL;
 options->permitted_listens = NULL;
@@ -462,7 +463,7 @@ typedef enum {
 sHostKeyAlgorithms, sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
- sAcceptEnv, sPermitTunnel,
+ sAcceptEnv, sSetEnv, sPermitTunnel,
 sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, sUsePrivilegeSeparation, sAllowAgentForwarding, sHostCertificate,
@@ -593,6 +594,7 @@ static struct {
 { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
 { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
 { "acceptenv", sAcceptEnv, SSHCFG_ALL },
+ { "setenv", sSetEnv, SSHCFG_ALL },
 { "permittunnel", sPermitTunnel, SSHCFG_ALL },
 { "permittty", sPermitTTY, SSHCFG_ALL },
 { "permituserrc", sPermitUserRC, SSHCFG_ALL },
@@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line,
 }
 break;
+ case sSetEnv:
+ uvalue = options->num_setenv;
+ while ((arg = strdelimw(&cp)) && *arg != '\0') {
+ if (strchr(arg, '=') == NULL)
+ fatal("%s line %d: Invalid environment.",
+ filename, linenum);
+ if (!*activep || uvalue != 0)
+ continue;
+ array_append(filename, linenum, "SetEnv",
+ &options->setenv, &options->num_setenv, arg);
+ }
+ break;
+
 case sPermitTunnel:
 intptr = &options->permit_tun;
 arg = strdelim(&cp);
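Review bot: Only the first `SetEnv` line in a configuration block is honoured: `uvalue` is captured before the loop, so once `options->num_setenv` is already non-zero every later `SetEnv` directive is dropped by `if (!*activep || uvalue != 0) continue;` with no diagnostic, and the sshd_config.5 text added in this commit does not say so. If first-occurrence-wins is intended, which looks like the pattern used for other keywords, a comment above the loop such as `/* first SetEnv line wins; additional SetEnv lines are silently ignored */` and a sentence in the manual would make that explicit. The validation also accepts an empty variable name (`=VALUE`), which then goes straight into the child environment in session.c; `if (*arg == '=' || strchr(arg, '=') == NULL)` would reject it. process_server_config_line continues on both sides of the hunk.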
@@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o)
 dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
 dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
 dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+ dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
 dump_cfg_strarray_oneline(sAuthenticationMethods, o->num_auth_methods, o->auth_methods);
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.133 2018/06/06 18:23:32 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
 /*
 * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -154,6 +154,8 @@ typedef struct {
 u_int num_accept_env;
 char **accept_env;
+ u_int num_setenv;
+ char **setenv;
 int max_startups_begin;
 int max_startups_rate;
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.299 2018/06/09 02:58:02 djm Exp $ */
+/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
 /*
 * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
 * All rights reserved
@@ -1004,7 +1004,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 char buf[256];
 size_t n;
 u_int i, envsize;
- char *ocp, *cp, **env, *laddr;
+ char *ocp, *cp, *value, **env, *laddr;
 struct passwd *pw = s->pw;
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 char *path = NULL;
@@ -1156,6 +1156,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 }
 #endif /* USE_PAM */
+ /* Environment specified by admin */
+ for (i = 0; i < options.num_setenv; i++) {
+ cp = xstrdup(options.setenv[i]);
+ if ((value = strchr(cp, '=')) == NULL) {
+ /* shouldn't happen; vars are checked in servconf.c */
+ fatal("Invalid config SetEnv: %s", options.setenv[i]);
+ }
+ *value++ = '\0';
+ child_set_env(&env, &envsize, cp, value);
+ }
+
 /* SSH_CLIENT deprecated */
 snprintf(buf, sizeof buf, "%.50s %d %d", ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),
diff --git a/sshd_config.5 b/sshd_config.5
index 395f5f6a..c62a9c8e 100644
--- a/sshd_config.5
+++ b/sshd_config.5
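Review bot: The `cp` returned by `xstrdup(options.setenv[i])` in the new do_setup_env loop is never released, so each SetEnv entry leaks one copy unless child_set_env takes ownership of the name string, which nothing in the hunk indicates; if it copies, add `free(cp);` directly after `child_set_env(&env, &envsize, cp, value);`. This runs in the per-session child shortly before the shell is started, so the cost is bounded, but the pattern should not be copied elsewhere. The manual text in this commit promises that SetEnv overrides AcceptEnv and PermitUserEnvironment; whether that holds depends on this block running after the user-supplied environment is applied and on child_set_env replacing an existing entry, neither of which is visible here, so a comment like `/* Must follow user-supplied environment handling so admin values win */` would pin the ordering the documentation relies on. do_setup_env begins and ends outside the hunk.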
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.273 2018/06/09 03:01:12 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.274 2018/06/09 03:03:10 djm Exp $
 .Dd $Mdocdate: June 9 2018 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1138,6 +1138,7 @@ Available keywords are
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
 .Cm RDomain ,
+.Cm SetEnv ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1445,6 +1446,21 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask |