- stevesk@cvs.openbsd.org 2002/08/12 17:30:35

[ssh.1 sshd.8 sshd_config.5] more PermitUserEnvironment; ok markus@
author: Ben Lindstrom <mouring@eviladmin.org> 2002-08-20 18:54:20 +0000
committer: Ben Lindstrom <mouring@eviladmin.org> 2002-08-20 18:54:20 +0000
commit: bd9bf38b00f14098f51b965ba72a4e8fe5877607 (patch)
tree: 99ae388ad933ae123d8be89ec5f06cdc36dd22f7
parent: 15b6120e633fb1d66fbcbac3d5c7352d79ddbc20 (diff)
4 files changed, 25 insertions, 15 deletions
diff --git a/ChangeLog b/ChangeLog
index 0078cf846..5b291c7bf 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
   - stevesk@cvs.openbsd.org 2002/08/09 17:41:12
     [sshd_config.5]
     proxy vs. fake display
+   - stevesk@cvs.openbsd.org 2002/08/12 17:30:35
+     [ssh.1 sshd.8 sshd_config.5]
+     more PermitUserEnvironment; ok markus@
 20020813
 - (tim) [configure.ac] Display OpenSSL header/library version.
@@ -1527,4 +1530,4 @@
 - (stevesk) entropy.c: typo in debug message
 - (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2422 2002/08/20 18:44:24 mouring Exp $
+$Id: ChangeLog,v 1.2423 2002/08/20 18:54:20 mouring Exp $
diff --git a/ssh.1 b/ssh.1
index 00ebdd4dd..403c6ad65 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: ssh.1,v 1.161 2002/08/02 16:00:07 marc Exp $
+.\" $OpenBSD: ssh.1,v 1.162 2002/08/12 17:30:35 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSH 1
 .Os
@@ -744,9 +744,9 @@ and adds lines of the format
 .Dq VARNAME=value
 to the environment if the file exists and if users are allowed to
 change their environment.
-See
+See the
 .Cm PermitUserEnvironment
-in
+option in
 .Xr sshd_config 5 .
 .Sh FILES
 .Bl -tag -width Ds
diff --git a/sshd.8 b/sshd.8
index a098b43ca..769c74224 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd.8,v 1.187 2002/08/02 16:00:07 marc Exp $
+.\" $OpenBSD: sshd.8,v 1.188 2002/08/12 17:30:35 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD 8
 .Os
@@ -351,9 +351,9 @@ Sets up basic environment.
 Reads
 .Pa $HOME/.ssh/environment
 if it exists and users are allowed to change their environment.
-See
+See the
 .Cm PermitUserEnvironment
-in
+option in
 .Xr sshd_config 5 .
 .It
 Changes to user's home directory.
@@ -462,6 +462,10 @@ logging in using this key.
 Environment variables set this way
 override other default environment values.
 Multiple options of this type are permitted.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
 This option is automatically disabled if
 .Cm UseLogin
 is enabled.
@@ -702,6 +706,10 @@ It can only contain empty lines, comment lines (that start with
 and assignment lines of the form name=value.
 The file should be writable
 only by the user; it need not be readable by anyone else.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
 .It Pa $HOME/.ssh/rc
 If this file exists, it is run with /bin/sh after reading the
 environment files but before starting the user's shell or command.
diff --git a/sshd_config.5 b/sshd_config.5
index fcebbede9..0c799bfe8 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.8 2002/08/09 17:41:12 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.9 2002/08/12 17:30:35 stevesk Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -468,18 +468,17 @@ root is not allowed to login.
 .It Cm PermitUserEnvironment
 Specifies whether
 .Pa ~/.ssh/environment
-is read by
+and
-.Nm sshd
-and whether
 .Cm environment=
 options in
 .Pa ~/.ssh/authorized_keys
-files are permitted.
+are processed by
+.Nm sshd .
 The default is
 .Dq no .
-This option is useful for locked-down installations where
+Enabling environment processing may enable users to bypass access
-.Ev LD_PRELOAD
+restrictions in some configurations using mechanisms such as
-and suchlike can cause security problems.
+.Ev LD_PRELOAD .
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 .Nm sshd
author	Ben Lindstrom <mouring@eviladmin.org>	2002-08-20 18:54:20 +0000
committer	Ben Lindstrom <mouring@eviladmin.org>	2002-08-20 18:54:20 +0000
commit	bd9bf38b00f14098f51b965ba72a4e8fe5877607 (patch)
tree	99ae388ad933ae123d8be89ec5f06cdc36dd22f7
parent	15b6120e633fb1d66fbcbac3d5c7352d79ddbc20 (diff)

diff --git a/ChangeLog b/ChangeLog index 0078cf846..5b291c7bf 100644 --- a/ChangeLog +++ b/ChangeLog
@@ -30,6 +30,9 @@
30	- stevesk@cvs.openbsd.org 2002/08/09 17:41:12	30	- stevesk@cvs.openbsd.org 2002/08/09 17:41:12
31	[sshd_config.5]	31	[sshd_config.5]
32	proxy vs. fake display	32	proxy vs. fake display
		33	- stevesk@cvs.openbsd.org 2002/08/12 17:30:35
		34	[ssh.1 sshd.8 sshd_config.5]
		35	more PermitUserEnvironment; ok markus@
33		36
34	20020813	37	20020813
35	- (tim) [configure.ac] Display OpenSSL header/library version.	38	- (tim) [configure.ac] Display OpenSSL header/library version.
@@ -1527,4 +1530,4 @@
1527	- (stevesk) entropy.c: typo in debug message	1530	- (stevesk) entropy.c: typo in debug message
1528	- (djm) ssh-keygen -i needs seeded RNG; report from markus@	1531	- (djm) ssh-keygen -i needs seeded RNG; report from markus@
1529		1532
1530	$Id: ChangeLog,v 1.2422 2002/08/20 18:44:24 mouring Exp $	1533	$Id: ChangeLog,v 1.2423 2002/08/20 18:54:20 mouring Exp $


diff --git a/ssh.1 b/ssh.1 index 00ebdd4dd..403c6ad65 100644 --- a/ssh.1 +++ b/ssh.1
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: ssh.1,v 1.161 2002/08/02 16:00:07 marc Exp $	37	.\" $OpenBSD: ssh.1,v 1.162 2002/08/12 17:30:35 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSH 1	39	.Dt SSH 1
40	.Os	40	.Os
@@ -744,9 +744,9 @@ and adds lines of the format
744	.Dq VARNAME=value	744	.Dq VARNAME=value
745	to the environment if the file exists and if users are allowed to	745	to the environment if the file exists and if users are allowed to
746	change their environment.	746	change their environment.
747	See	747	See the
748	.Cm PermitUserEnvironment	748	.Cm PermitUserEnvironment
749	in	749	option in
750	.Xr sshd_config 5 .	750	.Xr sshd_config 5 .
751	.Sh FILES	751	.Sh FILES
752	.Bl -tag -width Ds	752	.Bl -tag -width Ds


diff --git a/sshd.8 b/sshd.8 index a098b43ca..769c74224 100644 --- a/sshd.8 +++ b/sshd.8
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd.8,v 1.187 2002/08/02 16:00:07 marc Exp $	37	.\" $OpenBSD: sshd.8,v 1.188 2002/08/12 17:30:35 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD 8	39	.Dt SSHD 8
40	.Os	40	.Os
@@ -351,9 +351,9 @@ Sets up basic environment.
351	Reads	351	Reads
352	.Pa $HOME/.ssh/environment	352	.Pa $HOME/.ssh/environment
353	if it exists and users are allowed to change their environment.	353	if it exists and users are allowed to change their environment.
354	See	354	See the
355	.Cm PermitUserEnvironment	355	.Cm PermitUserEnvironment
356	in	356	option in
357	.Xr sshd_config 5 .	357	.Xr sshd_config 5 .
358	.It	358	.It
359	Changes to user's home directory.	359	Changes to user's home directory.
@@ -462,6 +462,10 @@ logging in using this key.
462	Environment variables set this way	462	Environment variables set this way
463	override other default environment values.	463	override other default environment values.
464	Multiple options of this type are permitted.	464	Multiple options of this type are permitted.
		465	Environment processing is disabled by default and is
		466	controlled via the
		467	.Cm PermitUserEnvironment
		468	option.
465	This option is automatically disabled if	469	This option is automatically disabled if
466	.Cm UseLogin	470	.Cm UseLogin
467	is enabled.	471	is enabled.
@@ -702,6 +706,10 @@ It can only contain empty lines, comment lines (that start with
702	and assignment lines of the form name=value.	706	and assignment lines of the form name=value.
703	The file should be writable	707	The file should be writable
704	only by the user; it need not be readable by anyone else.	708	only by the user; it need not be readable by anyone else.
		709	Environment processing is disabled by default and is
		710	controlled via the
		711	.Cm PermitUserEnvironment
		712	option.
705	.It Pa $HOME/.ssh/rc	713	.It Pa $HOME/.ssh/rc
706	If this file exists, it is run with /bin/sh after reading the	714	If this file exists, it is run with /bin/sh after reading the
707	environment files but before starting the user's shell or command.	715	environment files but before starting the user's shell or command.


diff --git a/sshd_config.5 b/sshd_config.5 index fcebbede9..0c799bfe8 100644 --- a/sshd_config.5 +++ b/sshd_config.5
@@ -34,7 +34,7 @@
34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF	34	.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.	35	.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
36	.\"	36	.\"
37	.\" $OpenBSD: sshd_config.5,v 1.8 2002/08/09 17:41:12 stevesk Exp $	37	.\" $OpenBSD: sshd_config.5,v 1.9 2002/08/12 17:30:35 stevesk Exp $
38	.Dd September 25, 1999	38	.Dd September 25, 1999
39	.Dt SSHD_CONFIG 5	39	.Dt SSHD_CONFIG 5
40	.Os	40	.Os
@@ -468,18 +468,17 @@ root is not allowed to login.
468	.It Cm PermitUserEnvironment	468	.It Cm PermitUserEnvironment
469	Specifies whether	469	Specifies whether
470	.Pa ~/.ssh/environment	470	.Pa ~/.ssh/environment
471	is read by	471	and
472	.Nm sshd
473	and whether
474	.Cm environment=	472	.Cm environment=
475	options in	473	options in
476	.Pa ~/.ssh/authorized_keys	474	.Pa ~/.ssh/authorized_keys
477	files are permitted.	475	are processed by
		476	.Nm sshd .
478	The default is	477	The default is
479	.Dq no .	478	.Dq no .
480	This option is useful for locked-down installations where	479	Enabling environment processing may enable users to bypass access
481	.Ev LD_PRELOAD	480	restrictions in some configurations using mechanisms such as
482	and suchlike can cause security problems.	481	.Ev LD_PRELOAD .
483	.It Cm PidFile	482	.It Cm PidFile
484	Specifies the file that contains the process ID of the	483	Specifies the file that contains the process ID of the
485	.Nm sshd	484	.Nm sshd