diff options
| author | djm@openbsd.org <djm@openbsd.org> | 2018-06-09 03:03:10 +0000 |
|---|---|---|
| committer | Damien Miller <djm@mindrot.org> | 2018-06-09 13:11:00 +1000 |
| commit | 28013759f09ed3ebf7e8335e83a62936bd7a7f47 (patch) | |
| tree | 11704fdf59dbe3ebfe0151cbe82eb0847e12b420 /servconf.c | |
| parent | 7082bb58a2eb878d23ec674587c742e5e9673c36 (diff) | |
upstream: add a SetEnv directive for sshd_config to allow an
administrator to explicitly specify environment variables set in sessions
started by sshd. These override the default environment and any variables set
by user configuration (PermitUserEnvironment, etc), but not the SSH_*
variables set by sshd itself.
ok markus@
OpenBSD-Commit-ID: b6a96c0001ccd7dd211df6cae9e961c20fd718c0
Diffstat (limited to 'servconf.c')
| -rw-r--r-- | servconf.c | 20 |
1 files changed, 18 insertions, 2 deletions
diff --git a/servconf.c b/servconf.c index f55b66736..6e70e6312 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options) | |||
| 158 | options->client_alive_count_max = -1; | 158 | options->client_alive_count_max = -1; |
| 159 | options->num_authkeys_files = 0; | 159 | options->num_authkeys_files = 0; |
| 160 | options->num_accept_env = 0; | 160 | options->num_accept_env = 0; |
| 161 | options->num_setenv = 0; | ||
| 161 | options->permit_tun = -1; | 162 | options->permit_tun = -1; |
| 162 | options->permitted_opens = NULL; | 163 | options->permitted_opens = NULL; |
| 163 | options->permitted_listens = NULL; | 164 | options->permitted_listens = NULL; |
| @@ -462,7 +463,7 @@ typedef enum { | |||
| 462 | sHostKeyAlgorithms, | 463 | sHostKeyAlgorithms, |
| 463 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 464 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
| 464 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 465 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
| 465 | sAcceptEnv, sPermitTunnel, | 466 | sAcceptEnv, sSetEnv, sPermitTunnel, |
| 466 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, | 467 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, |
| 467 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 468 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 468 | sHostCertificate, | 469 | sHostCertificate, |
| @@ -593,6 +594,7 @@ static struct { | |||
| 593 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, | 594 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, |
| 594 | { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, | 595 | { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, |
| 595 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, | 596 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, |
| 597 | { "setenv", sSetEnv, SSHCFG_ALL }, | ||
| 596 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, | 598 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, |
| 597 | { "permittty", sPermitTTY, SSHCFG_ALL }, | 599 | { "permittty", sPermitTTY, SSHCFG_ALL }, |
| 598 | { "permituserrc", sPermitUserRC, SSHCFG_ALL }, | 600 | { "permituserrc", sPermitUserRC, SSHCFG_ALL }, |
| @@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1801 | } | 1803 | } |
| 1802 | break; | 1804 | break; |
| 1803 | 1805 | ||
| 1806 | case sSetEnv: | ||
| 1807 | uvalue = options->num_setenv; | ||
| 1808 | while ((arg = strdelimw(&cp)) && *arg != '\0') { | ||
| 1809 | if (strchr(arg, '=') == NULL) | ||
| 1810 | fatal("%s line %d: Invalid environment.", | ||
| 1811 | filename, linenum); | ||
| 1812 | if (!*activep || uvalue != 0) | ||
| 1813 | continue; | ||
| 1814 | array_append(filename, linenum, "SetEnv", | ||
| 1815 | &options->setenv, &options->num_setenv, arg); | ||
| 1816 | } | ||
| 1817 | break; | ||
| 1818 | |||
| 1804 | case sPermitTunnel: | 1819 | case sPermitTunnel: |
| 1805 | intptr = &options->permit_tun; | 1820 | intptr = &options->permit_tun; |
| 1806 | arg = strdelim(&cp); | 1821 | arg = strdelim(&cp); |
| @@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o) | |||
| 2562 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); | 2577 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); |
| 2563 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); | 2578 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); |
| 2564 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); | 2579 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); |
| 2580 | dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv); | ||
| 2565 | dump_cfg_strarray_oneline(sAuthenticationMethods, | 2581 | dump_cfg_strarray_oneline(sAuthenticationMethods, |
| 2566 | o->num_auth_methods, o->auth_methods); | 2582 | o->num_auth_methods, o->auth_methods); |
| 2567 | 2583 | ||