expose $SSH_CONNECTION in the PAM environment

This makes the connection 4-tuple available to PAM modules that wish to use it in decision-making. bz#2741
author: Damien Miller <djm@mindrot.org> 2018-12-07 15:41:16 +1100
committer: Damien Miller <djm@mindrot.org> 2018-12-14 13:23:48 +1100
commit: 8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree: 4d8caa21acbf05e580e393d2f031bcd3bce873e1 /session.c
parent: a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff)
1 files changed, 7 insertions, 4 deletions
diff --git a/session.c b/session.c
index a3f0b3562..d2e2fbd74 100644
--- a/session.c
+++ b/session.c
@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
                char **p;
                /*
-                 * Don't allow SSH_AUTH_INFO variables posted to PAM to leak
+                 * Don't allow PAM-internal env vars to leak
-                 * back into the environment.
+                 * back into the session environment.
                 */
+#define PAM_ENV_BLACKLIST  "SSH_AUTH_INFO*,SSH_CONNECTION*"
                p = fetch_pam_child_environment();
-                copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+                copy_environment_blacklist(p, &env, &envsize,
+                    PAM_ENV_BLACKLIST);
                free_pam_environment(p);
                p = fetch_pam_environment();
-                copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+                copy_environment_blacklist(p, &env, &envsize,
+                    PAM_ENV_BLACKLIST);
                free_pam_environment(p);
        }
 #endif /* USE_PAM */
author	Damien Miller <djm@mindrot.org>	2018-12-07 15:41:16 +1100
committer	Damien Miller <djm@mindrot.org>	2018-12-14 13:23:48 +1100
commit	8a22ffaa13391cfe5b40316d938fe0fb931e9296 (patch)
tree	4d8caa21acbf05e580e393d2f031bcd3bce873e1 /session.c
parent	a784fa8c7a7b084d63bae82ccfea902131bb45c5 (diff)