diff options
| -rw-r--r-- | servconf.c | 20 | ||||
| -rw-r--r-- | servconf.h | 4 | ||||
| -rw-r--r-- | session.c | 15 | ||||
| -rw-r--r-- | sshd_config.5 | 18 |
4 files changed, 51 insertions, 6 deletions
diff --git a/servconf.c b/servconf.c index f55b66736..6e70e6312 100644 --- a/servconf.c +++ b/servconf.c | |||
| @@ -1,5 +1,5 @@ | |||
| 1 | 1 | ||
| 2 | /* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */ | 2 | /* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */ |
| 3 | /* | 3 | /* |
| 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 4 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 5 | * All rights reserved | 5 | * All rights reserved |
| @@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options) | |||
| 158 | options->client_alive_count_max = -1; | 158 | options->client_alive_count_max = -1; |
| 159 | options->num_authkeys_files = 0; | 159 | options->num_authkeys_files = 0; |
| 160 | options->num_accept_env = 0; | 160 | options->num_accept_env = 0; |
| 161 | options->num_setenv = 0; | ||
| 161 | options->permit_tun = -1; | 162 | options->permit_tun = -1; |
| 162 | options->permitted_opens = NULL; | 163 | options->permitted_opens = NULL; |
| 163 | options->permitted_listens = NULL; | 164 | options->permitted_listens = NULL; |
| @@ -462,7 +463,7 @@ typedef enum { | |||
| 462 | sHostKeyAlgorithms, | 463 | sHostKeyAlgorithms, |
| 463 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, | 464 | sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile, |
| 464 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, | 465 | sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor, |
| 465 | sAcceptEnv, sPermitTunnel, | 466 | sAcceptEnv, sSetEnv, sPermitTunnel, |
| 466 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, | 467 | sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory, |
| 467 | sUsePrivilegeSeparation, sAllowAgentForwarding, | 468 | sUsePrivilegeSeparation, sAllowAgentForwarding, |
| 468 | sHostCertificate, | 469 | sHostCertificate, |
| @@ -593,6 +594,7 @@ static struct { | |||
| 593 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, | 594 | { "authorizedkeysfile2", sDeprecated, SSHCFG_ALL }, |
| 594 | { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, | 595 | { "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL}, |
| 595 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, | 596 | { "acceptenv", sAcceptEnv, SSHCFG_ALL }, |
| 597 | { "setenv", sSetEnv, SSHCFG_ALL }, | ||
| 596 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, | 598 | { "permittunnel", sPermitTunnel, SSHCFG_ALL }, |
| 597 | { "permittty", sPermitTTY, SSHCFG_ALL }, | 599 | { "permittty", sPermitTTY, SSHCFG_ALL }, |
| 598 | { "permituserrc", sPermitUserRC, SSHCFG_ALL }, | 600 | { "permituserrc", sPermitUserRC, SSHCFG_ALL }, |
| @@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line, | |||
| 1801 | } | 1803 | } |
| 1802 | break; | 1804 | break; |
| 1803 | 1805 | ||
| 1806 | case sSetEnv: | ||
| 1807 | uvalue = options->num_setenv; | ||
| 1808 | while ((arg = strdelimw(&cp)) && *arg != '\0') { | ||
| 1809 | if (strchr(arg, '=') == NULL) | ||
| 1810 | fatal("%s line %d: Invalid environment.", | ||
| 1811 | filename, linenum); | ||
| 1812 | if (!*activep || uvalue != 0) | ||
| 1813 | continue; | ||
| 1814 | array_append(filename, linenum, "SetEnv", | ||
| 1815 | &options->setenv, &options->num_setenv, arg); | ||
| 1816 | } | ||
| 1817 | break; | ||
| 1818 | |||
| 1804 | case sPermitTunnel: | 1819 | case sPermitTunnel: |
| 1805 | intptr = &options->permit_tun; | 1820 | intptr = &options->permit_tun; |
| 1806 | arg = strdelim(&cp); | 1821 | arg = strdelim(&cp); |
| @@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o) | |||
| 2562 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); | 2577 | dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups); |
| 2563 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); | 2578 | dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups); |
| 2564 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); | 2579 | dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env); |
| 2580 | dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv); | ||
| 2565 | dump_cfg_strarray_oneline(sAuthenticationMethods, | 2581 | dump_cfg_strarray_oneline(sAuthenticationMethods, |
| 2566 | o->num_auth_methods, o->auth_methods); | 2582 | o->num_auth_methods, o->auth_methods); |
| 2567 | 2583 | ||
diff --git a/servconf.h b/servconf.h index 450b94ec4..db8362c60 100644 --- a/servconf.h +++ b/servconf.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: servconf.h,v 1.133 2018/06/06 18:23:32 djm Exp $ */ | 1 | /* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */ |
| 2 | 2 | ||
| 3 | /* | 3 | /* |
| 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> | 4 | * Author: Tatu Ylonen <ylo@cs.hut.fi> |
| @@ -154,6 +154,8 @@ typedef struct { | |||
| 154 | 154 | ||
| 155 | u_int num_accept_env; | 155 | u_int num_accept_env; |
| 156 | char **accept_env; | 156 | char **accept_env; |
| 157 | u_int num_setenv; | ||
| 158 | char **setenv; | ||
| 157 | 159 | ||
| 158 | int max_startups_begin; | 160 | int max_startups_begin; |
| 159 | int max_startups_rate; | 161 | int max_startups_rate; |
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: session.c,v 1.299 2018/06/09 02:58:02 djm Exp $ */ | 1 | /* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland | 3 | * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland |
| 4 | * All rights reserved | 4 | * All rights reserved |
| @@ -1004,7 +1004,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1004 | char buf[256]; | 1004 | char buf[256]; |
| 1005 | size_t n; | 1005 | size_t n; |
| 1006 | u_int i, envsize; | 1006 | u_int i, envsize; |
| 1007 | char *ocp, *cp, **env, *laddr; | 1007 | char *ocp, *cp, *value, **env, *laddr; |
| 1008 | struct passwd *pw = s->pw; | 1008 | struct passwd *pw = s->pw; |
| 1009 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) | 1009 | #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN) |
| 1010 | char *path = NULL; | 1010 | char *path = NULL; |
| @@ -1156,6 +1156,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell) | |||
| 1156 | } | 1156 | } |
| 1157 | #endif /* USE_PAM */ | 1157 | #endif /* USE_PAM */ |
| 1158 | 1158 | ||
| 1159 | /* Environment specified by admin */ | ||
| 1160 | for (i = 0; i < options.num_setenv; i++) { | ||
| 1161 | cp = xstrdup(options.setenv[i]); | ||
| 1162 | if ((value = strchr(cp, '=')) == NULL) { | ||
| 1163 | /* shouldn't happen; vars are checked in servconf.c */ | ||
| 1164 | fatal("Invalid config SetEnv: %s", options.setenv[i]); | ||
| 1165 | } | ||
| 1166 | *value++ = '\0'; | ||
| 1167 | child_set_env(&env, &envsize, cp, value); | ||
| 1168 | } | ||
| 1169 | |||
| 1159 | /* SSH_CLIENT deprecated */ | 1170 | /* SSH_CLIENT deprecated */ |
| 1160 | snprintf(buf, sizeof buf, "%.50s %d %d", | 1171 | snprintf(buf, sizeof buf, "%.50s %d %d", |
| 1161 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), | 1172 | ssh_remote_ipaddr(ssh), ssh_remote_port(ssh), |
diff --git a/sshd_config.5 b/sshd_config.5 index 395f5f6ac..c62a9c8e9 100644 --- a/sshd_config.5 +++ b/sshd_config.5 | |||
| @@ -33,7 +33,7 @@ | |||
| 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF | 33 | .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF |
| 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. | 34 | .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. |
| 35 | .\" | 35 | .\" |
| 36 | .\" $OpenBSD: sshd_config.5,v 1.273 2018/06/09 03:01:12 djm Exp $ | 36 | .\" $OpenBSD: sshd_config.5,v 1.274 2018/06/09 03:03:10 djm Exp $ |
| 37 | .Dd $Mdocdate: June 9 2018 $ | 37 | .Dd $Mdocdate: June 9 2018 $ |
| 38 | .Dt SSHD_CONFIG 5 | 38 | .Dt SSHD_CONFIG 5 |
| 39 | .Os | 39 | .Os |
| @@ -1138,6 +1138,7 @@ Available keywords are | |||
| 1138 | .Cm RekeyLimit , | 1138 | .Cm RekeyLimit , |
| 1139 | .Cm RevokedKeys , | 1139 | .Cm RevokedKeys , |
| 1140 | .Cm RDomain , | 1140 | .Cm RDomain , |
| 1141 | .Cm SetEnv , | ||
| 1141 | .Cm StreamLocalBindMask , | 1142 | .Cm StreamLocalBindMask , |
| 1142 | .Cm StreamLocalBindUnlink , | 1143 | .Cm StreamLocalBindUnlink , |
| 1143 | .Cm TrustedUserCAKeys , | 1144 | .Cm TrustedUserCAKeys , |
| @@ -1445,6 +1446,21 @@ will be bound to this | |||
| 1445 | If the routing domain is set to | 1446 | If the routing domain is set to |
| 1446 | .Cm \&%D , | 1447 | .Cm \&%D , |
| 1447 | then the domain in which the incoming connection was received will be applied. | 1448 | then the domain in which the incoming connection was received will be applied. |
| 1449 | .It Cm SetEnv | ||
| 1450 | Specifies one or more environment variables to set in child sessions started | ||
| 1451 | by | ||
| 1452 | .Xr sshd 8 | ||
| 1453 | as | ||
| 1454 | .Dq NAME=VALUE . | ||
| 1455 | The environment value may be quoted (e.g. if it contains whitespace | ||
| 1456 | characters). | ||
| 1457 | Environment variables set by | ||
| 1458 | .Cm SetEnv | ||
| 1459 | override the default environment and any variables specified by the user | ||
| 1460 | via | ||
| 1461 | .Cm AcceptEnv | ||
| 1462 | or | ||
| 1463 | .Cm PermitUserEnvironment . | ||
| 1448 | .It Cm StreamLocalBindMask | 1464 | .It Cm StreamLocalBindMask |
| 1449 | Sets the octal file creation mode mask | 1465 | Sets the octal file creation mode mask |
| 1450 | .Pq umask | 1466 | .Pq umask |