-rw-r--r-- | servconf.c | 20 | ||||
-rw-r--r-- | servconf.h | 4 | ||||
-rw-r--r-- | session.c | 15 | ||||
-rw-r--r-- | sshd_config.5 | 18 |
4 files changed, 51 insertions, 6 deletions
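--- a/servconf.c
+++ b/servconf.c
@@ -1,5 +1,5 @@
 
-/* $OpenBSD: servconf.c,v 1.331 2018/06/06 18:29:18 markus Exp $ */
+/* $OpenBSD: servconf.c,v 1.332 2018/06/09 03:03:10 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -158,6 +158,7 @@ initialize_server_options(ServerOptions *options)
 	options->client_alive_count_max = -1;
 	options->num_authkeys_files = 0;
 	options->num_accept_env = 0;
+	options->num_setenv = 0;
 	options->permit_tun = -1;
 	options->permitted_opens = NULL;
 	options->permitted_listens = NULL;
@@ -462,7 +463,7 @@ typedef enum {
 	sHostKeyAlgorithms,
 	sClientAliveInterval, sClientAliveCountMax, sAuthorizedKeysFile,
 	sGssAuthentication, sGssCleanupCreds, sGssStrictAcceptor,
-	sAcceptEnv, sPermitTunnel,
+	sAcceptEnv, sSetEnv, sPermitTunnel,
 	sMatch, sPermitOpen, sPermitListen, sForceCommand, sChrootDirectory,
 	sUsePrivilegeSeparation, sAllowAgentForwarding,
 	sHostCertificate,
@@ -593,6 +594,7 @@ static struct {
 	{ "authorizedkeysfile2", sDeprecated, SSHCFG_ALL },
 	{ "useprivilegeseparation", sDeprecated, SSHCFG_GLOBAL},
 	{ "acceptenv", sAcceptEnv, SSHCFG_ALL },
+	{ "setenv", sSetEnv, SSHCFG_ALL },
 	{ "permittunnel", sPermitTunnel, SSHCFG_ALL },
 	{ "permittty", sPermitTTY, SSHCFG_ALL },
 	{ "permituserrc", sPermitUserRC, SSHCFG_ALL },
@@ -1801,6 +1803,19 @@ process_server_config_line(ServerOptions *options, char *line,
 		}
 		break;
 
+	case sSetEnv:
+		uvalue = options->num_setenv;
+		while ((arg = strdelimw(&cp)) && *arg != '\0') {
+			if (strchr(arg, '=') == NULL)
+				fatal("%s line %d: Invalid environment.",
+				    filename, linenum);
+			if (!*activep || uvalue != 0)
+				continue;
+			array_append(filename, linenum, "SetEnv",
+			    &options->setenv, &options->num_setenv, arg);
+		}
+		break;
+
 	case sPermitTunnel:
 		intptr = &options->permit_tun;
 		arg = strdelim(&cp);
@@ -2562,6 +2577,7 @@ dump_config(ServerOptions *o)
 	dump_cfg_strarray(sAllowGroups, o->num_allow_groups, o->allow_groups);
 	dump_cfg_strarray(sDenyGroups, o->num_deny_groups, o->deny_groups);
 	dump_cfg_strarray(sAcceptEnv, o->num_accept_env, o->accept_env);
+	dump_cfg_strarray(sSetEnv, o->num_setenv, o->setenv);
 	dump_cfg_strarray_oneline(sAuthenticationMethods,
 	    o->num_auth_methods, o->auth_methods);
 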
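Review bot: The validation in the new sSetEnv case (servconf.c 1809–1811) only checks that an '=' is present somewhere in the token, so an entry with an empty variable name such as `=value` (or a bare `=`) is accepted and later reaches child_set_env in session.c with a zero-length name. Tightening the test to `if (*arg == '=' || strchr(arg, '=') == NULL)` rejects it at config-load time, which is where the session.c comment in this commit expects such input to be caught. The `*arg != '\0'` loop condition already stops on an empty token, so that case cannot reach the check. process_server_config_line begins and ends outside the hunk.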
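--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: servconf.h,v 1.133 2018/06/06 18:23:32 djm Exp $ */
+/* $OpenBSD: servconf.h,v 1.134 2018/06/09 03:03:10 djm Exp $ */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -154,6 +154,8 @@ typedef struct {
 
 	u_int num_accept_env;
 	char **accept_env;
+	u_int num_setenv;
+	char **setenv;
 
 	int max_startups_begin;
 	int max_startups_rate;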
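--- a/session.c
+++ b/session.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: session.c,v 1.299 2018/06/09 02:58:02 djm Exp $ */
+/* $OpenBSD: session.c,v 1.300 2018/06/09 03:03:10 djm Exp $ */
 /*
  * Copyright (c) 1995 Tatu Ylonen <ylo@cs.hut.fi>, Espoo, Finland
  * All rights reserved
@@ -1004,7 +1004,7 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	char buf[256];
 	size_t n;
 	u_int i, envsize;
-	char *ocp, *cp, **env, *laddr;
+	char *ocp, *cp, *value, **env, *laddr;
 	struct passwd *pw = s->pw;
 #if !defined (HAVE_LOGIN_CAP) && !defined (HAVE_CYGWIN)
 	char *path = NULL;
@@ -1156,6 +1156,17 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 	}
 #endif /* USE_PAM */
 
+	/* Environment specified by admin */
+	for (i = 0; i < options.num_setenv; i++) {
+		cp = xstrdup(options.setenv[i]);
+		if ((value = strchr(cp, '=')) == NULL) {
+			/* shouldn't happen; vars are checked in servconf.c */
+			fatal("Invalid config SetEnv: %s", options.setenv[i]);
+		}
+		*value++ = '\0';
+		child_set_env(&env, &envsize, cp, value);
+	}
+
 	/* SSH_CLIENT deprecated */
 	snprintf(buf, sizeof buf, "%.50s %d %d",
 	    ssh_remote_ipaddr(ssh), ssh_remote_port(ssh),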
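Review bot: `cp` is allocated with `xstrdup` on every iteration of the new loop (session.c 1161) and never released, so each SetEnv entry leaks one copy per session. If child_set_env copies its name and value arguments — not visible here, so worth confirming — a `free(cp);` after the `child_set_env(&env, &envsize, cp, value);` call closes the leak. The sshd_config.5 text in this commit says SetEnv overrides variables supplied by the client via AcceptEnv or PermitUserEnvironment; that holds only if the client-supplied environment is applied before this loop, which is outside the hunk and should be checked. do_setup_env starts and ends outside the hunk.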
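--- a/sshd_config.5
+++ b/sshd_config.5
@@ -33,7 +33,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.273 2018/06/09 03:01:12 djm Exp $
+.\" $OpenBSD: sshd_config.5,v 1.274 2018/06/09 03:03:10 djm Exp $
 .Dd $Mdocdate: June 9 2018 $
 .Dt SSHD_CONFIG 5
 .Os
@@ -1138,6 +1138,7 @@ Available keywords are
 .Cm RekeyLimit ,
 .Cm RevokedKeys ,
 .Cm RDomain ,
+.Cm SetEnv ,
 .Cm StreamLocalBindMask ,
 .Cm StreamLocalBindUnlink ,
 .Cm TrustedUserCAKeys ,
@@ -1445,6 +1446,21 @@ will be bound to this
 If the routing domain is set to
 .Cm \&%D ,
 then the domain in which the incoming connection was received will be applied.
+.It Cm SetEnv
+Specifies one or more environment variables to set in child sessions started
+by
+.Xr sshd 8
+as
+.Dq NAME=VALUE .
+The environment value may be quoted (e.g. if it contains whitespace
+characters).
+Environment variables set by
+.Cm SetEnv
+override the default environment and any variables specified by the user
+via
+.Cm AcceptEnv
+or
+.Cm PermitUserEnvironment .
 .It Cm StreamLocalBindMask
 Sets the octal file creation mode mask
 .Pq umask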