Diffstat (limited to 'session.c')
-rw-r--r-- | session.c | 11 |
1 files changed, 7 insertions, 4 deletions
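--- a/session.c
+++ b/session.c
@@ -1162,15 +1162,18 @@ do_setup_env(struct ssh *ssh, Session *s, const char *shell)
 char **p;
 
 /*
-* Don't allow SSH_AUTH_INFO variables posted to PAM to leak
-* back into the environment.
+* Don't allow PAM-internal env vars to leak
+* back into the session environment.
 */
+#define PAM_ENV_BLACKLIST "SSH_AUTH_INFO*,SSH_CONNECTION*"
 p = fetch_pam_child_environment();
-copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+copy_environment_blacklist(p, &env, &envsize,
+PAM_ENV_BLACKLIST);
 free_pam_environment(p);
 
 p = fetch_pam_environment();
-copy_environment_blacklist(p, &env, &envsize, "SSH_AUTH_INFO*");
+copy_environment_blacklist(p, &env, &envsize,
+PAM_ENV_BLACKLIST);
 free_pam_environment(p);
 }
 #endif /* USE_PAM */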
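Review bot: The new `PAM_ENV_BLACKLIST` macro is defined in the middle of the PAM block in `do_setup_env` and is never undefined, so it stays visible for the rest of session.c. The reworded comment above it also no longer names the variables being filtered, although the list is now broader than before. This pattern list is the filter applied by both `copy_environment_blacklist` calls shown here, so I would either move the define to file scope or add `#undef PAM_ENV_BLACKLIST` after the second call. I would also name the patterns in the comment, for example `/* SSH_AUTH_INFO* and SSH_CONNECTION* are posted to PAM by sshd (confirm for SSH_CONNECTION); never copy them back into the session environment. */`. The function starts and ends outside the hunk, so I cannot tell from here whether SSH_CONNECTION is set again later in it.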