Re: ssh_config and sshd_config question



Coleman Kane wrote:
Look at "PermitUserEnvironment yes" in sshd_config.


Well, this does not work with the environment variable exported on the current window, on which a remote secure shell was initiated by a normal user.

However, if I define the variable at ~/.ssh/environment, it worked.

$ grep ENV ~/.ssh/environment
ENVIRONMENT=BATCH_ssh_environment

$ /usr/local/bin/ssh -l dant3 hes-hpc4
Last login: Thu Mar 16 11:44:27 2006 from hes-hpc3
Sun Microsystems Inc. SunOS 5.9 Generic May 2002
========================
dant3: user profile
UID PID PPID C STIME TTY TIME CMD
dant3 27380 27378 0 11:46:22 pts/2 0:00 -ksh
ENVIRONMENT=BATCH_ssh_environment
dant3: End user profile
========================

But I cannot use this "PermitUserEnvironment yes" parameter because the attribute of the ENVIRONMENT variable is dynamically set.

Interestingly, this works if a user root initiated the ssh remote login. But not for a normal user.

Any other suggestions?

Regards,

- Chansup

On Wed, Mar 15, 2006 at 11:06:52AM -0500, Chansup Byun wrote:
Hi,

I am trying to send a local environment variable, ENVIRONMENT, to the remote session with the following OpenSSH version.

OpenSSH_4.2p1, OpenSSL 0.9.8a 11 Oct 2005

Following the ssh_config and sshd_config man pages, in order to pass the local environment variable, ENVIRONMENT, I added the following lines to both config files, respectively.

bash-2.05# grep Env /usr/local/etc/ssh_config
SendEnv ENVIRONMENT
bash-2.05# grep Env /usr/local/etc/sshd_config | grep ENVIRONMENT
AcceptEnv ENVIRONMENT

My test showed that it worked fine when I started the remote session as root. However, if I started the remote session as a normal user, the remote session didn't get the local environment variable.

Is this a bug or a feature?
Is there a way to make this work for normal users?

Here're my test results:

bash-2.05# export ENVIRONMENT=BATCH_root
bash-2.05# echo $ENVIRONMENT
BATCH_root
bash-2.05# /usr/local/bin/ssh -l dant3 hes-hpc3
dant3@hes-hpc3's password:
Last login: Wed Mar 15 10:34:44 2006 from hes-hpc4
========================
dant3: user profile
UID PID PPID C STIME TTY TIME CMD
dant3 863 861 0 10:51:08 pts/3 0:00 -ksh
ENVIRONMENT=BATCH_root
dant3: End user profile
========================

Start remote session as a normal user:

$ export ENVIRONMENT=BATCH_dant3
$ echo $ENVIRONMENT
BATCH_dant3
$ /usr/local/bin/ssh -l dant3 hes-hpc3
Last login: Wed Mar 15 10:51:07 2006 from hes-hpc3
========================
dant3: user profile
UID PID PPID C STIME TTY TIME CMD
dant3 898 893 0 10:53:27 pts/4 0:00 -ksh
ENVIRONMENT=
dant3: End user profile
========================


Thanks,

- Chansup
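
Added example (not part of the original thread and not OpenSSH code): a Python check of the two conditions the configuration above relies on, namely that a client SendEnv pattern and a server AcceptEnv pattern both match the variable, plus an audit of the server-side settings discussed in the thread, since sshd_config(5) cautions that PermitUserEnvironment and broad AcceptEnv patterns can let users bypass restricted environments. It assumes global directives only (Host and Match blocks are not evaluated); the function names, the SENSITIVE list and the BROAD sample are illustrative.

```python
import re

# Illustrative (not exhaustive) variables that alter shell or linker behaviour.
SENSITIVE = ("LD_PRELOAD", "LD_LIBRARY_PATH", "PATH", "ENV", "BASH_ENV", "IFS")

def directives(text):
    """Yield (keyword, args) for the global part of an ssh/sshd config."""
    for raw in text.splitlines():
        parts = raw.strip().replace("=", " ", 1).split()
        if not parts or parts[0].startswith("#"):
            continue
        if parts[0].lower() == "match":  # conditional blocks are not handled
            break
        yield parts[0].lower(), parts[1:]

def matches(pattern, name):
    """OpenSSH-style pattern: '*' is any run of characters, '?' exactly one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, name) is not None

def patterns(text, keyword):
    return [p for k, args in directives(text) if k == keyword for p in args]

def would_forward(var, ssh_config, sshd_config):
    """True only if the client sends var and the server accepts it."""
    sent = any(matches(p, var) for p in patterns(ssh_config, "sendenv"))
    accepted = any(matches(p, var) for p in patterns(sshd_config, "acceptenv"))
    return sent and accepted

def audit(sshd_config):
    """List server settings that widen what reaches the login environment."""
    findings = []
    for k, args in directives(sshd_config):
        if k == "permituserenvironment":  # sshd keeps the first value it reads
            if args and args[0].lower() != "no":
                findings.append("PermitUserEnvironment enabled")
            break
    for p in patterns(sshd_config, "acceptenv"):
        hit = [v for v in SENSITIVE if matches(p, v)]
        if hit:
            findings.append(f"AcceptEnv {p} admits {', '.join(hit)}")
    return findings

# Constructed samples; CLIENT and SERVER mirror the grep output in the thread.
CLIENT = "SendEnv ENVIRONMENT\n"
SERVER = "AcceptEnv ENVIRONMENT\n"
BROAD = "PermitUserEnvironment yes\nAcceptEnv LANG LC_* LD_*\nAcceptEnv *\n"
if __name__ == "__main__":
    print(would_forward("ENVIRONMENT", CLIENT, SERVER), audit(BROAD))
```

An exact-name AcceptEnv such as the one in the thread produces no findings; wildcard patterns are what pull in variables like LD_PRELOAD or ENV.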


