*/
#include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.113 2002/07/30 17:03:55 markus Exp $");
#if defined(KRB4)
#include <krb.h>
options->kbd_interactive_authentication = -1;
options->challenge_response_authentication = -1;
options->permit_empty_passwd = -1;
+ options->permit_user_env = -1;
options->use_login = -1;
options->compression = -1;
options->allow_tcp_forwarding = -1;
options->challenge_response_authentication = 1;
if (options->permit_empty_passwd == -1)
options->permit_empty_passwd = 0;
+ if (options->permit_user_env == -1)
+ options->permit_user_env = 0;
if (options->use_login == -1)
options->use_login = 0;
if (options->compression == -1)
sPrintMotd, sPrintLastLog, sIgnoreRhosts,
sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
sStrictModes, sEmptyPasswd, sKeepAlives,
- sUseLogin, sAllowTcpForwarding, sCompression,
+ sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
{ "xauthlocation", sXAuthLocation },
{ "strictmodes", sStrictModes },
{ "permitemptypasswords", sEmptyPasswd },
+ { "permituserenvironment", sPermitUserEnvironment },
{ "uselogin", sUseLogin },
{ "compression", sCompression },
{ "keepalive", sKeepAlives },
intptr = &options->permit_empty_passwd;
goto parse_flag;
+ case sPermitUserEnvironment:
+ intptr = &options->permit_user_env;
+ goto parse_flag;
+
case sUseLogin:
intptr = &options->use_login;
goto parse_flag;
-/* $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $ */
+/* $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $ */
/*
* Author: Tatu Ylonen <ylo@cs.hut.fi>
int challenge_response_authentication;
int permit_empty_passwd; /* If false, do not permit empty
* passwords. */
+ int permit_user_env; /* If true, read ~/.ssh/environment */
int use_login; /* If true, login(1) is used */
int compression; /* If true, compression is allowed */
int allow_tcp_forwarding;
*/
#include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.145 2002/07/22 11:03:06 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.146 2002/07/30 17:03:55 markus Exp $");
#include "ssh.h"
#include "ssh1.h"
auth_sock_name);
/* read $HOME/.ssh/environment. */
- if (!options.use_login) {
+ if (options.permit_user_env && !options.use_login) {
snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
pw->pw_dir);
read_environment_file(&env, &envsize, buf);
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.5 2002/07/09 17:46:25 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.6 2002/07/30 17:03:55 markus Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
If this option is set to
.Dq no
root is not allowed to login.
+.It Cm PermitUserEnvironment
+Specifies whether
+.Pa ~/.ssh/environment
+is read by
+.Nm sshd
+and whether
+.Cm environment=
+options in
+.Pa ~/.ssh/authorized_keys
+files are permitted.
+The default is
+.Dq no .
+This option is useful for locked-down installations where
+.Ev LD_PRELOAD
+and suchlike can cause security problems.
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd