- markus@cvs.openbsd.org 2002/07/30 17:03:55

     [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
     add PermitUserEnvironment (off by default!); from dot@dotat.at;
     ok provos, deraadt

diff --git a/ChangeLog b/ChangeLog
index e5fa79ee2141d90f2f0fb8c51d07b29cc1c1aca3..7cb22c95295554319914603e7c66d9306c6a3dba 100644 (file)
--- a/ChangeLog
+++ b/ChangeLog
@@ -18,6 +18,10 @@
    - markus@cvs.openbsd.org 2002/07/29 18:57:30
      [sshconnect.c]
      print file:line
+   - markus@cvs.openbsd.org 2002/07/30 17:03:55
+     [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
+     add PermitUserEnvironment (off by default!); from dot@dotat.at;
+     ok provos, deraadt
 
 20020730
  - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de

diff --git a/auth-options.c b/auth-options.c
index 41a29f79cac45aea66b6cdc47f4de53748648b12..8595fdc147d804a688a6fd53a82c919969bec327 100644 (file)
--- a/auth-options.c
+++ b/auth-options.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.25 2002/07/21 18:32:20 stevesk Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
 
 #include "xmalloc.h"
 #include "match.h"
@@ -133,7 +133,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
                        goto next_option;
                }
                cp = "environment=\"";
-               if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+               if (options.permit_user_env &&
+                   strncasecmp(opts, cp, strlen(cp)) == 0) {
                        char *s;
                        struct envstring *new_envstring;
 

diff --git a/servconf.c b/servconf.c
index bdf39afb882ef51e1d2df88b99b8f6e35b297d0f..50fccdda88cc537f17e5acac8b03cc7313960e07 100644 (file)
--- a/servconf.c
+++ b/servconf.c
@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.113 2002/07/30 17:03:55 markus Exp $");
 
 #if defined(KRB4)
 #include <krb.h>
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
        options->kbd_interactive_authentication = -1;
        options->challenge_response_authentication = -1;
        options->permit_empty_passwd = -1;
+       options->permit_user_env = -1;
        options->use_login = -1;
        options->compression = -1;
        options->allow_tcp_forwarding = -1;
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
                options->challenge_response_authentication = 1;
        if (options->permit_empty_passwd == -1)
                options->permit_empty_passwd = 0;
+       if (options->permit_user_env == -1)
+               options->permit_user_env = 0;
        if (options->use_login == -1)
                options->use_login = 0;
        if (options->compression == -1)
@@ -291,7 +294,7 @@ typedef enum {
        sPrintMotd, sPrintLastLog, sIgnoreRhosts,
        sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
        sStrictModes, sEmptyPasswd, sKeepAlives,
-       sUseLogin, sAllowTcpForwarding, sCompression,
+       sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
        sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
        sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
        sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
@@ -354,6 +357,7 @@ static struct {
        { "xauthlocation", sXAuthLocation },
        { "strictmodes", sStrictModes },
        { "permitemptypasswords", sEmptyPasswd },
+       { "permituserenvironment", sPermitUserEnvironment },
        { "uselogin", sUseLogin },
        { "compression", sCompression },
        { "keepalive", sKeepAlives },
@@ -713,6 +717,10 @@ parse_flag:
                intptr = &options->permit_empty_passwd;
                goto parse_flag;
 
+       case sPermitUserEnvironment:
+               intptr = &options->permit_user_env;
+               goto parse_flag;
+
        case sUseLogin:
                intptr = &options->use_login;
                goto parse_flag;

diff --git a/servconf.h b/servconf.h
index c94f541d0ccfe46fb00f2c28be1813e5c98a2aa4..024987dd6983cfd8a743115e9451f29a97d6cc9b 100644 (file)
--- a/servconf.h
+++ b/servconf.h
@@ -1,4 +1,4 @@
-/*     $OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $    */
+/*     $OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $    */
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -97,6 +97,7 @@ typedef struct {
        int     challenge_response_authentication;
        int     permit_empty_passwd;    /* If false, do not permit empty
                                         * passwords. */
+       int     permit_user_env;        /* If true, read ~/.ssh/environment */
        int     use_login;      /* If true, login(1) is used */
        int     compression;    /* If true, compression is allowed */
        int     allow_tcp_forwarding;

diff --git a/session.c b/session.c
index e2e30340c817e1f79a9234d287a890a972ecd6f3..f2a1bf015863eba487b20b5959e1b8dd6a28d3c4 100644 (file)
--- a/session.c
+++ b/session.c
@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.145 2002/07/22 11:03:06 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.146 2002/07/30 17:03:55 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *shell)
                    auth_sock_name);
 
        /* read $HOME/.ssh/environment. */
-       if (!options.use_login) {
+       if (options.permit_user_env && !options.use_login) {
                snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
                    pw->pw_dir);
                read_environment_file(&env, &envsize, buf);

diff --git a/sshd_config b/sshd_config
index 24c4e059e2cfdbcb45468092dfc4eab0dee45c12..f20d812ee425e2389981b5d4833e503b29bbb8b2 100644 (file)
--- a/sshd_config
+++ b/sshd_config
@@ -1,4 +1,4 @@
-#      $OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
+#      $OpenBSD: sshd_config,v 1.57 2002/07/30 17:03:55 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -81,6 +81,7 @@
 #KeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
+#PermitUserEnvironment no
 #Compression yes
 
 #MaxStartups 10

diff --git a/sshd_config.5 b/sshd_config.5
index 6625865efae9379339f0da1d51193057382956e8..f43b2bb9bf3501753fe0d639a5f3b9afbd38131e 100644 (file)
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.5 2002/07/09 17:46:25 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.6 2002/07/30 17:03:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -465,6 +465,21 @@ for root.
 If this option is set to
 .Dq no
 root is not allowed to login.
+.It Cm PermitUserEnvironment
+Specifies whether
+.Pa ~/.ssh/environment
+is read by
+.Nm sshd
+and whether
+.Cm environment=
+options in
+.Pa ~/.ssh/authorized_keys
+files are permitted.
+The default is
+.Dq no .
+This option is useful for locked-down installations where
+.Ev LD_PRELOAD
+and suchlike can cause security problems.
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 .Nm sshd