- markus@cvs.openbsd.org 2002/07/30 17:03:55

[auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
     add PermitUserEnvironment (off by default!); from dot@dotat.at;
     ok provos, deraadt

ChangeLog

@@ -18,6 +18,10 @@
    - markus@cvs.openbsd.org 2002/07/29 18:57:30
      [sshconnect.c]
      print file:line
+   - markus@cvs.openbsd.org 2002/07/30 17:03:55
+     [auth-options.c servconf.c servconf.h session.c sshd_config sshd_config.5]
+     add PermitUserEnvironment (off by default!); from dot@dotat.at;
+     ok provos, deraadt
 
 20020730
  - (bal) [uidswap.c] SCO compile correction by gert@greenie.muc.de
@@ -1486,4 +1490,4 @@
  - (stevesk) entropy.c: typo in debug message
  - (djm) ssh-keygen -i needs seeded RNG; report from markus@
 
-$Id: ChangeLog,v 1.2412 2002/08/01 01:26:29 mouring Exp $
+$Id: ChangeLog,v 1.2413 2002/08/01 01:28:38 mouring Exp $

auth-options.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: auth-options.c,v 1.25 2002/07/21 18:32:20 stevesk Exp $");
+RCSID("$OpenBSD: auth-options.c,v 1.26 2002/07/30 17:03:55 markus Exp $");
 
 #include "xmalloc.h"
 #include "match.h"
@@ -133,7 +133,8 @@ auth_parse_options(struct passwd *pw, char *opts, char *file, u_long linenum)
 			goto next_option;
 		}
 		cp = "environment=\"";
-		if (strncasecmp(opts, cp, strlen(cp)) == 0) {
+		if (options.permit_user_env &&
+		    strncasecmp(opts, cp, strlen(cp)) == 0) {
 			char *s;
 			struct envstring *new_envstring;
 

servconf.c

@@ -10,7 +10,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: servconf.c,v 1.112 2002/06/23 09:46:51 deraadt Exp $");
+RCSID("$OpenBSD: servconf.c,v 1.113 2002/07/30 17:03:55 markus Exp $");
 
 #if defined(KRB4)
 #include <krb.h>
@@ -101,6 +101,7 @@ initialize_server_options(ServerOptions *options)
 	options->kbd_interactive_authentication = -1;
 	options->challenge_response_authentication = -1;
 	options->permit_empty_passwd = -1;
+	options->permit_user_env = -1;
 	options->use_login = -1;
 	options->compression = -1;
 	options->allow_tcp_forwarding = -1;
@@ -223,6 +224,8 @@ fill_default_server_options(ServerOptions *options)
 		options->challenge_response_authentication = 1;
 	if (options->permit_empty_passwd == -1)
 		options->permit_empty_passwd = 0;
+	if (options->permit_user_env == -1)
+		options->permit_user_env = 0;
 	if (options->use_login == -1)
 		options->use_login = 0;
 	if (options->compression == -1)
@@ -291,7 +294,7 @@ typedef enum {
 	sPrintMotd, sPrintLastLog, sIgnoreRhosts,
 	sX11Forwarding, sX11DisplayOffset, sX11UseLocalhost,
 	sStrictModes, sEmptyPasswd, sKeepAlives,
-	sUseLogin, sAllowTcpForwarding, sCompression,
+	sPermitUserEnvironment, sUseLogin, sAllowTcpForwarding, sCompression,
 	sAllowUsers, sDenyUsers, sAllowGroups, sDenyGroups,
 	sIgnoreUserKnownHosts, sCiphers, sMacs, sProtocol, sPidFile,
 	sGatewayPorts, sPubkeyAuthentication, sXAuthLocation, sSubsystem, sMaxStartups,
@@ -354,6 +357,7 @@ static struct {
 	{ "xauthlocation", sXAuthLocation },
 	{ "strictmodes", sStrictModes },
 	{ "permitemptypasswords", sEmptyPasswd },
+	{ "permituserenvironment", sPermitUserEnvironment },
 	{ "uselogin", sUseLogin },
 	{ "compression", sCompression },
 	{ "keepalive", sKeepAlives },
@@ -713,6 +717,10 @@ parse_flag:
 		intptr = &options->permit_empty_passwd;
 		goto parse_flag;
 
+	case sPermitUserEnvironment:
+		intptr = &options->permit_user_env;
+		goto parse_flag;
+
 	case sUseLogin:
 		intptr = &options->use_login;
 		goto parse_flag;

servconf.h

@@ -1,4 +1,4 @@
-/*	$OpenBSD: servconf.h,v 1.58 2002/06/20 23:05:55 markus Exp $	*/
+/*	$OpenBSD: servconf.h,v 1.59 2002/07/30 17:03:55 markus Exp $	*/
 
 /*
  * Author: Tatu Ylonen <ylo@cs.hut.fi>
@@ -97,6 +97,7 @@ typedef struct {
 	int     challenge_response_authentication;
 	int     permit_empty_passwd;	/* If false, do not permit empty
 					 * passwords. */
+	int     permit_user_env;	/* If true, read ~/.ssh/environment */
 	int     use_login;	/* If true, login(1) is used */
 	int     compression;	/* If true, compression is allowed */
 	int	allow_tcp_forwarding;

session.c

@@ -33,7 +33,7 @@
  */
 
 #include "includes.h"
-RCSID("$OpenBSD: session.c,v 1.145 2002/07/22 11:03:06 markus Exp $");
+RCSID("$OpenBSD: session.c,v 1.146 2002/07/30 17:03:55 markus Exp $");
 
 #include "ssh.h"
 #include "ssh1.h"
@@ -1065,7 +1065,7 @@ do_setup_env(Session *s, const char *shell)
 		    auth_sock_name);
 
 	/* read $HOME/.ssh/environment. */
-	if (!options.use_login) {
+	if (options.permit_user_env && !options.use_login) {
 		snprintf(buf, sizeof buf, "%.200s/.ssh/environment",
 		    pw->pw_dir);
 		read_environment_file(&env, &envsize, buf);

sshd_config

@@ -1,4 +1,4 @@
-#	$OpenBSD: sshd_config,v 1.56 2002/06/20 23:37:12 markus Exp $
+#	$OpenBSD: sshd_config,v 1.57 2002/07/30 17:03:55 markus Exp $
 
 # This is the sshd server system-wide configuration file.  See
 # sshd_config(5) for more information.
@@ -81,6 +81,7 @@
 #KeepAlive yes
 #UseLogin no
 #UsePrivilegeSeparation yes
+#PermitUserEnvironment no
 #Compression yes
 
 #MaxStartups 10

sshd_config.5

@@ -34,7 +34,7 @@
 .\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
 .\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
 .\"
-.\" $OpenBSD: sshd_config.5,v 1.5 2002/07/09 17:46:25 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.6 2002/07/30 17:03:55 markus Exp $
 .Dd September 25, 1999
 .Dt SSHD_CONFIG 5
 .Os
@@ -465,6 +465,21 @@ for root.
 If this option is set to
 .Dq no
 root is not allowed to login.
+.It Cm PermitUserEnvironment
+Specifies whether
+.Pa ~/.ssh/environment
+is read by
+.Nm sshd
+and whether
+.Cm environment=
+options in
+.Pa ~/.ssh/authorized_keys
+files are permitted.
+The default is
+.Dq no .
+This option is useful for locked-down installations where
+.Ev LD_PRELOAD
+and suchlike can cause security problems.
 .It Cm PidFile
 Specifies the file that contains the process ID of the
 .Nm sshd