- stevesk@cvs.openbsd.org 2002/08/12 17:30:35
[ssh.1 sshd.8 sshd_config.5]
more PermitUserEnvironment; ok markus@
diff --git a/ChangeLog b/ChangeLog
index 0078cf8..5b291c7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -30,6 +30,9 @@
- stevesk@cvs.openbsd.org 2002/08/09 17:41:12
[sshd_config.5]
proxy vs. fake display
+ - stevesk@cvs.openbsd.org 2002/08/12 17:30:35
+ [ssh.1 sshd.8 sshd_config.5]
+ more PermitUserEnvironment; ok markus@
20020813
- (tim) [configure.ac] Display OpenSSL header/library version.
@@ -1527,4 +1530,4 @@
- (stevesk) entropy.c: typo in debug message
- (djm) ssh-keygen -i needs seeded RNG; report from markus@
-$Id: ChangeLog,v 1.2422 2002/08/20 18:44:24 mouring Exp $
+$Id: ChangeLog,v 1.2423 2002/08/20 18:54:20 mouring Exp $
diff --git a/ssh.1 b/ssh.1
index 00ebdd4..403c6ad 100644
--- a/ssh.1
+++ b/ssh.1
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: ssh.1,v 1.161 2002/08/02 16:00:07 marc Exp $
+.\" $OpenBSD: ssh.1,v 1.162 2002/08/12 17:30:35 stevesk Exp $
.Dd September 25, 1999
.Dt SSH 1
.Os
@@ -744,9 +744,9 @@
.Dq VARNAME=value
to the environment if the file exists and if users are allowed to
change their environment.
-See
+See the
.Cm PermitUserEnvironment
-in
+option in
.Xr sshd_config 5 .
.Sh FILES
.Bl -tag -width Ds
diff --git a/sshd.8 b/sshd.8
index a098b43..769c742 100644
--- a/sshd.8
+++ b/sshd.8
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd.8,v 1.187 2002/08/02 16:00:07 marc Exp $
+.\" $OpenBSD: sshd.8,v 1.188 2002/08/12 17:30:35 stevesk Exp $
.Dd September 25, 1999
.Dt SSHD 8
.Os
@@ -351,9 +351,9 @@
Reads
.Pa $HOME/.ssh/environment
if it exists and users are allowed to change their environment.
-See
+See the
.Cm PermitUserEnvironment
-in
+option in
.Xr sshd_config 5 .
.It
Changes to user's home directory.
@@ -462,6 +462,10 @@
Environment variables set this way
override other default environment values.
Multiple options of this type are permitted.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
This option is automatically disabled if
.Cm UseLogin
is enabled.
@@ -702,6 +706,10 @@
and assignment lines of the form name=value.
The file should be writable
only by the user; it need not be readable by anyone else.
+Environment processing is disabled by default and is
+controlled via the
+.Cm PermitUserEnvironment
+option.
.It Pa $HOME/.ssh/rc
If this file exists, it is run with /bin/sh after reading the
environment files but before starting the user's shell or command.
diff --git a/sshd_config.5 b/sshd_config.5
index fcebbed..0c799bf 100644
--- a/sshd_config.5
+++ b/sshd_config.5
@@ -34,7 +34,7 @@
.\" (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
.\" THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
.\"
-.\" $OpenBSD: sshd_config.5,v 1.8 2002/08/09 17:41:12 stevesk Exp $
+.\" $OpenBSD: sshd_config.5,v 1.9 2002/08/12 17:30:35 stevesk Exp $
.Dd September 25, 1999
.Dt SSHD_CONFIG 5
.Os
@@ -468,18 +468,17 @@
.It Cm PermitUserEnvironment
Specifies whether
.Pa ~/.ssh/environment
-is read by
-.Nm sshd
-and whether
+and
.Cm environment=
options in
.Pa ~/.ssh/authorized_keys
-files are permitted.
+are processed by
+.Nm sshd .
The default is
.Dq no .
-This option is useful for locked-down installations where
-.Ev LD_PRELOAD
-and suchlike can cause security problems.
+Enabling environment processing may enable users to bypass access
+restrictions in some configurations using mechanisms such as
+.Ev LD_PRELOAD .
.It Cm PidFile
Specifies the file that contains the process ID of the
.Nm sshd