From 397594a69874ac551f3b1a8860a832374026ffe1 Mon Sep 17 00:00:00 2001
From: szEvEz
Date: Sun, 13 Oct 2019 15:42:10 +0200
Subject: [PATCH 1/4] Separate PermitUserEnviroment from AcceptEnv

Signed-off-by: szEvEz
---
 README.md | 1 +
 templates/opensshd.conf.j2 | 7 ++++---
 2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/README.md b/README.md
index 80c205dbc..6b3dcc43a 100644
--- a/README.md
+++ b/README.md
@@ -68,6 +68,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|
diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index e17673bf1..e0844f892 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 @@ -203,13 +203,14 @@ X11UseLocalhost yes {% if ssh_server_permit_environment_vars -%} PermitUserEnvironment yes -{% for item in ssh_server_permit_environment_vars -%} -AcceptEnv {{ item }} -{% endfor %} {% else -%} PermitUserEnvironment no {% endif %} +{% if ssh_server_accept_env_vars -%} +AcceptEnv {{ ssh_server_accept_env_vars }} +{% endif %} + # Misc. configuration # =================== From b7580b3e4f1727bf34b3ef3604a5f30d26a11a33 Mon Sep 17 00:00:00 2001 From: szEvEz Date: Sun, 13 Oct 2019 18:54:55 +0200 Subject: [PATCH 2/4] add missing variable to defaults Signed-off-by: szEvEz --- defaults/main.yml | 1 + 1 file changed, 1 insertion(+) diff --git a/defaults/main.yml b/defaults/main.yml index 56b226e03..44832e95a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -155,6 +155,7 @@ ssh_server_match_group: false # sshd ssh_server_match_address: false # sshd ssh_server_permit_environment_vars: false +ssh_server_accept_env_vars : '' # maximum number of concurrent unauthenticated connections to the SSH daemon ssh_max_startups: '10:30:100' # sshd From 4138adcf284888f49b5f06f181f85109ac7d02cd Mon Sep 17 00:00:00 2001 From: szEvEz Date: Mon, 14 Oct 2019 15:20:54 +0200 Subject: [PATCH 3/4] add variable for PermitUserEnvironment value, extend tests with values for ssh_server_accept_env_vars and ssh_server_permit_environment_vars Signed-off-by: szEvEz --- README.md | 2 +- defaults/main.yml | 2 +- templates/opensshd.conf.j2 | 2 +- tests/default_custom.yml | 3 ++- 4 files changed, 5 insertions(+), 4 deletions(-) diff --git a/README.md b/README.md index 6b3dcc43a..6caf9b18e 100644 --- a/README.md +++ b/README.md 
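Review bot: A host that still sets `ssh_server_permit_environment_vars` to a list (the form the removed `for item in ssh_server_permit_environment_vars` loop consumed, and the form tests/default_custom.yml used until patch 3) is still truthy in the surviving `{% if ssh_server_permit_environment_vars -%}`, so it keeps `PermitUserEnvironment yes` but silently loses every `AcceptEnv` line; an `assert` task in the role, or at least a README note, should reject the list form now that the names live in `ssh_server_accept_env_vars`. The new `AcceptEnv {{ ssh_server_accept_env_vars }}` block is also emitted independently of `PermitUserEnvironment`, which matches how sshd treats the two options but is worth stating, and the value is an sshd name-pattern list, so a wildcard entry forwards every variable the client sends. A header comment above the block such as `{# AcceptEnv takes sshd name patterns: list variable names explicitly, a wildcard forwards any client variable; this applies even when PermitUserEnvironment is no #}` would capture both points.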
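Review bot: The added default `ssh_server_accept_env_vars : ''` has a space before the colon, which yamllint's `colons` rule flags and which none of the neighbouring keys use; write it `ssh_server_accept_env_vars: ''`. A short comment above it is also needed more than for most keys here, because the value is a single whitespace-separated string rather than a list and is passed straight into an sshd directive, e.g. `# whitespace-separated client environment variable names passed to AcceptEnv (sshd pattern syntax)`.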
@@ -67,7 +67,7 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_match_address` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block. If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
-|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
 |`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
diff --git a/defaults/main.yml b/defaults/main.yml index 44832e95a..b5d8c9a7a 100644 --- a/defaults/main.yml +++ b/defaults/main.yml @@ -154,7 +154,7 @@ ssh_server_match_group: false # sshd # list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for. ssh_server_match_address: false # sshd -ssh_server_permit_environment_vars: false +ssh_server_permit_environment_vars: 'no' ssh_server_accept_env_vars : '' # maximum number of concurrent unauthenticated connections to the SSH daemon diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index e0844f892..f2214517b 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 @@ -202,7 +202,7 @@ X11UseLocalhost yes # ============================== {% if ssh_server_permit_environment_vars -%} -PermitUserEnvironment yes +PermitUserEnvironment {{ ssh_server_permit_environment_vars }} {% else -%} PermitUserEnvironment no {% endif %} diff --git a/tests/default_custom.yml b/tests/default_custom.yml index 39a53260b..600494c19 100644 --- a/tests/default_custom.yml +++ b/tests/default_custom.yml @@ -26,7 +26,8 @@ ssh_allow_tcp_forwarding: true ssh_gateway_ports: true ssh_allow_agent_forwarding: true - ssh_server_permit_environment_vars: ['PWD', 'HTTP_PROXY'] + ssh_server_permit_environment_vars: 'yes' + ssh_server_accept_env_vars: 'PWD HTTP_PROXY' ssh_client_alive_interval: 100 ssh_client_alive_count: 10 ssh_client_password_login: true From bb4feda34e00e966bc3552fd0e32eb6d95e78021 Mon Sep 17 00:00:00 2001 From: Sebastian Gumprich Date: Tue, 15 Oct 2019 18:21:00 +0200 Subject: [PATCH 4/4] Update opensshd.conf.j2 --- templates/opensshd.conf.j2 | 4 ---- 1 file changed, 4 deletions(-) diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2 index f2214517b..2347efbfe 100644 --- a/templates/opensshd.conf.j2 +++ b/templates/opensshd.conf.j2 
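Review bot: `PermitUserEnvironment {{ ssh_server_permit_environment_vars }}` in the templates/opensshd.conf.j2 hunk renders a YAML boolean as `True`/`False`, so any inventory that kept the previously documented boolean `true` now gets `PermitUserEnvironment True`, which sshd does not read as yes: older releases reject it as an invalid value and 7.8+ appears to treat anything other than yes/no as a pattern list, so the outcome depends on the installed version. The defaults hunk changes the default to the string `'no'`, which is truthy, so the template's `else` branch is now dead for the default and only a literal `false` still reaches it; patch 4 then removes that branch entirely, leaving `false` to render as `False` as well, and the tests/default_custom.yml hunk only exercises the string `'yes'`. Normalise in the template instead of relying on callers, e.g. render the value as `{% if ssh_server_permit_environment_vars is sameas true %}yes{% elif not ssh_server_permit_environment_vars or ssh_server_permit_environment_vars is sameas false %}no{% else %}{{ ssh_server_permit_environment_vars }}{% endif %}`, and add a boolean case to the custom test vars so both spellings are covered.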
@@ -201,11 +201,7 @@ X11UseLocalhost yes # User environment configuration # ============================== -{% if ssh_server_permit_environment_vars -%} PermitUserEnvironment {{ ssh_server_permit_environment_vars }} -{% else -%} -PermitUserEnvironment no -{% endif %} {% if ssh_server_accept_env_vars -%} AcceptEnv {{ ssh_server_accept_env_vars }}