Send and Accept locale environment variables

attributes/default.rb

@@ -61,7 +61,8 @@
 default['ssh-hardening']['ssh']['client']['remote_hosts']  = []
 default['ssh-hardening']['ssh']['client']['password_authentication'] = false   # ssh
 # http://undeadly.org/cgi?action=article&sid=20160114142733
-default['ssh-hardening']['ssh']['client']['roaming']        = false
+default['ssh-hardening']['ssh']['client']['roaming']       = false
+default['ssh-hardening']['ssh']['client']['send_env']      = ['LANG', 'LC_*', 'LANGUAGE']
 
 # sshd
 default['ssh-hardening']['ssh']['server']['kex']                      = nil     # nil = calculate best combination for server version
@@ -97,6 +98,8 @@
 default['ssh-hardening']['ssh']['server']['max_sessions']             = 10
 default['ssh-hardening']['ssh']['server']['password_authentication']  = false
 default['ssh-hardening']['ssh']['server']['log_level']                = 'verbose'
+default['ssh-hardening']['ssh']['server']['accept_env']               = ['LANG', 'LC_*', 'LANGUAGE']
+
 # sshd sftp options
 default['ssh-hardening']['ssh']['server']['sftp']['enable']           = false
 default['ssh-hardening']['ssh']['server']['sftp']['group']            = 'sftponly'

spec/recipes/client_spec.rb

@@ -59,6 +59,11 @@
       with_content(/UseRoaming no/)
   end
 
+  it 'sends default locale environment variables' do
+    expect(chef_run).to render_file('/etc/ssh/ssh_config').
+      with_content('SendEnv LANG LC_* LANGUAGE')
+  end
+
   include_examples 'allow ctr ciphers'
 
   context 'weak_hmac enabled only for the client' do
@@ -160,6 +165,32 @@
     end
   end
 
+  context 'with empty send_env attribute' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['client']['send_env'] = []
+      end.converge(described_recipe)
+    end
+
+    it 'will not send any environment variables' do
+      expect(chef_run).to_not render_file('/etc/ssh/ssh_config').
+        with_content(/SendEnv/)
+    end
+  end
+
+  context 'with custom send_env attribute' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['client']['send_env'] = %w(some environment variables)
+      end.converge(described_recipe)
+    end
+
+    it 'uses the value of send_env attribute' do
+      expect(chef_run).to render_file('/etc/ssh/ssh_config').
+        with_content(/SendEnv some environment variables/)
+    end
+  end
+
   context 'chef-solo' do
     cached(:chef_run) do
       ChefSpec::SoloRunner.new.converge(described_recipe)

spec/recipes/server_spec.rb

@@ -64,6 +64,11 @@
     )
   end
 
+  it 'accepts default locale environment variables' do
+    expect(chef_run).to render_file('/etc/ssh/sshd_config').
+      with_content('AcceptEnv LANG LC_* LANGUAGE')
+  end
+
   include_examples 'does not allow weak hmacs'
   include_examples 'does not allow weak kexs'
   include_examples 'does not allow weak ciphers'
@@ -605,4 +610,30 @@
         with_content(/ListenAddress ::/)
     end
   end
+
+  context 'with empty accept_env attribute' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['server']['accept_env'] = []
+      end.converge(described_recipe)
+    end
+
+    it 'will not accept any environment variables' do
+      expect(chef_run).to_not render_file('/etc/ssh/sshd_config').
+        with_content(/AcceptEnv/)
+    end
+  end
+
+  context 'with custom accept_env attribute' do
+    cached(:chef_run) do
+      ChefSpec::ServerRunner.new do |node|
+        node.normal['ssh-hardening']['ssh']['server']['accept_env'] = %w(some environment variables)
+      end.converge(described_recipe)
+    end
+
+    it 'uses the value of accept_env attribute' do
+      expect(chef_run).to render_file('/etc/ssh/sshd_config').
+        with_content(/AcceptEnv some environment variables/)
+    end
+  end
 end

templates/default/openssh.conf.erb

@@ -112,3 +112,8 @@ Compression yes
 
 # http://undeadly.org/cgi?action=article&sid=20160114142733
 UseRoaming <%= @node['ssh-hardening']['ssh']['client']['roaming'] ? 'yes' : 'no' %>
+
+<% unless @node['ssh-hardening']['ssh']['client']['send_env'].empty? %>
+# Send locale environment variables
+SendEnv <%= @node['ssh-hardening']['ssh']['client']['send_env'].join(' ') %>
+<% end %>

templates/default/opensshd.conf.erb

@@ -193,6 +193,11 @@ UseDNS <%= ((@node['ssh-hardening']['ssh']['server']['use_dns']) ? 'yes' : 'no'
 #ChrootDirectory none
 #ChrootDirectory /home/%u
 
+<% unless @node['ssh-hardening']['ssh']['server']['accept_env'].empty? %>
+# Accept locale environment variables
+AcceptEnv <%= @node['ssh-hardening']['ssh']['server']['accept_env'].join(' ') %>
+<% end %>
+
 <% if @node['ssh-hardening']['ssh']['server']['sftp']['enable'] %>
 # Configuration, in case SFTP is used
 ## override default of no subsystems