Merge pull request dev-sec#251 from szEvEz/separate-vars

Separate PermitUserEnviroment from AcceptEnv
divialth · Oct 15, 2019 · 2184168 · 2184168
2 parents 4a3fd9a + 8bd6015
commit 2184168
Show file tree

Hide file tree

Showing 4 changed files with 10 additions and 10 deletions.
diff --git a/README.md b/README.md
@@ -65,7 +65,8 @@ Warning: This role disables root-login on the target server! Please make sure yo
 |`ssh_server_match_address` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_group` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
 |`ssh_server_match_user` | '' | Introduces a conditional block.  If all of the criteria on the Match line are satisfied, the keywords on the following lines override those set in the global section of the config file, until either another Match line or the end of the file. |
-|`ssh_server_permit_environment_vars` | `false` | `true` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd |
+|`ssh_server_permit_environment_vars` | `no` | `yes` to specify that ~/.ssh/environment and environment= options in ~/.ssh/authorized_keys are processed by sshd. With openssh version 7.8 it is possible to specify a whitelist of environment variable names in addition to global "yes" or "no" settings |
+|`ssh_server_accept_env_vars`| '' | Specifies what environment variables sent by the client will be copied into the session's enviroment, multiple environment variables may be separated by whitespace |
 |`ssh_use_dns` | `false` | Specifies whether sshd should look up the remote host name, and to check that the resolved host name for the remote IP address maps back to the very same IP address. |
 |`ssh_server_revoked_keys` | [] | a list of revoked public keys that the ssh server will always reject, useful to revoke known weak or compromised keys.|
 |`ssh_max_startups` | '10:30:100' | Specifies the maximum number of concurrent unauthenticated connections to the SSH daemon.|

diff --git a/defaults/main.yml b/defaults/main.yml
@@ -151,7 +151,8 @@ ssh_server_match_group: false           # sshd
 # list of hashes (containing addresses/subnets and rules) to generate Match Address blocks for.
 ssh_server_match_address: false           # sshd
 
-ssh_server_permit_environment_vars: false
+ssh_server_permit_environment_vars: 'no'
+ssh_server_accept_env_vars : ''
 
 # maximum number of concurrent unauthenticated connections to the SSH daemon
 ssh_max_startups: '10:30:100'           # sshd

diff --git a/templates/opensshd.conf.j2 b/templates/opensshd.conf.j2
@@ -198,13 +198,10 @@ X11UseLocalhost yes
 # User environment configuration
 # ==============================
 
-{% if ssh_server_permit_environment_vars -%}
-PermitUserEnvironment yes
-{% for item in ssh_server_permit_environment_vars -%}
-AcceptEnv {{ item }}
-{% endfor %}
-{% else -%}
-PermitUserEnvironment no
+PermitUserEnvironment {{ ssh_server_permit_environment_vars }}
+
+{% if ssh_server_accept_env_vars -%}
+AcceptEnv {{ ssh_server_accept_env_vars }}
 {% endif %}
 
 # Misc. configuration

diff --git a/tests/default_custom.yml b/tests/default_custom.yml
@@ -26,7 +26,8 @@
     ssh_allow_tcp_forwarding: true
     ssh_gateway_ports: true
     ssh_allow_agent_forwarding: true
-    ssh_server_permit_environment_vars: ['PWD', 'HTTP_PROXY']
+    ssh_server_permit_environment_vars: 'yes'
+    ssh_server_accept_env_vars: 'PWD HTTP_PROXY'
     ssh_client_alive_interval: 100
     ssh_client_alive_count: 10
     ssh_client_password_login: true