bugzilla-daemon at mindrot.org
2006-Feb-15 07:37 UTC
[Bug 1158] Setting the environment in authorized_keys does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=1158

           Summary: Setting the environment in authorized_keys does not work
           Product: Portable OpenSSH
           Version: 3.9p1
          Platform: ix86
        OS/Version: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: sshd
        AssignedTo: bitbucket at mindrot.org
        ReportedBy: michael.henry at axegroup.com.au

I'm using CentOS 4.2 with all the latest patches. As per the O'Reilly book "SSH, The Secure Shell: The Definitive Guide" (http://www.unix.org.ua/orelly/networking_2ndEd/ssh/ch08_02.htm#ch08-65720.html) I have prepended this string to my key in authorized_keys:

environment="LOGNAME=mhenry" ssh-dss AAAAB3Nz.....

The manpage also suggests that this syntax is supported. However, logging into this account using my key I see that the environment is not set:

Using username "cvsstore".
Authenticating with public key "dsa-key-20051105" from agent
Last login: Wed Feb 15 18:19:15 2006 from amitabha.axegroup.local
[cvsstore at axefs1 ~]$ env | grep LOGNAME
LOGNAME=cvsstore

Also: using multiple "environment" entries results in the ssh connection attempt being rejected.

Thanks,
Michael

------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at mindrot.org
2006-Feb-15 08:33 UTC
[Bug 1158] Setting the environment in authorized_keys does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=1158

------- Comment #1 from dtucker at zip.com.au 2006-02-15 19:33 -------
(In reply to comment #0)
> I have prepended this string to my key in authorized_keys:
> environment="LOGNAME=mhenry" ssh-dss AAAAB3Nz.....
>
> The manpage also suggests that this syntax is supported. However, logging into
> this account using my key I see that the environment is not set:

Have you enabled PermitUserEnvironment in sshd_config? It defaults to "no", and be aware that it may permit users to monkey around with things like LD_PRELOAD.

> [cvsstore at axefs1 ~]$ env | grep LOGNAME
> LOGNAME=cvsstore

Do any of the shell startup scripts set LOGNAME? My /etc/profile does but I'm not sure if it's stock or a local addition.

> Also: using multiple "environment" entries results in the ssh connection
> attempt being rejected.

Now that might be a bug, I'll take a look at it.
bugzilla-daemon at mindrot.org
2006-Feb-15 08:41 UTC
[Bug 1158] Setting the environment in authorized_keys does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=1158

------- Comment #2 from dtucker at zip.com.au 2006-02-15 19:41 -------
(In reply to comment #1)
> > Also: using multiple "environment" entries results in the ssh connection
> > attempt being rejected.
>
> Now that might be a bug, I'll take a look at it.

This works for me as long as PermitUserEnvironment is enabled:

environment="FOO=bar",environment="BAR=baz" ssh-rsa AAAAB3N[...]
bugzilla-daemon at mindrot.org
2006-Feb-15 22:08 UTC
[Bug 1158] Setting the environment in authorized_keys does not work
http://bugzilla.mindrot.org/show_bug.cgi?id=1158

michael.henry at axegroup.com.au changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED

------- Comment #3 from michael.henry at axegroup.com.au 2006-02-16 09:08 -------
Thanks for the prompt reply Darren!

I do have:

PermitUserEnvironment yes

You make a very good point about login scripts setting the LOGNAME variable. Let me just check... Ha! /etc/profile has:

LOGNAME=$USER

Now for the final point - multiple "environment" entries. I see you have a comma-separated list. As per the man-page I was using spaces to separate my entries:

"Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, comment."

So I had:

environment="LOGNAME=mhenry" environment="CVSUSER=mhenry" ssh-dss AAAAB3N....

Let me just change that space to a comma... WooHoo! That's done it!

Thanks for your help!
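Added example, not part of the thread and not OpenSSH code: a Python check for authorized_keys lines that applies the rule the thread arrives at (the options field ends at the first unquoted space, and options inside it are joined by commas) and lists the variables each key would set when PermitUserEnvironment is enabled. The function names, the key type prefix list and the LD_* review rule are assumptions of this example; the two sample lines are the ones quoted in the thread.

```python
import re

KEY_START = ("ssh-", "ecdsa-sha2-", "sk-")  # key type prefixes (assumed list)
# The two lines quoted in the thread, key material truncated as on the page.
SPACE_SEPARATED = 'environment="LOGNAME=mhenry" environment="CVSUSER=mhenry" ssh-dss AAAAB3N....'
COMMA_SEPARATED = 'environment="FOO=bar",environment="BAR=baz" ssh-rsa AAAAB3N[...]'

def is_key(s):
    """True if s starts a key field: a key type, or digits (old RSA1 bits)."""
    return s.startswith(KEY_START) or s[:1].isdigit()

def split_options(line):
    """Return (options, rest): the field ends at the first unquoted whitespace
    and its options are separated by unquoted commas."""
    line = line.strip()
    if is_key(line):
        return [], line
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and line[i:i + 2] == '\\"':   # escaped quote inside a value
            cur, i = cur + '\\"', i + 2
            continue
        if c in " \t" and not quoted:
            break
        if c == "," and not quoted:
            opts.append(cur)
            cur = ""
        else:
            quoted = quoted != (c == '"')       # toggle on each plain quote
            cur += c
        i += 1
    opts.append(cur)
    return opts, line[i:].strip()

def audit(line):
    """Return (env, problems) for one authorized_keys line."""
    if not line.strip() or line.lstrip().startswith("#"):
        return {}, []
    opts, rest = split_options(line)
    env, problems = {}, []
    for opt in opts:
        m = re.fullmatch(r'environment="([^=]+)=(.*)"', opt, re.I | re.S)
        if m:
            env[m.group(1)] = m.group(2)
    if not is_key(rest):
        problems.append("no key type after options: join options with commas")
    # Assumption of this example: any LD_* variable is worth a manual review.
    problems += ["sets " + name for name in env if name.startswith("LD_")]
    return env, problems
```

Run `audit()` over each line of an authorized_keys file; a startup script such as /etc/profile can still overwrite a variable afterwards, which this static check cannot see.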