openssh bugs - May 2022 - [Bug 3434] New: provide a way to disable any set SetEnv and SendEnv

https://bugzilla.mindrot.org/show_bug.cgi?id=3434

            Bug ID: 3434
           Summary: provide a way to disable any set SetEnv and SendEnv
           Product: Portable OpenSSH
           Version: v9.0p1
          Hardware: Other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: calestyo at scientia.org

It would be nice to have counterparts of ClearAllForwardings for SetEnv
and SendEnv (probably independently for each).


Consider a user uses those in his ssh_config, maybe to even forward
sensitive data (whether that's smart is of course another topic).

Now there may be programs that internally use a ssh connection for
something, and which know already for sure that no Send/SetEnvs will be
needed and they'd wish for a way to disable these.

One might think at first that it works to simply do:
-o SendEnv=-*
but while that would remove a previously set (on the command line)
-o SendEnv=foo
it doesn't affect anything from ssh_config, as this is parsed later
(which I think would be nice to have explicitly documented, again, I
could provide a patch if it helps).

A workaround for that is to use env and call e.g. env -i ssh ...

Perhaps it would be nice to have something like -o SendEnv=!PATTERN
which removes PATTERN permanently (i.e. cannot be re-added later).

But there doesn't seem to be a way to generally (and permanently)
remove any SetEnv set env vars.



Thanks,
Chris.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.