Displaying 2 results from an estimated 2 matches for "pamsessionacceptenv".
2024 Dec 20
1
PAM session setup and environment variables
...sky given that some PAM session modules like pam_namespace and
> > pam_exec invoke external executables and could be affected by e.g. LD_*
> > variables.
> >
> > If we're aiming for flexibility without sacrificing security, then a new
> > sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify
> > what is allowed to be forwarded to the PAM session modules.
>
> Thanks for chiming in. How about we accept variables from a narrow allow-
> list (XDG_SESSION_CLASS/TYPE, LC_*) for now and see how it goes?
Sounds good. Since nobody asked to forward LC...
2024 Dec 19
1
PAM session setup and environment variables
...cceptEnv
> could be risky given that some PAM session modules like pam_namespace and
> pam_exec invoke external executables and could be affected by e.g. LD_*
> variables.
>
> If we're aiming for flexibility without sacrificing security, then a new
> sshd_config keyword (e.g. PAMSessionAcceptEnv) could be added to specify
> what is allowed to be forwarded to the PAM session modules.
Thanks for chiming in. How about we accept variables from a narrow allow-
list (XDG_SESSION_CLASS/TYPE, LC_*) for now and see how it goes?
-d