15

In /etc/ssh/sshd_config, there is an option called AcceptEnv that allows the ssh client to send environment variables. I need to be able to send a large number of environment variables. These change on every connection from the client, so putting them in a login script on the server would be more difficult.

I've read that "AcceptEnv *" is insecure. I'd like to understand why before I try to get a list of all of the environment variables that are attempted to be set to put there.

Why is it considered insecure? Can I get an example?

TheDauthi

2 Answers

17

Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.

Not all versions of the man pages for sshd_config mention this. If your environment variables are changed beforehand and certain privileged processes are executed with new libraries specified by this, issues can result.

Take a look at http://www.dankalia.com/tutor/01005/0100501004.htm and search for "LD_PRELOAD Exploit". Sorry, the page has no anchor links.

See also StackOverflow question: What is the LD_PRELOAD trick?

Setting environment variables after connection is fine, but when those variables are interpreted by the ssh daemon as set by AcceptEnv, Bad Things may occur.

pevik
Jeff Ferland
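
A defensive check for the risk described in the answer above, as an added example that is not part of the original answers: it parses sshd_config text, expands each AcceptEnv pattern (`*` and `?` wildcards) and reports which loader- or shell-sensitive variable names a client would be allowed to set. The `SENSITIVE` list, the `MYAPP_` prefix and the sample configuration are assumptions made for the example.

```python
import re

# Variables that change how a process loads code or parses input.
# This list is an assumption of the example; extend it for your environment.
SENSITIVE = ["LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT", "PATH",
             "BASH_ENV", "ENV", "IFS", "PYTHONPATH", "PERL5LIB"]

def pattern_to_regex(pattern):
    """Translate an sshd_config pattern ('*' and '?' wildcards) to a regex."""
    parts = []
    for ch in pattern:
        parts.append(".*" if ch == "*" else "." if ch == "?" else re.escape(ch))
    return re.compile("".join(parts) + r"\Z", re.DOTALL)

def accept_env_patterns(config_text):
    """Collect every AcceptEnv pattern, including those inside Match blocks."""
    patterns = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = re.split(r"[\s=]+", line, maxsplit=1)
        # Keywords are case-insensitive; one line may carry several patterns.
        if fields[0].lower() == "acceptenv" and len(fields) == 2:
            patterns.extend(fields[1].split())
    return patterns

def audit(config_text):
    """Return {pattern: [sensitive names that pattern lets a client set]}."""
    findings = {}
    for pat in accept_env_patterns(config_text):
        rx = pattern_to_regex(pat)
        hits = [name for name in SENSITIVE if rx.match(name)]
        if hits:
            findings[pat] = hits
    return findings

# Constructed sample configuration, not taken from a real host.
SAMPLE = """\
# locale forwarding
AcceptEnv LANG LC_*
AcceptEnv MYAPP_*
acceptenv L*
AcceptEnv *
"""

if __name__ == "__main__":
    for pat, hits in audit(SAMPLE).items():
        print(f"AcceptEnv {pat!r} admits: {', '.join(hits)}")
```

A narrow application-specific prefix such as the hypothetical `MYAPP_*` accepts a large, changing set of variables without matching any name in the list, which is why it produces no finding here.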
-1

Do not accept environment variables:

See the Shellshock exploit that came out recently. If you accept environment variables then you are opening up a really nasty exploit.

Charles Duffy
John Hunt