Bug 1158

Summary: Setting the environment in authorized_keys does not work
Product: Portable OpenSSH Reporter: Michael Henry <michael.henry>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: normal    
Priority: P2    
Version: 3.9p1   
Hardware: ix86   
OS: Linux   

Description Michael Henry 2006-02-15 18:37:31 AEDT 
I'm using CentOS 4.2 with all the latest patches. As per the O'Reilly book "SSH, The Secure Shell: The Definitive Guide" (http://www.unix.org.ua/orelly/networking_2ndEd/ssh/ch08_02.htm#ch08-65720.html) I have prepended this string to my key in authorized_keys:

environment="LOGNAME=mhenry" ssh-dss AAAAB3Nz.....

The manpage also suggests that this syntax is supported. However, logging into this account using my key I see that the environment is not set:

Using username "cvsstore".
Authenticating with public key "dsa-key-20051105" from agent
Last login: Wed Feb 15 18:19:15 2006 from amitabha.axegroup.local
[cvsstore@axefs1 ~]$ env | grep LOGNAME
LOGNAME=cvsstore

Also: using multiple "environment" entries results in the ssh connection attempt being rejected.

Thanks,

    Michael
Comment 1 Darren Tucker 2006-02-15 19:33:53 AEDT 
(In reply to comment #0)
> I have prepended this string to my key in authorized_keys:
> environment="LOGNAME=mhenry" ssh-dss AAAAB3Nz.....
> 
> The manpage also suggests that this syntax is supported. However, logging into
> this account using my key I see that the environment is not set:

Have you enabled PermitUserEnvironment in sshd_config?  It defaults to "no", and be aware that it may permit users to monkey around with things like LD_PRELOAD.

> [cvsstore@axefs1 ~]$ env | grep LOGNAME
> LOGNAME=cvsstore

Do any of the shell startup scripts set LOGNAME?  My /etc/profile does but I'm not sure if it's stock or a local addition.

> Also: using multiple "environment" entries results in the ssh connection
> attempt being rejected.

Now that might be a bug, I'll take a look at it.
Comment 2 Darren Tucker 2006-02-15 19:41:04 AEDT 
(In reply to comment #1)
> > Also: using multiple "environment" entries results in the ssh connection
> > attempt being rejected.
> 
> Now that might be a bug, I'll take a look at it.

This works for me as long as PermitUserEnvironment is enabled:
environment="FOO=bar",environment="BAR=baz" ssh-rsa AAAAB3N[...]
Comment 3 Michael Henry 2006-02-16 09:08:15 AEDT 
Thanks for the prompt reply Darren!

I do have: PermitUserEnvironment yes

You make a very good point about login scripts setting the LOGNAME variable. Let me just check...

Ha! /etc/profile has: LOGNAME=$USER

Now for the final point - multiple "environment" entries. I see you have a comma-separated list. As per the man-page I was using spaces to separate my entries: "Each RSA public key consists of the following fields, separated by spaces: options, bits, exponent, modulus, comment."

So I had:

environment="LOGNAME=mhenry" environment="CVSUSER=mhenry" ssh-dss AAAAB3N....

Let me just change that space to a comma... WooHoo! That's done it!

Thanks for your help!
Comment 4 Darren Tucker 2006-10-07 11:44:30 AEST 
Change all RESOLVED bug to CLOSED with the exception of the ones fixed post-4.4.