topic Re: Different PATH via SSH and Telnet in Operating System - HP-UX

Different PATH via SSH and Telnet

Crystal_1 — Sun, 02 May 2004 13:17:30 GMT

Hi, I recently found that I got different PATHs when I log on via SSH and TELNET. This is what I got by running set command:

Via SSH
PATH=/usr/bin:/bin:/usr/sbin:/sbin:/opt/openssh/bin:/

Via Telnet
PATH=/usr/bin::/opt/openssh/bin:

Doesn't SSH and Telnet use the same file /etc/profile for Korn Shell?

Anyone have idea?

Thanks
Crystal

Re: Different PATH via SSH and Telnet

Bill Hassell — Sun, 02 May 2004 16:45:54 GMT

Are you using the HP package for ssh on HP-UX? ssh and telnet logins both go through /etc/profile. I would add some debug echo's into /etc/profile and .profile that include where they are (filename) and the current value of $PATH. Normally, PATH is set with:

export PATH=$(cat /etc/PATH)

ABout the only controls for profiles in ssh is the PrintMotd option which is set to yes, the /etc/motd file will be displayed by ssh in addition to /etc/profile which also displays /etc/motd.

Re: Different PATH via SSH and Telnet

Crystal_1 — Sun, 02 May 2004 18:53:45 GMT

It's confirmed that there is no .profile in my home directory.

/etc/profile controls Telnet, but still no clue which file controls SSH....

Crystal

Re: Different PATH via SSH and Telnet

Steven E. Protter — Sun, 02 May 2004 21:17:23 GMT

Bill just said:

First /etc/profile is processed

then, if it exists .profile is processed.

Secure Shell(ssh), Telnet, thats what happens.

SEP

Re: Different PATH via SSH and Telnet

Zeev Schultz — Mon, 03 May 2004 03:27:06 GMT

If you've compiled the SSH there is
also a reference to PATH in the .configure :

--with-default-path= Specify default \$PATH environment for server

So I'd check .configure compile-time options.

rgds

Zeev

Re: Different PATH via SSH and Telnet

Andrew Cowan — Mon, 03 May 2004 05:09:19 GMT

The default behaviour of OpenSSH is NOT to use the traditional 'login' process. A crude experiment would be to change the parameter "uselogin" in "/etc/ssh/sshd_config" to yes, and restart the daemon. Now try to connect, and see if your settings have changed. You should not leave SSH like this as it is a security problem, but at least you can nail it down a bit more.

Re: Different PATH via SSH and Telnet

Crystal_1 — Mon, 03 May 2004 08:28:31 GMT

Hi Andrew,

Thanks for your answer. It is the UseLogin parameter controlling the login environment. Can you elaborate on this, why changing no to yes causes a security issue?

In addition, you know where is the defult PATH set up in SSH? Can I modify it?

The problem I am currently having is that when I su to another id, I lost the PATH that I had with my login id. Looks like this switched id does not execute /etc/profile or the default SSH PATH, but the .profile if possible.

Thanks,
Crystal

Re: Different PATH via SSH and Telnet

generic_1 — Mon, 03 May 2004 21:36:35 GMT

It would not be a bad idea to add a .profile that way you can push out all the tweaks you prefer in your environment so you do not have to fight these types of things every time you log into a box. If you have your ssh keys set up this can be pretty painless :).

Re: Different PATH via SSH and Telnet

Andrew Cowan — Tue, 04 May 2004 16:30:23 GMT

Hi Crystal,

Basically activating the uselogin takes the security control away from sshd, so any security settings like protecting environment variables, is nullified.

If you do a search from Google on ssh and uselogin, you should get a lot of in-depth explanations

Re: Different PATH via SSH and Telnet

Bill Hassell — Tue, 04 May 2004 21:44:20 GMT

Once you have logged in, your interface to HP-UX is through the shell so SSH won't have any ongoing effect except as setup prior to login. As far as $PATH not being set correctly by su, this is covered in the man page for su. If you use su user_name, you will get a terribly insecure environment. To have a predictable environment, you must always use su - user_name. That - is critical flag that performs a complete login. It is common for some sysadmins to simply type su to get to root--one of the most common habits that a hacker will exploit. You may want to put a wrapper around su that chastises anyone that does not use su -.