12-13-2004 12:45 AM
SSH environment tag option in public keys files
Hello,
I'm a bit upset with how the sshd treats environment options in authorized_keys files.
According to what I read in the sshd and sshd_config manpages options are (surprise, surprise) only optional and would be neglected by the sshd if they didn't apply.
Because we Unix sysadmins all log in from a central login server via SSH before we su to root on the respective host, there was for me the requirement to carry along with my public keys a special environment variable that should give me the possibility to set up an individual environment that suits my needs on the target hosts.
However, since this does not apply to all hosts I need to access, I'd simply wish that the environment tag should be neglected by sshds on hosts where this is so.
Of course I could create individual public keys and distribute them to my needs.
The catch is that our site runs a scheduled general key distribution scheme, so that every individual distribution would sooner or later be invalidated/overwritten by the process.
On the HP-UX hosts we use the HP-UX port of OpenSSH that HP boldly coined "HP-UX Secure Shell" (however, there are a few hosts where a custom-built sshd from OpenSSH sources serves).
# swlist|grep -i secure\ shell
T1471AA A.03.61.002 HP-UX Secure Shell
This depot installed this SSH version
# /opt/ssh/sbin/sshd -v
sshd: illegal option -- v
sshd version OpenSSH_3.6.1p2
Usage: sshd [options]
Options:
-f file Configuration file (default /opt/ssh/etc/sshd_config)
-d Debugging mode (multiple -d means more debugging)
-i Started from inetd
-D Do not fork into daemon mode
-t Only test configuration file and keys
-q Quiet (no logging)
-p port Listen on the specified port (default: 22)
-k seconds Regenerate server key every this many seconds (default: 3600)
-g seconds Grace period for authentication (default: 600)
-b bits Size of server RSA key (default: 768 bits)
-h file File from which to read host key (default: /opt/ssh/etc/ssh_host_key)
-u len Maximum hostname length for utmp recording
-4 Use IPv4 only
-6 Use IPv6 only
-o option Process the option as if it was read from a configuration file.
From "man sshd" I read, as for the environment tag:
environment="NAME=value"
Specifies that the string is to be added to the environment when
logging in using this key. Environment variables set this way
override other default environment values. Multiple options of
this type are permitted. Environment processing is disabled by
default and is controlled via the PermitUserEnvironment option.
This option is automatically disabled if UseLogin is enabled.
When I log in to one host from our login server I get "Bad option" errors.
$ ssh -v yokel@darling 2>&1|grep Bad
debug1: Remote: Bad options in /home/yokel/.ssh/authorized_keys file, line 8: environment="DAISY_USER=grothe" ssh-rsa AAAAB3NzaC
debug1: Remote: Bad options in /home/yokel/.ssh/authorized_keys file, line 9: environment="DAISY_USER=grothe" ssh-dss AAAAB3NzaC
Hm, when I configure darling's sshd to permit users' environment settings it works.
PermitUserEnvironment
Specifies whether ~/.ssh/environment and environment= options in
~/.ssh/authorized_keys are processed by sshd. The default is
``no''. Enabling environment processing may enable users to
bypass access restrictions in some configurations using
mechanisms such as LD_PRELOAD.
# grep ^PermitUser /opt/ssh/etc/sshd_config
PermitUserEnvironment yes
# kill -1 $(cat /var/run/sshd.pid)
$ ssh yokel@darling hostname
darling
But this isn't quite what I want, because it's a little degradation of security to allow every user to set up an environment on every host (see the remark in the sshd manpage excerpt above).
That's why I want the environment tag to be generally neglected by most hosts' sshds but a few.
Does anyone know a configuration hack that I am missing?
Or is this connected with the special HP depot's SSH?
Regards
Ralph
Madness, thy name is system administration
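As an added example for this thread (not sshd's source and not Ralph's setup), a small Python model of how sshd applies PermitUserEnvironment to the environment= option on an authorized_keys line. legacy_reject=True reproduces what the OpenSSH 3.6.1p2 output above shows (the whole key line becomes "Bad options" and the key is unusable); legacy_reject=False models OpenSSH 7.8 and later, where PermitUserEnvironment also accepts a pattern-list of variable names and a variable that is not permitted is dropped at session setup while the key still authenticates, which is the "neglect it" behaviour asked for. The key-type prefixes, the sample lines and the DAISY_* pattern are constructed for the example.

```python
"""Added model (not sshd's code) of how sshd treats environment="NAME=value" in
authorized_keys under PermitUserEnvironment, in both the 3.6-era form seen in
this thread and the OpenSSH 7.8+ form, where the setting may be a pattern-list."""
import fnmatch

KEY_TYPES = ("ssh-rsa", "ssh-dss", "ssh-ed25519", "ecdsa-sha2-", "sk-")

def split_options(line):
    """Return (options, remainder) for the quoted, comma-separated option list."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur, i = cur + '"', i + 2      # escaped quote inside a quoted value
            continue
        if c == '"':
            quoted = not quoted
        elif c == "," and not quoted:
            opts, cur = opts + [cur], ""
        elif c in " \t" and not quoted:
            break                          # options end at the first bare blank
        else:
            cur += c
        i += 1
    return (opts + [cur] if cur else opts), line[i:].lstrip()

def env_permitted(name, permit_user_environment):
    """'no' / 'yes', or (7.8+) a pattern-list of names; '!' negation not modelled."""
    setting = permit_user_environment.strip()
    if setting.lower() in ("no", "yes"):
        return setting.lower() == "yes"
    return any(fnmatch.fnmatchcase(name, p) for p in setting.split(","))

def evaluate_line(line, permit_user_environment="no", legacy_reject=True):
    """Return (key_accepted, env). legacy_reject=True is the 3.6 behaviour from the
    thread: a non-permitted environment= option makes the whole line "Bad options"."""
    line = line.strip()
    if not line or line.startswith("#"):
        return False, {}
    if line.split(None, 1)[0].startswith(KEY_TYPES):
        return True, {}                    # bare key, no options to check
    env = {}
    for opt in split_options(line)[0]:
        if not opt.lower().startswith("environment="):
            continue                       # command=, from=, no-pty etc. not modelled
        name, _sep, value = opt[len("environment="):].partition("=")
        if env_permitted(name, permit_user_environment):
            env[name] = value
        elif legacy_reject:
            return False, {}               # "Bad options in .../authorized_keys"
    return True, env
```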