OpenSSH environment passing - SSH


  1. OpenSSH environment passing

    I am using OpenSSH_4.0p1, OpenSSL 0.9.7c 30 Sep 2003 on a Solaris
    machine.
    I have seen the use of the environment="LOGNAME=mylogon" in the
    authorized_keys file and have implemented this.
    But...
    I log in and authenticate fine against this key but cannot see where
    LOGNAME has been changed. In debug mode (server and client) shows
    LOGNAME as the original and not the overridden value. Not sure if I am
    understanding the process correctly?
    Any help appreciated.


  2. Re: OpenSSH environment passing

    >>>>> "SLE" == simon l evans writes:

    SLE> I am using OpenSSH_4.0p1, OpenSSL 0.9.7c 30 Sep 2003 on a Solaris
    SLE> machine. I have seen the use of the
    SLE> environment="LOGNAME=mylogon" in the authorized_keys file and
    SLE> have implemented this. But... I log in and authenticate fine
    SLE> against this key but cannot see where LOGNAME has been
    SLE> changed. In debug mode (server and client) shows LOGNAME as the
    SLE> original and not the overridden value. Not sure if I am
    SLE> understanding the process correctly? Any help appreciated.

    Perhaps:

    $ man sshd_config
    ....
    PermitUserEnvironment
    Specifies whether ~/.ssh/environment and environment= options in
    ~/.ssh/authorized_keys are processed by sshd. The default is
    ``no''. Enabling environment processing may enable users to
    bypass access restrictions in some configurations using
    mechanisms such as LD_PRELOAD.
    ....

    --
    Richard Silverman
    res@qoxp.net


  3. Re: OpenSSH environment passing

    Yeah, I read the man page strangely enough. The problem was in the
    order of the values in the authorized_keys file...

    Did have:
    from, ssh-rsa , environment, comment
    also tried
    from, environment, ssh-rsa , comment

    then
    environment, ssh-rsa , from, comment
    and this last one worked. Hmmmm. Didn't see that in any docs.



    Richard E. Silverman wrote:
    > >>>>> "SLE" == simon l evans writes:

    >
    > SLE> I am using OpenSSH_4.0p1, OpenSSL 0.9.7c 30 Sep 2003 on a Solaris
    > SLE> machine. I have seen the use of the
    > SLE> environment="LOGNAME=mylogon" in the authorized_keys file and
    > SLE> have implemented this. But... I log in and authenticate fine
    > SLE> against this key but cannot see where LOGNAME has been
    > SLE> changed. In debug mode (server and client) shows LOGNAME as the
    > SLE> original and not the overridden value. Not sure if I am
    > SLE> understanding the process correctly? Any help appreciated.
    >
    > Perhaps:
    >
    > $ man sshd_config
    > ...
    > PermitUserEnvironment
    > Specifies whether ~/.ssh/environment and environment= options in
    > ~/.ssh/authorized_keys are processed by sshd. The default is
    > ``no''. Enabling environment processing may enable users to
    > bypass access restrictions in some configurations using
    > mechanisms such as LD_PRELOAD.
    > ...
    >
    > --
    > Richard Silverman
    > res@qoxp.net



  4. Re: OpenSSH environment passing

    On 2005-11-24, simon_l_evans@yahoo.co.uk wrote:
    > Yeah, I read the man page strangely enough. The problem was in the
    > order of the values in the authorized_keys file...
    >
    > Did have:
    > from, ssh-rsa , environment, comment
    > also tried
    > from, environment, ssh-rsa , comment


    There should be no space between the from and the environment. I suspect
    this one didn't let you authenticate at all.

    > then
    > environment, ssh-rsa , from, comment
    > and this last one worked.


    But the "from" restrictions won't since it's now part of the comment.
    That ought to be:
    environment="[foo]",from="[bar]" ssh-rsa comment

    > Hmmmm. Didn't see that in any docs.


    It's cleverly hidden in sshd(8) under "AUTHORIZED_KEYS FILE FORMAT"
    [...]
    Each line of the file contains one key (empty lines and lines starting
    with a '#' are ignored as comments). Each RSA public key consists of
    the following fields, separated by spaces: options, bits, exponent,
    modulus, comment. Each protocol version 2 public key consists of: options,
    keytype, base64 encoded key, comment. The options field is optional;
    [...]

    There's some examples too...

    --
    Darren Tucker (dtucker at zip.com.au)
    GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    Good judgement comes with experience. Unfortunately, the experience
    usually comes from bad judgement.
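
An added example, not part of any post in this thread: a small Python audit that applies the field order quoted above from sshd(8) (options, keytype, key, comment) to the four orderings tried in the thread, and reports options that ended up where they are not enforced. It is a simplified model of the format, not sshd's own parser; the key string, the `from` address and the comment are constructed placeholders, and `audit` and `first_field` are names chosen here.

```python
import re

KEY_TYPES = {"ssh-rsa", "ssh-dss", "ssh-ed25519"}
OPTION_LIKE = re.compile(r'\b(from|environment|command)=')
KEY = "AAAAB3NzaC1yc2EAAAADAQABAAAAgQconstructed"  # constructed placeholder, not a real key

def first_field(text):
    """Split off the first field; blanks inside double quotes do not end it."""
    in_quotes = False
    for i, ch in enumerate(text):
        if ch == '"' and (i == 0 or text[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch in " \t" and not in_quotes:
            return text[:i], text[i:].strip()
    return text, ""

def audit(line):
    """Return (status, detail) for one authorized_keys line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return ("skipped", "")
    field, rest = first_field(line)
    options = ""
    if field not in KEY_TYPES:           # the options field is optional
        options = field
        field, rest = first_field(rest)
    if field not in KEY_TYPES:
        return ("invalid", field)        # e.g. a second option after a space
    parts = rest.split(None, 1)          # base64 key, then free-text comment
    comment = parts[1] if len(parts) > 1 else ""
    stray = OPTION_LIKE.findall(comment)
    if stray:                            # looks like an option, but is only comment text
        return ("ignored-in-comment", ",".join(stray))
    return ("ok", options)

SAMPLES = [  # the four orderings from the thread, with constructed values
    f'from="192.0.2.10" ssh-rsa {KEY} environment="LOGNAME=mylogon" simon@host',
    f'from="192.0.2.10" environment="LOGNAME=mylogon" ssh-rsa {KEY} simon@host',
    f'environment="LOGNAME=mylogon" ssh-rsa {KEY} from="192.0.2.10" simon@host',
    f'environment="LOGNAME=mylogon",from="192.0.2.10" ssh-rsa {KEY} simon@host',
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(audit(sample), "<-", sample[:48])
```

The third ordering is the one to look for in a review: the key authenticates and the environment is set, but the `from` restriction is silently not applied.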

  5. Re: OpenSSH environment passing

    Nice one. Thanks for the pointers. Got it all working now.


    Darren Tucker wrote:
    > On 2005-11-24, simon_l_evans@yahoo.co.uk wrote:
    > > Yeah, I read the man page strangely enough. The problem was in the
    > > order of the values in the authorized_keys file...
    > >
    > > Did have:
    > > from, ssh-rsa , environment, comment
    > > also tried
    > > from, environment, ssh-rsa , comment

    >
    > There should be no space between the from and the environment. I suspect
    > this one didn't let you authenticate at all.
    >
    > > then
    > > environment, ssh-rsa , from, comment
    > > and this last one worked.

    >
    > But the "from" restrictions won't since it's now part of the comment.
    > That ought to be:
    > environment="[foo]",from="[bar]" ssh-rsa comment
    >
    > > Hmmmm. Didn't see that in any docs.

    >
    > It's cleverly hidden in sshd(8) under "AUTHORIZED_KEYS FILE FORMAT"
    > [...]
    > Each line of the file contains one key (empty lines and lines starting
    > with a '#' are ignored as comments). Each RSA public key consists of
    > the following fields, separated by spaces: options, bits, exponent,
    > modulus, comment. Each protocol version 2 public key consists of: options,
    > keytype, base64 encoded key, comment. The options field is optional;
    > [...]
    >
    > There's some examples too...
    >
    > --
    > Darren Tucker (dtucker at zip.com.au)
    > GPG key 8FF4FA69 / D9A3 86E9 7EEE AF4B B2D4 37C9 C982 80C7 8FF4 FA69
    > Good judgement comes with experience. Unfortunately, the experience
    > usually comes from bad judgement.


