AcceptEnv * Insecurity – Why It’s Considered Unsafe

Tags: environment-variables, linux, security, ssh

In /etc/ssh/sshd_config, there is an option called AcceptEnv that allows the ssh client to send environment variables. I need to be able to send a large number of environment variables. These change on every connection from the client, so putting them in a login script on the server would be more difficult.

I've read that "AcceptEnv *" is insecure. I'd like to understand why before I try to get a list of all of the environment variables that are attempted to be set to put there.

Why is it considered insecure? Can I get an example?

Best Answer

Enabling environment processing may enable users to bypass access restrictions in some configurations using mechanisms such as LD_PRELOAD.

Not all versions of the man pages for sshd_config mention this. If your environment variables are changed beforehand and certain privileged processes are executed with new libraries specified by this, issues can result.

Take a look at http://www.dankalia.com/tutor/01005/0100501004.htm and search for "LD_PRELOAD Exploit". Sorry, the page has no anchor links.

See also StackOverflow question: What is the LD_PRELOAD trick?

Setting environment variables after connection is fine, but when those variables are interpreted by the ssh daemon as set by AcceptEnv, Bad Things may occur.
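The practical consequence of the answer above is that `AcceptEnv` should name an explicit, short list of harmless variables (the locale variables `LANG` and `LC_*` are the usual ones) rather than `*`. The following audit script is an added example, not code from the original question or answer: it scans an `sshd_config` file, flags any `AcceptEnv` token that is a wildcard or that falls outside a locale-only allowlist, and builds its own constructed sample configs so it runs offline. The allowlist (`LANG`, `LC_*`) and the function names are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the original Q&A): audit an sshd_config for
# over-broad AcceptEnv directives. Assumed allowlist: LANG and LC_* only.

# check_acceptenv FILE
# Prints one line per offending AcceptEnv token.
# Returns 0 when every AcceptEnv token is on the allowlist, 1 otherwise.
check_acceptenv() {
    file="$1"
    status=0

    # Gather the argument lists of every AcceptEnv line (the directive may
    # repeat, and sshd matches it case-insensitively). Comment lines start
    # with '#' and are not matched. The first token (the directive) is stripped.
    patterns=$(grep -i '^[[:space:]]*AcceptEnv[[:space:]]' "$file" \
        | sed 's/^[[:space:]]*[^[:space:]]*[[:space:]]*//')

    # Disable filename globbing: a bare "*" token must not expand to the
    # contents of the current directory during word splitting.
    set -f
    for p in $patterns; do
        case "$p" in
            LANG|LC_*)
                # Locale variables: harmless, allowed.
                ;;
            *'*'*|*'?'*)
                # Any wildcard lets the client choose variable names such as
                # LD_PRELOAD, which is the risk the answer describes.
                echo "WILDCARD: $p"
                status=1
                ;;
            *)
                # An explicit name outside the allowlist; review it.
                echo "BROAD: $p"
                status=1
                ;;
        esac
    done
    set +f
    return "$status"
}

# acceptenv_verdict FILE
# Convenience wrapper: prints "clean" or "unsafe", always returns 0.
acceptenv_verdict() {
    if check_acceptenv "$1" >/dev/null; then
        echo "clean"
    else
        echo "unsafe"
    fi
}

# Stand-alone demonstration on constructed sample configs (not real files
# from any system).
demo_acceptenv() {
    sample=$(mktemp)

    printf '# locale only\nAcceptEnv LANG LC_*\n' > "$sample"
    echo "locale-only config: $(acceptenv_verdict "$sample")"

    printf 'PermitRootLogin no\nAcceptEnv *\n' > "$sample"
    echo "wildcard config:    $(acceptenv_verdict "$sample")"
    check_acceptenv "$sample" || true

    printf 'acceptenv LANG LD_PRELOAD\n' > "$sample"
    echo "explicit LD_PRELOAD: $(acceptenv_verdict "$sample")"
    check_acceptenv "$sample" || true

    rm -f "$sample"
}

# Run the demo only when executed directly, not when sourced.
case "$0" in
    *sh) ;;
    *) demo_acceptenv ;;
esac
```

Run it against the real file with `check_acceptenv /etc/ssh/sshd_config` after sourcing the script; a non-zero exit means at least one token needs attention. The fix the answer implies is to replace `AcceptEnv *` with the explicit list of variables you actually need, and to keep that list free of anything the dynamic loader or a privileged process would honour.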