Greg Hudson wrote:
> It might be reasonable to have said from the start, "if you're in the
> third situation, then your hook scripts should clear their own
> environments," but we can't start saying that in release 1.7. We can
> detect a setuid or setgid bit, but we cannot detect a restricted shell
> situation (such as when .ssh/authorized-keys contains a "command"
> directive), so we can't really intuit when it's safe to propagate the
> environment.
>
If .ssh/authorized_keys has a command directive, the only way the user could set environment variables in OpenSSH is if the server has a set of potentially malicious variable names in the AcceptEnv configuration variable. It accepts no variables by default, and the manual warns "that some environment variables could be used to bypass restricted user environments".

But like I said, I'm happy with it being configurable. Do you want a patch for that too? It's a fair bit more complicated than the one I already did, so I didn't want to try it without at least in-principle approval.

-- 
Tim Starling
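The two controls the exchange above turns on, an sshd `AcceptEnv` allowlist on the server side and a hook that clears its own environment on the repository side, can both be checked in a few lines of shell. The following script is an added example, not code from this thread, from Subversion or from OpenSSH; the function names (`audit_acceptenv`, `run_hook_clean`, `demo`), the allowlists and the sample sshd_config and hook it builds in a temporary directory are all assumptions made for the illustration.

```shell
#!/bin/sh
# Added example, not code from this thread, from Subversion or from OpenSSH.
# Two defender-side checks for the situation discussed above:
#   audit_acceptenv  - flag AcceptEnv directives in an sshd_config that let a
#                      client push variables beyond the usual locale names
#   run_hook_clean   - run a hook with a cleared environment, keeping only an
#                      allowlist, so it does not rely on what sshd propagated
# Function names, the allowlists and the sample files are assumptions.

# Variables a hook may inherit; everything else is dropped (assumed list).
HOOK_KEEP_VARS="PATH LANG"

# audit_acceptenv FILE
# Prints every AcceptEnv pattern that is not LANG or an LC_ locale name.
# Exit status 1 if anything was flagged, 0 if the file looks clean.
audit_acceptenv() (
    set -f                              # patterns like LC_* must not glob-expand
    rc=0
    while read -r key patterns || [ -n "$key" ]; do
        # Blank and comment lines are skipped; keywords are case-insensitive.
        key=$(printf '%s' "$key" | tr 'A-Z' 'a-z')
        case "$key" in acceptenv) ;; *) continue ;; esac
        patterns=${patterns%%#*}        # drop a trailing comment
        for p in $patterns; do
            case "$p" in
                LANG|LC_*) ;;           # locale names, including the LC_* wildcard
                *) echo "unsafe AcceptEnv pattern: $p"; rc=1 ;;
            esac
        done
    done < "$1"
    exit $rc
)

# run_hook_clean HOOK [ARGS...]
# Execs HOOK under 'env -i' with only the allowlisted variables that are
# currently set, so anything a client managed to propagate is gone.
run_hook_clean() (
    hook=$1; shift
    set -- "$hook" "$@"
    for v in $HOOK_KEEP_VARS; do
        if eval "[ -n \"\${$v+set}\" ]"; then
            # Prepend NAME=value so the list becomes: NAME=value ... HOOK ARGS
            eval "set -- \"$v=\$$v\" \"\$@\""
        fi
    done
    exec env -i "$@"
)

# Self-contained demonstration on constructed files in a temporary directory.
demo() (
    dir=$(mktemp -d)
    # Constructed sshd_config: the locale entries pass, FOO_* and TERM do not.
    printf 'PermitRootLogin no\nAcceptEnv LANG LC_*\nAcceptEnv FOO_* TERM\n' > "$dir/sshd_config"
    audit_acceptenv "$dir/sshd_config" || echo "sshd_config needs review"
    # Constructed hook that only lists the variable names it inherited.
    printf '#!/bin/sh\nenv | cut -d= -f1 | sort\n' > "$dir/hook"
    chmod +x "$dir/hook"
    CLIENT_SUPPLIED=1; export CLIENT_SUPPLIED   # stands in for a propagated variable
    echo "hook saw:"
    run_hook_clean "$dir/hook"
    rm -rf "$dir"
)
demo
```

`run_hook_clean` rebuilds the positional parameters rather than using a bash array so that it stays POSIX sh; because the function body is a subshell, `exec` replaces only that subshell and the caller's environment is untouched. The audit deliberately treats any pattern other than `LANG`/`LC_*` as worth a look, which matches the default of accepting nothing at all.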