I've just discovered ~/.ssh/environment and the PermitUserEnvironment setting in OpenSSH Server. It works great for setting variables to literal strings; e.g.:
# host ~/.ssh/environment
PATH=/home/rlue/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
# client
$ ssh host 'echo $PATH'
/home/rlue/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
but variable expansion does not work:
# host ~/.ssh/environment
PATH=/home/rlue/.local/bin:$PATH
# client
$ ssh host 'echo $PATH'
/home/rlue/.local/bin:$PATH
I've found multiple questions that address this topic, with differing answers about whether variable expansion should work or not:
- "I figured it out, it was not expanding because I added a line PATH="$PATH:/new/path" to my ~/.ssh/environment when it should have been PATH=$PATH:/new/path"
- "You have double quotes, variable expansion and an alias definition. None of that will work."
- "~/.ssh/environment is read before a shell or ssh command is spawned, so (for example) neither export nor $PATH make sense."
- "proof that [it] works"
The author of that last post said he confirmed he got it working with the same version of OpenSSH server that I'm running (1:7.9p1-10+deb10u2 on Debian stable), but I followed his directions to the letter and I'm still getting a literal $PATH (i.e., no variable expansion).
Does anyone have a definitive answer re: whether it's supposed to work, and if so, what my configuration is missing?
1 Answer
Checking the source code, the relevant functions are read_environment_file() in session.c and child_set_env() in misc.c. These are simple functions - just read lines of the form var=value and set them, checking for limits and validity, but without doing any additional processing of the values. That's also what the manpage says:
Additionally, ssh reads ~/.ssh/environment, and adds lines of the format "VARNAME=value" to the environment if the file exists and users are allowed to change their environment.
So, no, it's not supposed to, going by documentation or by code.
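A small model of the behaviour this answer describes, added here as an example and not taken from OpenSSH's session.c or misc.c: each line is split at the first '=' and the value is stored byte for byte, so $PATH and quote characters stay literal. The struct, function names, buffer sizes and sample file contents are assumptions made for illustration.

```c
/* Added model of the var=value parsing described above; not OpenSSH source. */
#include <stdio.h>
#include <string.h>
struct env_var { char name[64]; char value[256]; };   /* sizes are assumptions */

/* Parse one line into out. Returns 1 if stored, 0 if skipped or rejected. */
static int parse_env_line(const char *line, struct env_var *out)
{
    while (*line == ' ' || *line == '\t') line++;      /* skip leading blanks */
    if (*line == '\0' || *line == '#') return 0;       /* blank or comment */
    const char *eq = strchr(line, '=');
    if (eq == NULL || eq == line) return 0;            /* not var=value */
    size_t nlen = (size_t)(eq - line), vlen = strlen(eq + 1);
    if (nlen >= sizeof out->name || vlen >= sizeof out->value) return 0;
    memcpy(out->name, line, nlen);
    out->name[nlen] = '\0';
    memcpy(out->value, eq + 1, vlen + 1);   /* copied byte for byte, no expansion */
    return 1;
}

/* Return the value stored for name in text, or NULL (static buffer, first match). */
static const char *env_value(const char *text, const char *name)
{
    static struct env_var var;
    char line[512];
    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len < sizeof line) {
            memcpy(line, text, len);
            line[len] = '\0';
            if (parse_env_line(line, &var) && strcmp(var.name, name) == 0)
                return var.value;
        }
        text += len + (text[len] == '\n');
    }
    return NULL;
}

/* Constructed sample contents for a ~/.ssh/environment file. */
static const char SAMPLE[] =
    "# host ~/.ssh/environment\n"
    "PATH=/home/rlue/.local/bin:$PATH\n"
    "EDITOR=\"vim\"\n"
    "not an assignment\n";

int main(void)
{
    printf("PATH=%s\n", env_value(SAMPLE, "PATH"));   /* $PATH stays literal */
    return 0;
}
```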
PermitUserEnvironment -- that's a very dangerous setting which allows users to bypass their login shell and ForcedCommand, and may also trip other security assumptions. Users can safely and easily set environment variables in their initialization scripts, there's no need to use PermitUserEnvironment at all, ever.
AcceptEnv
.ssh
, you can do it with if [ "$SSH_CONNECTION" ]; then export PATH=$PATH:/foo/bar; fi or similar.