
I want to send some environment variables over ssh. I amended the sshd_config at the server, adding a file in /etc/ssh/sshd_config.d containing:

# NB This DOES NOT conflict with PermitUserEnvironment=No
AcceptEnv NOTIF* LANG LC_*

and restarted sshd. Running ssh -o SendEnv=NOTIF* localhost printenv, the variables were not set at the remote end.

There was already an entry in /etc/ssh/sshd_config containing AcceptEnv LANG LC_*. Commenting that out + restarting had no impact on behaviour.

$ export NOTIFY_WHAT="SERVICE"
$ export NOTIFY_SHORTDATETIME="CRIT"
$ export NOTIFY_HOSTNAME="web.example.com"
$ export NOTIFY_HOSTOUTPUT="host is up"
$ export NOTIFY_HOSTSTATE="OK"
$ export NOTIFY_NOTIFICATIONTYPE="PROBLEM"
$ export NOTIFY_SERVICEDESC="cmk-test"
$ export NOTIFY_SERVICEOUTPUT="oh no its broken!"
$ export NOTIFY_SERVICESTATE="CRIT"

$ ssh -o SendEnv=NOTIF* localhost printenv
SHELL=/bin/bash
LANGUAGE=en_US.UTF-8
SSH_AUTH_SOCK=/tmp/ssh-XXXXIxNz4o/agent.8579
PWD=/home/symcbean
LOGNAME=symcbean
MOTD_SHOWN=pam
HOME=/home/symcbean
LANG=C.UTF-8
SSH_CONNECTION=127.0.0.1 35340 127.0.0.1 22
USER=symcbean
SHLVL=0
SSH_CLIENT=127.0.0.1 35340 22
LC_ALL=C
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
_=/usr/bin/printenv

So it's not working, but oddly, a modified LANG is sent:

$ export LANG=en_GB.UTF-8
$ ssh -o SendEnv=NOTIF* localhost printenv
SHELL=/bin/bash
LANGUAGE=en_US.UTF-8
SSH_AUTH_SOCK=/tmp/ssh-XXXXIxNz4o/agent.8579
PWD=/home/symcbean
LOGNAME=symcbean
MOTD_SHOWN=pam
HOME=/home/symcbean
LANG=en_GB.UTF-8
SSH_CONNECTION=127.0.0.1 35340 127.0.0.1 22
USER=symcbean
SHLVL=0
SSH_CLIENT=127.0.0.1 35340 22
LC_ALL=C
PATH=/usr/local/bin:/usr/bin:/bin:/usr/games
_=/usr/bin/printenv

(although I am connecting using localhost, client and server run on separate WSL containers. Client is 1:8.9p1-3ubuntu0.7, Server is openssh-server 1:9.2p1-2+deb12u3).

Just so there is no ambiguity:

$ ssh -o SendEnv=NOTIF* localhost 'find /etc/ssh -type f -exec grep -H AcceptEnv {} \;'
grep: /etc/ssh/ssh_host_ed25519_key: Permission denied
grep: /etc/ssh/ssh_host_rsa_key: Permission denied
grep: /etc/ssh/ssh_host_ecdsa_key: Permission denied
/etc/ssh/sshd_config.d/allowcheckmk:AcceptEnv NOTIF* LANG LC_*
/etc/ssh/sshd_config:# AcceptEnv LANG LC_*

UPDATE: With -vv I can see the client seems to be sending the data - it is not being accepted / is being dropped at the remote end...

debug1: Sending environment.
debug1: channel 2: setting env NOTIFY_SERVICESTATE = "CRIT"
debug2: channel 2: request env confirm 0
debug1: channel 2: setting env NOTIFY_HOSTSTATE = "OK"
debug2: channel 2: request env confirm 0
debug1: channel 2: setting env NOTIFY_WHAT = "SERVICE"
debug2: channel 2: request env confirm 0
...
  • Check your Include in sshd_config: typical is Include /etc/ssh/sshd_config.d/*.conf which won't match your extra config file... Commented Sep 26, 2024 at 16:07
  • Doh - thank you mr.spuratic. If you post as an answer I will accept. Commented Sep 26, 2024 at 16:16
  • So, what was the root cause in your case? I have the same issue as you posted, but no config /etc/ssh/sshd_config.d/ seems to be fiddling with AcceptEnv Commented Dec 11, 2024 at 22:23

1 Answer


To pass environment variables from the client to the server you need to:

  • use SendEnv on the client side
  • use AcceptEnv on the server side

(As you note, there is a related but distinct PermitUserEnvironment directive: this adds to the environment from other sources.)

Beartraps include:

  • sshd_config config not being (fully) read, or not reloaded after changes
  • AcceptEnv (or Include) accidentally appearing after a Match directive

You can test the server is set correctly with config-test mode:

# sshd -T | grep -i acceptenv
acceptenv NOTIF*

(the configuration is parsed case insensitively)

If you add -dd to set debug level 2 you'll also see Include related details:

debug2: /etc/ssh/sshd_config line 124: new include /etc/ssh/sshd_config.d/*.conf
debug2: /etc/ssh/sshd_config line 124: including /etc/ssh/sshd_config.d/000_local.conf

and in your case, possibly:

debug2: /etc/ssh/sshd_config line 124: no match for /etc/ssh/sshd_config.d/*.conf

The -T test mode reads the current configuration files; make sure to reload the service if there were changes to the configuration.

(If you really do use Match directives for this you can test the conditions by using -C ... along with -T -- check the sshd man page for details.)

You can see the whole process by running a once-off debug level 2 sshd:

/sbin/sshd -dd -oPort=2222
# from another terminal:
ssh -oPort=2222 "-oSendEnv=NOTIF*" localhost

(this debug server process will exit when the client disconnects)

In the server output after a connection you'll see "debug2: Setting env 0: ...", and in the client output after a successful login it will show the environment changes that were made.

There is a fail safe limit on the number of allowed variables (as of openssh-9.7p1 it's a hard-coded 128).

As far as I know only the TERM variable is a special case as it's required to be sent by the protocol. To explain LANG changes, perhaps pam_env and system rc scripts will lead you to that rabbit hole...
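The two beartraps named in this answer (a drop-in file the Include glob never picks up, and AcceptEnv landing under a Match) can be checked mechanically before reaching for sshd -T. The script below is an added example, not part of the answer and not OpenSSH's own code: it builds a throwaway sshd_config tree that mirrors the question (a drop-in called allowcheckmk with no .conf suffix, next to a correctly named one) and runs two checks against it. It assumes Include patterns are absolute paths; sshd also accepts paths relative to /etc/ssh, which this checker does not resolve. All file contents are constructed for the demonstration.

```shell
#!/bin/bash
# Added example (not the answer's or OpenSSH's code). Checks an sshd_config for:
#   1. files in an Include'd drop-in directory that no Include glob matches
#   2. AcceptEnv / Include lines that appear after a Match line (scoped, not global)
# Assumption: Include patterns are absolute paths (relative-to-/etc/ssh is not handled).

# Constructed fixture mirroring the question: "allowcheckmk" has no .conf suffix,
# so "Include .../sshd_config.d/*.conf" silently skips it.
make_fixture() {
  local root="$1"
  mkdir -p "$root/etc/ssh/sshd_config.d"
  cat > "$root/etc/ssh/sshd_config" <<EOF
Include $root/etc/ssh/sshd_config.d/*.conf
# AcceptEnv LANG LC_*
PermitUserEnvironment no
Match User backup
    AcceptEnv BACKUP_*
EOF
  printf 'AcceptEnv NOTIF* LANG LC_*\n' > "$root/etc/ssh/sshd_config.d/allowcheckmk"
  printf 'AcceptEnv LANG LC_*\n' > "$root/etc/ssh/sshd_config.d/10-locale.conf"
}

# Check 1: regular files living in an Include'd directory that no Include glob
# in $1 matches. Prints one path per line; empty output means nothing was skipped.
unmatched_dropins() {
  local cfg="$1" pattern dir f all matched
  all=$(mktemp) || return 1
  matched=$(mktemp) || return 1
  # Include is matched case-insensitively, as sshd parses its directives.
  grep -iE '^[[:space:]]*Include[[:space:]]+' "$cfg" | awk '{print $2}' |
  while read -r pattern; do
    dir=$(dirname "$pattern")
    [ -d "$dir" ] || continue
    find "$dir" -maxdepth 1 -type f >> "$all"
    # Expand the pattern with shell globbing, the same way sshd's Include uses glob(3).
    for f in $pattern; do
      if [ -f "$f" ]; then echo "$f" >> "$matched"; fi
    done
  done
  sort -u -o "$all" "$all"
  sort -u -o "$matched" "$matched"
  comm -23 "$all" "$matched"
  rm -f "$all" "$matched"
}

# Check 2: AcceptEnv or Include lines after a Match line apply only to
# connections satisfying that Match, which is the second beartrap above.
directives_after_match() {
  awk 'tolower($1) == "match" { in_match = 1 }
       in_match && (tolower($1) == "acceptenv" || tolower($1) == "include") {
         print FILENAME ":" NR ": " $0 }' "$1"
}

# Demo against the constructed fixture. On a real host, point both checks at
# /etc/ssh/sshd_config and confirm the result with: sshd -T | grep -i acceptenv
demo_root=$(mktemp -d)
make_fixture "$demo_root"
echo "Drop-ins present but not matched by any Include glob:"
unmatched_dropins "$demo_root/etc/ssh/sshd_config"
echo "AcceptEnv/Include lines scoped under a Match:"
directives_after_match "$demo_root/etc/ssh/sshd_config"
rm -rf "$demo_root"
```

On the fixture the first check prints only the allowcheckmk path (10-locale.conf is matched by the glob), and the second flags the AcceptEnv BACKUP_* line because it sits under Match User backup. Renaming the drop-in to end in .conf, or widening the Include pattern, makes the first check go quiet; sshd -T remains the authoritative view of what the daemon actually loaded.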
