I've just discovered ~/.ssh/environment and the PermitUserEnvironment setting in OpenSSH Server. It works great for setting variables to literal strings; e.g.:
# host ~/.ssh/environment
PATH=/home/rlue/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
# client
$ ssh host 'echo $PATH'
/home/rlue/.local/bin:/usr/local/bin:/usr/bin:/bin:/usr/games
but variable expansion does not work:
# host ~/.ssh/environment
PATH=/home/rlue/.local/bin:$PATH
# client
$ ssh host 'echo $PATH'
/home/rlue/.local/bin:$PATH
I've found multiple questions that address this topic, with differing answers about whether variable expansion should work or not:
- "I figured it out, it was not expanding because I added a line PATH="$PATH:/new/path" to my ~/.ssh/environment when it should have been PATH=$PATH:/new/path"
- "You have double quotes, variable expansion and an alias definition. None of that will work."
- "~/.ssh/environment is read before a shell or ssh command is spawned, so (for example) neither export nor $PATH make sense."
- "proof that [it] works"
The author of that last post said he confirmed he got it working with the same version of OpenSSH server that I'm running (1:7.9p1-10+deb10u2 on Debian stable), but I followed his directions to the letter and I'm still getting a literal $PATH (i.e., no variable expansion).
Does anyone have a definitive answer re: whether it's supposed to work, and if so, what my configuration is missing?
PermitUserEnvironment -- that's a very dangerous setting which allows users to bypass their login shell and ForcedCommand, and may also trip other security assumptions. Users can safely and easily set environment variables in their initialization scripts, there's no need to use PermitUserEnvironment at all, ever. – Nov 05 '20 at 05:28
AcceptEnv. – Nov 05 '20 at 05:30
ssh, you can do it with if [ "$SSH_CONNECTION" ]; then export PATH=$PATH:/foo/bar; fi or similar. – Nov 05 '20 at 05:49
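
Added example (not part of the original question or its comments): a small Python model of the behaviour the asker observed, where each NAME=value line of ~/.ssh/environment is stored verbatim with no shell involved, together with a check of the global PermitUserEnvironment value that the first comment warns about. The function names and sample inputs are constructed for illustration, and the literal-parsing rules are an assumption about sshd that matches the output shown in the question.

```python
# Added example: a model of how ~/.ssh/environment lines are taken.
# Assumption: sshd stores each NAME=value line verbatim; no shell is involved.

def parse_ssh_environment(text):
    """Return (env, warnings) for the contents of an environment file."""
    env, warnings = {}, []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.lstrip(" \t")                  # leading blanks are skipped
        if not line or line.startswith("#"):      # blank line or comment
            continue
        name, sep, value = line.partition("=")    # split at the first '='
        if not sep:
            warnings.append((lineno, "no '=' on this line; ignored"))
            continue
        env[name] = value                         # stored exactly as written
        if "$" in value:
            warnings.append((lineno, "'$' stays literal; nothing expands it"))
        if value[:1] in ('"', "'"):
            warnings.append((lineno, "quotes become part of the value"))
        if name.startswith("export "):
            warnings.append((lineno, "'export' becomes part of the name"))
    return env, warnings


def permit_user_environment(sshd_config_text):
    """Global PermitUserEnvironment value: first occurrence wins, default 'no'.
    Simplification: stops at the first Match block and ignores Include."""
    for raw in sshd_config_text.splitlines():
        words = raw.split("#", 1)[0].replace("=", " ", 1).split()
        if words and words[0].lower() == "match":
            break                                 # per-user overrides not modelled
        if len(words) > 1 and words[0].lower() == "permituserenvironment":
            return words[1]                       # 'yes', 'no' or a pattern list
    return "no"


# Constructed sample input; the PATH line is the one quoted in the question.
SAMPLE_ENV = (
    "# host ~/.ssh/environment\n"
    "PATH=/home/rlue/.local/bin:$PATH\n"
    'EDITOR="vim"\n'
    "export LANG=C\n"
)
SAMPLE_SSHD_CONFIG = "# constructed\nPermitUserEnvironment yes\n"

if __name__ == "__main__":
    print("PermitUserEnvironment:", permit_user_environment(SAMPLE_SSHD_CONFIG))
    print(*parse_ssh_environment(SAMPLE_ENV), sep="\n")
```

Any value other than "no" from permit_user_environment means user-supplied environment files are honoured on that host, which is the condition the first comment describes as dangerous.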