I've got the following problem: I'm trying to push/set an env variable via

ssh -o SendEnv=APITOKEN host

On the remote host the setup is as follows:

This line in /etc/ssh/sshd_config:

AcceptEnv LANG LC_* XMODIFIERS APITOKEN

In authorized_keys we have the following:

command="bin/login XXX"

The login script looks like this:

#!/usr/bin/env bash
## Auto-Root Wrapper script

if [ -n "$1" ]; then
  export REMOTE_USER=$1
fi
if [ -n "${SSH_ORIGINAL_COMMAND}" ]; then
  # if there is an ssh command set, we check for known
  # workarounds and then execute the command
  case "${SSH_ORIGINAL_COMMAND}" in
    scp\ *|rsync\ --server*|*/sftp-server)
      logger -p auth.info -t $(basename $0) "user: $REMOTE_USER     filetransfer: ${SSH_ORIGINAL_COMMAND}"
      exec sudo /bin/sh -c "cd /root/;exec ${SSH_ORIGINAL_COMMAND}"
      ;;

    *)
      logger -p auth.info -t $(basename $0) "user: $REMOTE_USER shell    command: ${SSH_ORIGINAL_COMMAND}"
      sudo bash -s <<<${SSH_ORIGINAL_COMMAND}
      ;;

  esac
else
  # if there is no command, we will just return a login shell
  logger -p auth.info -t $(basename $0) "user: $REMOTE_USER starting     interactive shell"
  if [ -e /etc/motd ]; then
    cat /etc/motd
  fi
  sudo -i bash
fi

When I get my shell, I test whether $APITOKEN is set, but it's empty. I don't know why. ssh -vvv gives the following:

debug1: Sending env APITOKEN = test
debug2: channel 0: request env confirm 0
debug3: send packet: type 98

Does anyone have a hint?

    
sudo strips env vars except for a white list. Call it as sudo "APITOKEN=$APITOKEN" .... See also the -H option to avoid the cd /root. Now, what if the user does ssh host 'scp ;reboot' or worse (including scp somefile /etc/shadow)? – Stéphane Chazelas Nov 21 '16 at 11:22
    
I mean, I want to have the env var set for my session. So I connect, make changes and then I can use my $APITOKEN to push changes to an API we use. But every user has his own API token and we work as root on systems, and we also don't want to note the tokens in a text file on the system, so my idea of setting it as an env var for the session doesn't seem that stupid, does it? – TheBadBossy Nov 21 '16 at 11:27
    
Again, the problem is that sudo wipes the environment clean. Best here would be to do without sudo. Just login as root in the first place. – Stéphane Chazelas Nov 21 '16 at 11:32
    
That's the key, we don't want to log in as root from the beginning. We connect as user "bla", then with the script above we become root. We log in with bla because we want to see when each member of the company connects to the system without searching in logfiles. Is there maybe a workaround, or do you have another idea? – TheBadBossy Nov 21 '16 at 11:37
    
Could this also have something to do with PermitUserEnvironment no in the remote sshd's /etc/ssh/sshd_config? – Christopher Nov 21 '16 at 14:56
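
The two points raised in the comments above (sudo drops APITOKEN unless it is passed explicitly, and the file-transfer branch hands SSH_ORIGINAL_COMMAND to a root shell), as an added example that is not part of the original post. The function names and the character allowlist are assumptions made for illustration.

```sh
#!/bin/sh
# Added example, not the asker's script. The functions only print a decision,
# so they can be run without root; the caller would act on the result.

# Arguments to put after "sudo" for the interactive branch. sudo resets the
# environment, so the APITOKEN that sshd accepted via AcceptEnv is dropped
# unless it is passed explicitly as VAR=value (subject to sudoers policy).
sudo_shell_args() {
  if [ -n "${APITOKEN:-}" ]; then
    printf '%s\n' "APITOKEN=$APITOKEN" -i bash
  else
    printf '%s\n' -i bash
  fi
}

# Classify SSH_ORIGINAL_COMMAND like the wrapper's case statement, but refuse
# a file-transfer command with characters outside a conservative allowlist
# (assumption), because that branch passes the string to "sh -c" as root.
# This does not limit which paths a transfer may write.
classify_command() {
  case "$1" in
    '') echo interactive ;;
    scp\ *|rsync\ --server*|*/sftp-server)
      case "$1" in
        *[![:alnum:][:blank:]./_=,:@+-]*) echo reject ;;
        *) echo transfer ;;
      esac ;;
    *) echo shell ;;
  esac
}

# Constructed sample commands, one per line.
samples='scp -t /tmp/upload
scp ;reboot
uptime'
printf '%s\n' "$samples" | while IFS= read -r cmd; do
  printf '%-10s %s\n' "$(classify_command "$cmd")" "$cmd"
done
```

Anything placed on sudo's command line is visible in the process list while the session runs; a sudoers `env_keep` entry for APITOKEN avoids that.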
