Tumbleweed: prevent SSH client from sending environment variables
Hi,

Up until a few weeks ago, I ran OpenSUSE Leap as my daily driver. I only recently moved to Tumbleweed, which seems to get more attention by the OpenSUSE developers.

One of the things I did on my Leap system was reconfigure the SSH client in order to *not* send any environment variables.

To do this, I opened /etc/ssh/ssh_config and found the relevant stanza:

    SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
    SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
    SendEnv LC_IDENTIFICATION LC_ALL

I simply commented this out and reloaded SSH:

    # systemctl reload sshd

I tried to do this with Tumbleweed, but I don't have an /etc/ssh/ssh_config file. Instead, I only have an empty /etc/ssh/ssh_config.d directory. So I guess my SSH client has all default values defined at build time.

What would be an orthodox approach to prevent it from sending any environment variables ?

Thanks & cheers from Austria,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

On Wednesday, 17 August 2022, 08:56:10 CEST, Nicolas Kovacs wrote:
> To do this, I opened /etc/ssh/ssh_config and found the relevant stanza:
> I simply commented this out and reloaded SSH:
> # systemctl reload sshd
> I tried to do this with Tumbleweed, but I don't have an /etc/ssh/ssh_config file. Instead, I only have an empty /etc/ssh/ssh_config.d directory. So I guess my SSH client has all default values defined at build time.

Hi,

Tumbleweed is subject to what was termed "usrmerge". Basically, there are no more DEFAULTS in /etc - all the default configurations are now in /usr/etc. But when you make modifications they still go into /etc.

There is more to it than just that but for your purpose that should be sufficient, anyway you still make your modifications in the same place, you just find the defaults in /usr/etc now.

Hope that helps

Cheers
MH

--
Mathias Homann
Mathias.Homann@openSUSE.org
OBS: lemmy04
Jabber (XMPP): lemmy@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on liberachat and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

On 17/08/2022 at 09:11, Mathias Homann wrote:
> Tumbleweed is subject to what was termed "usrmerge". Basically, there are no more DEFAULTS in /etc - all the default configurations are now in /usr/etc. But when you make modifications they still go into /etc.
> There is more to it than just that but for your purpose that should be sufficient, anyway you still make your modifications in the same place, you just find the defaults in /usr/etc now.

Thanks for the heads-up.

Is this documented somewhere ? I don't quite understand the reason to do all this.

Cheers,

Niki

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

On Wednesday, 17 August 2022, 09:42:20 CEST, Nicolas Kovacs wrote:
> Is this documented somewhere ? I don't quite understand the reason to do all this.

https://en.opensuse.org/openSUSE:Usr_merge

Cheers
MH

--
Mathias Homann
Mathias.Homann@openSUSE.org
OBS: lemmy04
Jabber (XMPP): lemmy@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on liberachat and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

On 17/08/2022 at 09:51, Mathias Homann wrote:
> On Wednesday, 17 August 2022, 09:42:20 CEST, Nicolas Kovacs wrote:
>> Is this documented somewhere ? I don't quite understand the reason to do all this.
> https://en.opensuse.org/openSUSE:Usr_merge
> Cheers MH

Thanks very much !

--
Microlinux - Solutions informatiques durables
7, place de l'église - 30730 Montpezat
Site : https://www.microlinux.fr
Blog : https://blog.microlinux.fr
Mail : info@microlinux.fr
Tél. : 04 66 63 10 32
Mob. : 06 51 80 12 12

On 17.08.2022 10:51, Mathias Homann wrote:
> On Wednesday, 17 August 2022, 09:42:20 CEST, Nicolas Kovacs wrote:
>> Is this documented somewhere ? I don't quite understand the reason to do all this.

Which is completely unrelated to moving default configuration files to /usr.

https://en.opensuse.org/openSUSE:Packaging_UsrEtc

On Wednesday, 17 August 2022, 10:59:04 CEST, Andrei Borzenkov wrote:
> On 17.08.2022 10:51, Mathias Homann wrote:
>> On Wednesday, 17 August 2022, 09:42:20 CEST, Nicolas Kovacs wrote:
>>> Is this documented somewhere ? I don't quite understand the reason to do all this.
> Which is completely unrelated to moving default configuration files to /usr.

.. I thought that was all part of it. my bad.

--
Mathias Homann
Mathias.Homann@openSUSE.org
OBS: lemmy04
Jabber (XMPP): lemmy@tuxonline.tech
Matrix: @mathias:eregion.de
IRC: [Lemmy] on liberachat and ircnet (bouncer active)
keybase: https://keybase.io/lemmy
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102

On 8/17/22 02:42, Nicolas Kovacs wrote:
> Thanks for the heads-up.
> Is this documented somewhere ? I don't quite understand the reason to do all this.
> Cheers,
> Niki

Most distros have started this push toward what was envisioned as LSB a decade or more ago. Arch completed the merge several years ago. There is some quirkiness in where things actually end up, some arbitrariness as well, but so long as all (most) distros stick to the plan it will make things easier to maintain cross distro. (not that it was that hard before)

The ultimate goal is to create an environment for container'ized apps to know where everything is. (I think container'ized apps are junk and a kludge for those too lazy to manage a package tailored for the distro, and they are disk-storage hogs, but that's just my .02)

Sure, require 3 separate instances of apache to run, one for your groupware, one for your nextcloud, and one for your normal site pages -- makes sense to me (not). Why? (the real reason is people are too dumb to set the servers up with the dependencies and configs, so just wrap it all in a container and tell them how to type "start foo.img" and "stop foo.img" -- and that's supposed to help.)

At least the latest push to LSB is a good effort -- so long as it isn't solely to usher in containers, flatpacks, appimg, docker and all the other current trendy sandboxes.

--
David C. Rankin, J.D.,P.E.

On Wed, 17 Aug 2022 09:11:19 +0200 Mathias Homann wrote:
> On Wednesday, 17 August 2022, 08:56:10 CEST, Nicolas Kovacs wrote:
>> To do this, I opened /etc/ssh/ssh_config and found the relevant stanza:
>> I simply commented this out and reloaded SSH:
>> # systemctl reload sshd
>> I tried to do this with Tumbleweed, but I don't have an /etc/ssh/ssh_config file. Instead, I only have an empty /etc/ssh/ssh_config.d directory. So I guess my SSH client has all default values defined at build time.
> Hi,
> Tumbleweed is subject to what was termed "usrmerge". Basically, there are no more DEFAULTS in /etc - all the default configurations are now in /usr/etc. But when you make modifications they still go into /etc.
> There is more to it than just that but for your purpose that should be sufficient, anyway you still make your modifications in the same place, you just find the defaults in /usr/etc now.

I have used a modified sshd_config for many years on Leap and earlier openSUSE systems. When I moved to using Tumbleweed recently, I was unaware of 'usrmerge' and simply copied the modified sshd_config file from my backup into /etc/ssh/.

Will future upgrades overwrite my /etc/ssh/sshd_config file? Should I preempt this by

    # cp /usr/etc/ssh/sshd_config /etc/ssh/sshd_config

and then adding my changes to /etc/ssh/sshd_config.d/override.conf, for example? This would presumably make my system usrmerge-compliant, at least with respect to sshd.

Thanks

Bob

--
Bob Williams
No HTML please. Plain text preferred.
https://useplaintext.email/

On 8/17/22 15:20, Bob Williams wrote:
> I have used a modified sshd_config for many years on Leap and earlier openSUSE systems. When I moved to using Tumbleweed recently, I was unaware of 'usrmerge' and simply copied the modified sshd_config file from my backup into /etc/ssh/.
> Will future upgrades overwrite my /etc/ssh/sshd_config file? Should I preempt this by
> # cp /usr/etc/ssh/sshd_config /etc/ssh/sshd_config

If you copied it to /etc/ssh/sshd_config, keep in mind this file is no longer part of the configfiles but it will be used by default. Effectively, you will override the package default config and it will never change, etc. /usr/etc/ssh/sshd_config will not be used.

> and then adding my changes to /etc/ssh/sshd_config.d/override.conf, for example? This would presumably make my system usrmerge-compliant, at least with respect to sshd.

This is how you are supposed to do the changes in the first place ;)

The ideal system-wide changes are in files in /etc/ssh/sshd_config.d/*.conf files, and not to have /etc/ssh/sshd_config.

And yes, currently this doesn't allow you to prevent sending default language env to server.

- Adam

On Mon, 22 Aug 2022 14:47:24 +0200 Adam Majer wrote:
> On 8/17/22 15:20, Bob Williams wrote:
>> I have used a modified sshd_config for many years on Leap and earlier openSUSE systems. When I moved to using Tumbleweed recently, I was unaware of 'usrmerge' and simply copied the modified sshd_config file from my backup into /etc/ssh/.
>> Will future upgrades overwrite my /etc/ssh/sshd_config file? Should I preempt this by
>> # cp /usr/etc/ssh/sshd_config /etc/ssh/sshd_config
> If you copied it to /etc/ssh/sshd_config, keep in mind this file is no longer part of the configfiles but it will be used by default. Effectively, you will override the package default config and it will never change, etc. /usr/etc/ssh/sshd_config will not be used.
>> and then adding my changes to /etc/ssh/sshd_config.d/override.conf, for example? This would presumably make my system usrmerge-compliant, at least with respect to sshd.
> This is how you are supposed to do the changes in the first place ;)
> The ideal system-wide changes are in files in /etc/ssh/sshd_config.d/*.conf files, and not to have /etc/ssh/sshd_config.
> And yes, currently this doesn't allow you to prevent sending default language env to server.
> - Adam

Thank you for the clarification.

--
Bob Williams
No HTML please. Plain text preferred.
https://useplaintext.email/

On 8/17/22 08:56, Nicolas Kovacs wrote:
> To do this, I opened /etc/ssh/ssh_config and found the relevant stanza:
> SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
> SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
> SendEnv LC_IDENTIFICATION LC_ALL
> I simply commented this out and reloaded SSH:
> # systemctl reload sshd

First, you are confusing different things here. ssh_config is for the *client*, the /usr/bin/ssh binary used to connect to the server. The thing you restarted is the server sshd, which listens for ssh client connections. You don't need sshd running (and should not have it running) if you are not connecting to that machine.

Secondly, for client configuration, the best place is to edit them in ~/.ssh/config . The configuration read order is actually documented right at the top of the manpage for ssh client

    man ssh_config

(there is also manpage for sshd_config)

Finally, the configuration setup for SSH is a little strange -- first encountered configuration is the configuration used. Followup configuration encountered does *not* override what was seen before, which is a little counter-intuitive. But then there is SendEnv, which allows you to specify more than one thing on multiple lines which seems against the general setup of the configuration file. Due to this inconsistency, I was not able to override the system config file in this case, which is not good.

    ssh -v root@vs2
    OpenSSH_8.4p1, OpenSSL 1.1.1d 10 Sep 2019
    debug1: Reading configuration data /home/adamm/.ssh/config
    debug1: /home/adamm/.ssh/config line 1: Applying options for vs2
    debug1: /home/adamm/.ssh/config line 17: Applying options for *
    debug1: Reading configuration data /etc/ssh/ssh_config
    debug1: /etc/ssh/ssh_config line 20: Applying options for *
    ...
    debug1: Sending env LANG = en_US.UTF-8

So, I made a bug report for this that you can add yourself to, if you want.

https://bugzilla.suse.com/1202475

- Adam
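
A simplified model of the parsing behaviour described in the message above, added here as an illustration; it is not part of the original thread and not OpenSSH code. It assumes the rules documented in ssh_config(5): ordinary keywords keep the first value obtained, SendEnv directives accumulate, and a `-PATTERN` entry clears only names already listed. The file contents, the `effective_config` helper and the ServerAliveInterval values are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample files; the caller passes them in the order the client reads them.
USER_CONFIG = """\
# ~/.ssh/config (constructed)
ServerAliveInterval 30
SendEnv -LANG -LC_*
"""
SYSTEM_CONFIG = """\
# /etc/ssh/ssh_config (constructed; SendEnv stanza as quoted in the thread)
ServerAliveInterval 60
SendEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
SendEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
SendEnv LC_IDENTIFICATION LC_ALL
"""

def effective_config(texts):
    """Simplified model: global options only, no Host/Match blocks."""
    single = {}    # ordinary keywords: first value obtained wins
    send_env = []  # SendEnv: every directive adds to the list
    for text in texts:
        for raw in text.splitlines():
            line = raw.strip()
            if not line or line.startswith("#"):
                continue
            keyword, *args = line.split()
            if keyword.lower() != "sendenv":
                single.setdefault(keyword.lower(), " ".join(args))
                continue
            for pat in args:
                if pat.startswith("-"):
                    # "-PATTERN" clears only names that are already listed
                    send_env = [n for n in send_env
                                if not fnmatchcase(n, pat[1:])]
                elif pat not in send_env:
                    send_env.append(pat)
    return single, send_env

if __name__ == "__main__":
    # User file first, then system file: the usual read order.
    opts, sent = effective_config([USER_CONFIG, SYSTEM_CONFIG])
    print(opts["serveraliveinterval"], len(sent))
    # Same negation, but read after the stanza it is meant to clear.
    _, sent = effective_config([SYSTEM_CONFIG, USER_CONFIG])
    print(sent)
```

In the model, the user's ServerAliveInterval wins because it is read first, while the same read order leaves the user's SendEnv negation with nothing to clear before the system stanza adds its names.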