In openSUSE Tumbleweed, the default SSH configuration includes SendEnv lines that pass your locale settings to the remote host. This caused problems with my IRC client, completely breaking scandic characters.
Since the SSH config file under /usr/etc/ssh/ shouldn’t be edited, what is the best way to exclude SendEnv from my SSH settings?
I copied the ssh_config file from /usr/etc/ssh/ to /etc/ssh/ssh_config.d/, commented out the SendEnv lines and renamed the file to NoSendEnv.conf. I also had to remove the lines that tell the config to include /etc/ssh/ssh_config.d/ and /etc/ssh/sshd_config.d/, otherwise I got an error because of the recursion (the file telling it to include itself).
You can pass options on the ssh command-line using -o, or you could do host-specific settings using a setting in ~/.ssh/config if it’s just a specific host.
But for a system-wide setting, copying the config from the /usr/etc/ssh to /etc/ssh seems good, or you could just add a file to /etc/ssh/sshd_config.d - it’s my understanding that that should work.
Here’s a page that talks about how the change for /usr/etc was designed.
I would prefer to not use SendEnv for any hosts I connect to, so a config file under my home directory is not necessary.
I was wondering if there is a minimalist/elegant way to tell the default config to just ignore the SendEnv lines? Copying the entire config file to another location and then altering it feels redundant, although if it works, it works.
@hyperdolphins You don’t need the whole file, just the env settings you want to override from the default. This file resides in the relevant .d directory.
Yes, I understand the principle. But I would like to disable the default SendEnv completely. So instead of copying the entire default config to ssh_config.d and commenting out the SendEnv lines, is there another way to reach the same result?
Unfortunately I do not have admin privileges on the host machine so I can’t prevent it from accepting environment variables through SSH.
Thanks for the tip. I noticed that after this the manual states
The default is not to send any environment variables.
But since SendEnv is included in /usr/etc/ssh/ssh_config, which is the openSUSE default, is there a way to revert to the actual stated default behavior using a config file in /etc/ssh/ssh_config.d/?
Other than copying over the entire config and commenting out the SendEnv lines.
Or did you mean that sending the - prefixed entries would be a workaround for this?
I feel like I may be asking dumb questions, but that’s the way to learn.
I created a file /etc/ssh/ssh_config.d/10-ssh-ClearSendEnv.conf which consists of just
SendEnv -*
Then I did sudo systemctl restart sshd
The host machine still ended up with my system locale that’s using different languages for different things and this completely breaks the character coding in irssi.
Yes, SendEnv in /usr/etc/ssh/ssh_config comes after Include, so anything you create in /etc/ssh/ssh_config.d comes before these directives and so cannot clear them. For the same reason it cannot be cleared in the user ssh_config (which is processed before the system-wide file).
At this point your only solution is to override /usr/etc/ssh/ssh_config with /etc/ssh/ssh_config. You can also use ssh -F config_file which will ignore any user and system defaults.
I do not see how it can be solved in general. The semantics of OpenSSH configuration files are rather weird. In most cases the first directive wins (so overrides go first), but some options are cumulative.
Also OpenSSH does not support the usual rule “files in /etc override files with the same name in /usr/etc” - everything is read literally.
A partial workaround is moving the SendEnv directive before Include /etc/ssh/ssh_config.d/*.conf. This should at least allow overriding it locally (still not for individual users though).
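An added example, not part of any post in this thread: a small Python model of the ordering described above, where SendEnv is cumulative and a "-pattern" entry only clears names collected before it. The file contents and environment are constructed stand-ins, not the actual openSUSE defaults, and the function names are hypothetical.

```python
from fnmatch import fnmatchcase

def expand(main_file, dropins):
    """Inline the drop-in lines at the position of the Include directive."""
    out = []
    for line in main_file:
        if line.split()[:1] and line.split()[0].lower() == "include":
            out.extend(dropins)
        else:
            out.append(line)
    return out

def effective_sendenv(directives):
    """Apply SendEnv directives in the order ssh reads them."""
    patterns = []
    for line in directives:
        words = line.split()
        if not words or words[0].lower() != "sendenv":
            continue
        for arg in words[1:]:
            if arg.startswith("-"):
                # A "-pattern" removes only entries that are already set.
                patterns = [p for p in patterns if not fnmatchcase(p, arg[1:])]
            else:
                patterns.append(arg)
    return patterns

def variables_sent(patterns, environ):
    """Names from environ that match any remaining SendEnv pattern."""
    return sorted(n for n in environ if any(fnmatchcase(n, p) for p in patterns))

# Constructed sample data (assumptions, not copied from a real system).
DROPIN = ["SendEnv -*"]                      # /etc/ssh/ssh_config.d/*.conf
SHIPPED = ["Include /etc/ssh/ssh_config.d/*.conf", "SendEnv LANG LC_*"]
REORDERED = ["SendEnv LANG LC_*", "Include /etc/ssh/ssh_config.d/*.conf"]
USER_THEN_SYSTEM = ["SendEnv -*"] + expand(SHIPPED, [])  # ~/.ssh/config first
ENV = {"LANG": "fi_FI.UTF-8", "LC_TIME": "en_GB.UTF-8", "HOME": "/home/user"}

def demo():
    """Return the variables sent for each ordering."""
    return {
        "shipped": variables_sent(effective_sendenv(expand(SHIPPED, DROPIN)), ENV),
        "reordered": variables_sent(effective_sendenv(expand(REORDERED, DROPIN)), ENV),
        "user": variables_sent(effective_sendenv(USER_THEN_SYSTEM), ENV),
    }

if __name__ == "__main__":
    for name, sent in demo().items():
        print(name, sent)
```

On a real system, ssh -G followed by a host name prints the effective client configuration, including the remaining sendenv entries, without connecting.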
Thanks. Creating a copy of /usr/etc/ssh/ssh_config to /etc/ssh/ssh_config and then commenting out the SendEnv lines in the copied file seems to work.
In my first post I was asking if there’s a more elegant solution but it seems copying the entire config file is the only way, since no matter what I tried to put in /etc/ssh/ssh_config.d/foo.conf or ~/.ssh/config it would always get overridden by SendEnv in /usr/etc/ssh/ssh_config.
I checked with ssh -v and each time after a successful login I saw SendEnv sending the environment variables.
My experience is that there are basically two ways the handling of “installed config” vs. “overruling system managers config” is done:
1. first reading the “installed config” and then using the statements from the “overruling config” (if existing) one by one to overwrite the already read values;
2. checking if an “overruling config” exists and then taking that instead of the “installed config”.
As I see it people here advised on thinking that method #1 is used by SSH and your experience points to #2 being used in reality.
Always confusing.
Yet it is what happened yesterday after running zypper dup.
I’ll file a bug report and see where things go from there.
I’m sorry, I misinterpreted you because I thought that /usr/etc/ssh/ssh_config resetting was intended behavior, or that it should not be touched. The file itself says not to touch it:
# Don't edit this configuration file itself if possible to avoid update
# problems.
Oh, you talk about /usr/etc/ssh/ssh_config. I never suggested editing it. I suggested opening a bug report so the OpenSSH maintainers could release a new package version with the proposed changes (or any other changes they consider appropriate).