On September 10, 2021 6:37 AM, Jochen Bern wrote:
>Jochen Bern wrote on Thu, Sep 09, 2021 at 08:28:27PM +0200:
>
>> What you could ask for *here* is that OpenSSH stops supporting SendEnv
>> / AcceptEnv altogether - but I have a hunch that you'll need a much
>> more convincing case to get *that* thermonuclear solution.
>
>I realize you may not be serious about this - but just in case someone thinks you are: that is hardly a solution, and much less a
>"thermonuclear" one, because some operating systems and operating system distributions have been known at various times in the past
>for patching features back in after said features had been removed from upstream software for security reasons.
>
>Besides, passing environment variables may occasionally be a useful feature in unusual situations for very experienced users who know
>what they are doing, especially in configuration stanzas where both the client host and the server host are tightly defined. Needless to
>say, passing LC_* is usually *not* useful because defining it statically on both sides is usually simpler and more robust. But
>*other* variables may be worth passing in special configurations.
>Passing variables by default, even for users who may have no idea what is happening and what the security implications are, and *for all
>hosts*, certainly doesn't look like a particularly smart idea to me personally.

There are some subsystems, like git, which pass critical environment variables to the SSH server environment that control its operation. Without those variables, git will be handcuffed. The thermonuclear option is not viable in the long-term. Locale is a different subject, I think.

-Randall
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
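
The distinction drawn in this thread, between SendEnv in a tightly defined host stanza and SendEnv applied by default to all hosts, can be checked mechanically on a client. The following is an added example, not code from the thread or from OpenSSH: the function name `audit_sendenv`, the sample configuration and its host name are constructed for illustration, and `Match` blocks other than `Match all` are assumed to be host-specific.

```python
import re

# Constructed sample client config (not from the thread): one tightly scoped
# stanza for a git server, and a wildcard stanza that forwards locale
# variables to every server the user connects to.
SAMPLE = """\
Host git.example.org
    SendEnv GIT_PROTOCOL
Host *
    SendEnv LANG LC_*
    SendEnv -LC_MESSAGES
"""

def audit_sendenv(text):
    """Return (lineno, scope, names) for each SendEnv that applies to all hosts."""
    findings = []
    # Directives before the first Host/Match line apply to every host.
    scope, wide = "(global)", True
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        # ssh_config accepts both "Keyword value" and "Keyword=value".
        m = re.match(r"(\w+)(?:\s*=\s*|\s+)(.*)", line)
        if not m:
            continue
        key, args = m.group(1).lower(), m.group(2).split()
        if key == "host":
            scope, wide = "Host " + " ".join(args), "*" in args
        elif key == "match":
            scope = "Match " + " ".join(args)
            wide = [a.lower() for a in args] == ["all"]
        elif key == "sendenv" and wide:
            # Names prefixed with "-" remove variables; they forward nothing.
            names = [a for a in args if not a.startswith("-")]
            if names:
                findings.append((lineno, scope, names))
    return findings

if __name__ == "__main__":
    for lineno, scope, names in audit_sendenv(SAMPLE):
        print(f"line {lineno}: {scope} forwards {' '.join(names)} to every server")
```

Whether a forwarded variable reaches the remote session still depends on the server's AcceptEnv setting, which this client-side check does not see.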