I have a server that prints several environment variables after every ssh login, and I need to disable that printing. E.g.
server2:~ # ssh root@server1
This is the banner. It resides in /etc/banner
Password:
Environment:
USER=root
LOGNAME=root
HOME=/root
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/mail/root
SHELL=/bin/bash
SSH_CLIENT=192.168.0.3 57287 22
SSH_CONNECTION=192.168.0.3 57287 192.168.0.1 22
SSH_TTY=/dev/pts/3
TERM=xterm
server1:~ #
The printing of the variables is not done by the banner. I added a banner and see that its printout occurs before the password is entered, while the variables are printed after the password is entered. The sshd service is not running in debug mode, which I've confirmed from ps -aux | grep sshd.
server1:~ # ps aux | grep sshd
root 647 0.0 0.0 3844 340 ? Ss 16:33 0:00 monitord: sshd
root 648 0.0 0.0 53996 2568 ? S 16:33 0:01 /usr/sbin/sshd -D
root 650 0.0 0.0 3844 336 ? Ss 16:33 0:00 monitord: sshd_internal
root 651 0.0 0.0 53996 2544 ? S 16:33 0:00 /usr/sbin/sshd -D -f /etc/ssh/sshd_config_internal
There are no /root/.ssh/ files that would do this:
server1:~ # ls -a /root/.ssh
. .. authorized_keys id_rsa id_rsa.pub known_hosts
And I haven't found anything in the /etc/ssh/sshd_config file that I would expect could impact this. I was able to disable the "Last login" information which appears immediately before the variables by setting PrintLastLog to no, and I've also set PrintMotd to no. I've tried another sshd binary from a server which does not print the variables, and that binary also prints the variables. So I know it's not the sshd binary itself, but some configuration on the server. I'm just at a loss for what else could be printing those variables.
And if it helps, when I run a command directly from ssh from another node, the printout of the command occurs after the variables. E.g.
server2:~ # ssh server1 ls
This is a test. I reside in /root/testBanner
Password:
Environment:
USER=root
LOGNAME=root
HOME=/root
PATH=/usr/bin:/bin:/usr/sbin:/sbin
MAIL=/var/mail/root
SHELL=/bin/bash
SSH_CLIENT=192.168.0.3 57335 8022
SSH_CONNECTION=192.168.0.3 57335 192.168.0.1 8022
file1
file2 <---- output of ssh command "ls" occurs after variables
file3
server2:~ #
I've even tried creating a new user with no ~/.bashrc, ~/.profile, etc. configuration files, and when ssh'ing as that user, it also displays the variables.
Also, I'm running SUSE 11:
server1:~ # cat /etc/SuSE-release
SUSE Linux Enterprise Server 11 (x86_64)
VERSION = 11
PATCHLEVEL = 1
The version of SSHD:
OpenSSH_5.1p1, OpenSSL 0.9.8j-fips 07 Jan 2009
Here is the init script:
# cat /etc/init.d/sshd
#!/bin/bash
#
# /etc/init.d/lde-sshd: start/stop ssh daemon
#
### BEGIN INIT INFO
# Provides: sshd
# Required-Start: $network $syslog
# Required-Stop: $network $syslog
# Should-Start: lde
# Default-Start: 3
# Default-Stop:
# Description: Secure shell deamon
### END INIT INFO
. /usr/lib/lde/lde.functions
check_node_type control payload detached standalone
lde_init_status_init lde-sshd
ADDITIONAL=$(
    cd /etc/ssh/
    shopt -s nullglob
    for i in sshd_config_*; do
        echo ${i#sshd_config_};
    done
)
case $1 in
    start)
        echo -n "Starting SSH daemon "
        if ! /usr/bin/monitord -n sshd -c "/usr/sbin/sshd -D"; then
            panic "Failed to start SSH daemon"
        fi
        lde_init_status_start $?
        for i in $ADDITIONAL; do
            echo -n "Starting $i SSH daemon "
            if ! /usr/bin/monitord -n sshd_$i -c "/usr/sbin/sshd -D -f /etc/ssh/sshd_config_$i"; then
                panic "Failed to start $i SSH daemon"
            fi
            lde_init_status_start $?
        done
        ;;
    stop)
        echo -n "Stopping SSH daemon "
        /usr/bin/monitord -n sshd -k
        lde_init_status_stop $?
        for i in $ADDITIONAL; do
            echo -n "Stopping $i SSH daemon "
            /usr/bin/monitord -n sshd_$i -k
            lde_init_status_stop $?
        done
        ;;
    restart)
        $0 stop
        $0 start
        lde_init_status_silent $?
        ;;
    status)
        echo -n "Checking SSH daemon "
        lde_init_srv_status_check /usr/bin/monitord -n sshd -s
        for i in $ADDITIONAL; do
            echo -n "Checking $i SSH daemon "
            lde_init_srv_status_check /usr/bin/monitord -n sshd_$i -s
        done
        ;;
    *)
        echo "usage: $0 [start|stop|restart|status]"
        lde_init_error_unknown_option
        ;;
esac
lde_init_status_report
# End of file
As commented below, I discovered the issue is with apparmor using the same variable (debug_flag) and setting sshd's debug_flag to 1 when it sets its own debug_flag to 1. I don't know how the two programs can be using the same variable/address space, but I stepped through the code with gdb and see that apparmor and sshd were using the same address for their debug_flags. Perhaps this issue was already resolved in later versions of apparmor or sshd.
This means the server is running in debug mode. Have a look at the init script or systemd units, or whatever your SUSE is using, and remove the -d options.
The service should start with these options (from Fedora):
/usr/sbin/sshd -D $OPTIONS
Also check how your $OPTIONS, or any other environment variable appended to the command line, is defined.
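
The check suggested in the answer above, as an added example that is not part of the original posts: a shell function (hypothetical name `sshd_debug_level`) that counts `-d` flags in an sshd command line while ignoring `-D` and option arguments. The sample command lines are constructed, and because it only inspects command lines it would not detect a debug flag set inside the running process, as the asker's edit describes.

```shell
#!/bin/sh
# Count sshd debug (-d) flags in a command line, without confusing them
# with -D (do not detach) or with option arguments such as "-f /etc/ssh/-d".
# Option letters are from sshd(8); -b and -k exist only in older releases.
sshd_debug_level() {
    set -f                  # no globbing while word-splitting
    set -- $1               # split the command line on whitespace
    set +f
    # Drop everything up to and including the sshd binary itself.
    while [ $# -gt 0 ]; do
        case ${1##*/} in sshd) shift; break ;; esac
        shift
    done
    level=0
    while [ $# -gt 0 ]; do
        arg=$1; shift
        case $arg in
            --) break ;;
            -?*) cluster=${arg#-} ;;
            *) continue ;;
        esac
        while [ -n "$cluster" ]; do
            rest=${cluster#?}
            opt=${cluster%"$rest"}      # first letter of the cluster
            cluster=$rest
            case $opt in
                d) level=$((level + 1)) ;;
                [bCcEfghkopu])
                    # Takes an argument: the rest of this word, else the next word.
                    if [ -z "$cluster" ] && [ $# -gt 0 ]; then shift; fi
                    cluster= ;;
            esac
        done
    done
    echo "$level"
}

# Constructed sample: command column of ps, modeled on the question's output.
while IFS= read -r line; do
    printf '%s  debug=%s\n' "$line" "$(sshd_debug_level "$line")"
done <<'EOF'
/usr/sbin/sshd -D
/usr/sbin/sshd -D -f /etc/ssh/sshd_config_internal
/usr/sbin/sshd -Dddd -f /etc/ssh/sshd_config_d
EOF
```

A result of 0 for every running sshd, as with the two command lines in the question, means the debug output is not coming from a command-line flag.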