How to Configure SSH Environment Variables Using PermitUserEnvironment in sshd_config



When working with SSH connections between Linux machines, you might need to pass specific environment variables to remote sessions. The PermitUserEnvironment option in sshd_config controls this behavior, but proper configuration requires several precise steps.

Here's the complete, correct procedure to set up environment variables through SSH:

# On the server (client2 in your case):
# 1. Edit sshd_config
sudo vim /etc/ssh/sshd_config
# Add or modify this line:
PermitUserEnvironment yes

# 2. Create the environment file (note correct path)
# Run these as the connecting user, without sudo, so ~/.ssh stays owned by that user
mkdir -p ~/.ssh
echo "Hi=Hello" > ~/.ssh/environment

# 3. Set correct permissions
chmod 600 ~/.ssh/environment
chmod 700 ~/.ssh

# 4. Restart SSH service (the unit is named ssh on Debian/Ubuntu)
sudo systemctl restart sshd

If the variable still doesn't appear, check these aspects:

# Verify that the variable is set in the remote session
ssh -T root@client2 env | grep Hi

# Check SELinux status (if enabled)
getenforce

# Confirm the environment file location:
# It must be in ~/.ssh/environment for the connecting user

For more complex scenarios, consider these approaches:

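# Global environment variables (affects all users)
# Create /etc/environment with your variables
# (this file is normally read by pam_env, so sshd needs UsePAM enabled)
# Then in sshd_config:
PermitUserEnvironment yes
# AcceptEnv lists the variables a client is allowed to send (ssh -o SendEnv=...)
AcceptEnv Hi OTHER_VAR

# User-specific variables
# Create ~/.ssh/environment with:
Hi=Hello
# Values are taken literally: sshd does not expand $PATH here,
# so write the full search path (the base directories below are an example)
PATH=/usr/local/bin:/usr/bin:/bin:/custom/path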

Note that enabling PermitUserEnvironment has security implications:

  • Environment variables can potentially leak sensitive information
  • Malicious users could set harmful variables
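  • Consider restricting with Match blocks in sshd_config

# Example of restricted configuration:
# Run "sudo sshd -t" before restarting; it reports any directive that the
# installed OpenSSH does not allow inside a Match block
# (sshd_config(5) lists the keywords permitted there)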
Match User trusteduser
    PermitUserEnvironment yes
Match all
    PermitUserEnvironment no

When administering Linux systems, you might need to pass specific environment variables through SSH connections. By default, most environment variables are not passed to the remote session; what is accepted is restricted in sshd_config for security reasons.

The PermitUserEnvironment option in /etc/ssh/sshd_config controls whether users can specify environment variables for their SSH sessions. By default, this is set to no for security reasons.

Here's how to properly configure it:

# 1. Edit sshd_config
sudo vi /etc/ssh/sshd_config
# Add or modify:
PermitUserEnvironment yes

# 2. Create environment file
mkdir -p ~/.ssh
echo "MY_VAR=my_value" >> ~/.ssh/environment

# 3. Set correct permissions
chmod 600 ~/.ssh/environment
chmod 700 ~/.ssh

# 4. Restart SSH service (the unit is named ssh on Debian/Ubuntu)
sudo systemctl restart sshd

For system-wide variables or when you can't modify user home directories:

# Global environment file
sudo vi /etc/environment
# Add your variables:
GLOBAL_VAR=global_value

# Or force through SSH command:
ssh user@host "export MY_VAR=value && env"

If the variable does not appear:

  • Verify SSH configuration with sudo sshd -T | grep environ
  • Check logs with journalctl -u sshd or /var/log/auth.log
  • Ensure SELinux isn't blocking file access: restorecon -Rv ~/.ssh

While useful, PermitUserEnvironment can expose sensitive information. Best practices include:

  • Restrict to specific users with Match User blocks
  • Set strict file permissions (600 for environment files)
  • Consider using AcceptEnv for specific variables instead
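
The security notes above warn that users could set harmful variables; the sshd_config(5) man page names LD_PRELOAD as one way this option can be used to bypass access restrictions. The audit script below is an added example, not part of the original article: the list of risky names and the sample file are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: audit a file in ~/.ssh/environment format (NAME=value lines).
# The list of risky names below is an assumption, chosen for illustration only.

# Prints one finding per line; returns 0 if the file is clean, 1 otherwise.
audit_env_file() {
    file=$1
    findings=0
    # The procedure above sets mode 600; compare the permission string.
    perms=$(ls -ld "$file" | cut -c1-10)
    if [ "$perms" != "-rw-------" ]; then
        printf 'MODE: %s is %s, expected -rw-------\n' "$file" "$perms"
        findings=1
    fi
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line#"${line%%[![:space:]]*}"}   # drop leading whitespace
        case $line in
            ''|'#'*) continue ;;                # blank line or comment
            *=*) ;;                             # NAME=value, checked below
            *) printf 'SYNTAX: not NAME=value: %s\n' "$line"
               findings=1; continue ;;
        esac
        name=${line%%=*}
        value=${line#*=}
        case $name in                           # names that change what gets loaded or run
            LD_*|PATH|BASH_ENV|ENV|IFS|PYTHONPATH|PERL5LIB)
                printf 'RISKY: %s can change what code the session runs\n' "$name"
                findings=1 ;;
        esac
        case $value in                          # the value is used as-is, never expanded
            *'$'*) printf 'LITERAL: %s contains "$", which is not expanded\n' "$name"
                   findings=1 ;;
        esac
    done < "$file"
    return "$findings"
}

# Constructed sample input (not from a real host).
sample=$(mktemp)
printf '%s\n' '# demo' 'Hi=Hello' 'LD_PRELOAD=/opt/example/hook.so' \
    'PATH=$PATH:/custom/path' > "$sample"
chmod 644 "$sample"
audit_env_file "$sample" || echo "findings reported for $sample"
rm -f "$sample"
```

Run it against each user's ~/.ssh/environment once the option is enabled. Per sshd_config(5), PermitUserEnvironment also accepts a pattern list of variable names in place of yes, which narrows what such a file can set.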