
Can I forward env variables over ssh?

Developer https://www.devze.com 2023-01-30 03:20 Source: Internet

I work with several different servers, and it would be useful to be able to set some environment variables such that they are active on all of them when I SSH in. The problem is, the contents of some of the variables contain sensitive information (hashed passwords), and so I don't want to leave it lying around in a .bashrc file -- I'd like to keep it only in memory.

I know that you can use SSH to forward the DISPLAY variable (via ForwardX11) or an SSH Agent process (via ForwardAgent), so I'm wondering if there's a way to automatically forward the contents of arbitrary environment variables across SSH connections. Ideally, something I could set in a .ssh/config file so that it would run automatically when I need it to. Any ideas?


You can, but it requires changing the server configuration.

Read the entries for AcceptEnv in sshd_config(5) and SendEnv in ssh_config(5).

update:

You can also pass them on the command line:

ssh foo@host "FOO=foo BAR=bar doz"

Regarding security, note that anybody with access to the remote machine will be able to see the environment variables passed to any running process.

If you want to keep that information secret it is better to pass it through stdin:

cat secret_info | ssh foo@host remote_program
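
The stdin approach from the answer above, as an added example that is not part of the original answer: the remote shell reads the secret from standard input into an unexported variable, so it never appears on the ssh command line or in a child process's environment. `send_secret` and `REMOTE_SNIPPET` are hypothetical names, a POSIX shell on the remote side is assumed, and a local `sh -c` stands in for `ssh foo@host` so the block runs offline.

```shell
#!/bin/sh
# Added example: hand a secret to a remote command on stdin, not argv/env.
# send_secret and REMOTE_SNIPPET are hypothetical names; a POSIX login
# shell on the remote side is assumed.

# Runs remotely. The first stdin line becomes an unexported shell variable,
# so child processes do not inherit it. It is measured here, never echoed.
# The last command counts SECRET= entries in the environment (expected: 0).
REMOTE_SNIPPET='unset SECRET; IFS= read -r SECRET
printf "got %s chars\n" "${#SECRET}"
env | grep -c "^SECRET=" || true'

# $1 = local file holding the secret; remaining args = transport command.
# Real use: send_secret ./secret_info ssh foo@host
send_secret() {
    secret_file=$1
    shift
    "$@" "$REMOTE_SNIPPET" < "$secret_file"
}

# Offline demo: a local "sh -c" stands in for "ssh foo@host".
demo_file=$(mktemp)
printf '%s\n' 'constructed-secret' > "$demo_file"   # constructed sample value
send_secret "$demo_file" sh -c
rm -f "$demo_file"
```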


You can't do it automatically (except for $DISPLAY which you can forward with -X along with your Xauth info so remote programs can actually connect to your display) but you can use a script with a "here document":

ssh ... <<EOF
export FOO="$FOO" BAR="$BAR" PATH="\$HOME/bin:\$PATH"
runRemoteCommand
EOF

The unescaped variables will be expanded locally and the result transmitted to the remote side. So the PATH will be set with the remote value of $HOME.

THIS IS A SECURITY RISK. Don't transmit sensitive information like passwords this way because anyone can see environment variables of every process on the same computer.


Something like:

ssh user@host bash -c "set -e; $(env); . thescript.sh"

...might work (untested)

Bit of a hack but if you cannot change the server config for some reason it might work.
