tailscale / tailscale

The easiest, most secure way to use WireGuard and 2FA.
https://tailscale.com
BSD 3-Clause "New" or "Revised" License

FR: Environment variables through SSH #9368

Open wiredfool opened 1 year ago

wiredfool commented 1 year ago

What are you trying to do?

I'm trying to set environment variables on the remote server.

In ~/.ssh/config (or for testing, using ssh -o SendEnv=GIT_COMMITTER_NAME server)

host *
    SendEnv GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME EDITOR

and a corresponding sshd_config of:

AcceptEnv LANG LC_* GIT_* EDITOR

Logging into the server using the host ssh daemon sets environment variables in the login shell as expected:

local $ printenv | grep GIT
GIT_COMMITTER_NAME=foo
local $ ssh -o SendEnv=GIT_COMMITTER_NAME server
...
server $ printenv | grep GIT
GIT_COMMITTER_NAME=foo

Doing the same via the tailscale ssh doesn't set the environment variables.

local $ ssh -o SendEnv=GIT_COMMITTER_NAME server.tsnet
...
server $ printenv | grep GIT
server $ 

How should we solve this?

Either document the way to set AcceptEnv for the tailscale ssh daemon, or set some way of doing it.

What is the impact of not solving this?

It's currently a speed bump in a rollout where there are destinations that need to have different git preferences, depending on which identity is logging into the server, using the users: [autogroup:noroot] acl.

The existing system currently works (system sshd), but has all of the drawbacks of not using tailscale ssh.

Anything else?

No response
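Added example, not part of the original issue and not Tailscale or OpenSSH code: a small Python check that computes which client variables survive both the `SendEnv` filter and the server's `AcceptEnv` patterns, using the two configs quoted above. The sample environment, function names, and the simplifications (no `Host`/`Match` scoping, no `-` negation in `SendEnv`) are assumptions of this sketch.

```python
import re

# Constructed inputs mirroring the configuration quoted in the issue.
SSH_CONFIG = """\
host *
    SendEnv GIT_COMMITTER_NAME GIT_COMMITTER_EMAIL GIT_AUTHOR_EMAIL GIT_AUTHOR_NAME EDITOR
"""
SSHD_CONFIG = "AcceptEnv LANG LC_* GIT_* EDITOR\n"
CLIENT_ENV = {"GIT_COMMITTER_NAME": "foo", "EDITOR": "vim", "HOME": "/home/u"}


def directive_args(config_text, keyword):
    """Collect the arguments of every occurrence of a keyword.

    Keywords are case-insensitive and may be repeated; 'Key=value' is
    accepted. Host/Match scoping is ignored (assumption of this sketch).
    """
    args = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.replace("=", " ", 1).split()
        if parts and parts[0].lower() == keyword.lower():
            args.extend(parts[1:])
    return args


def matches(pattern, name):
    """OpenSSH-style pattern: '*' matches any run, '?' one character."""
    rx = "".join(
        ".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern
    )
    return re.fullmatch(rx, name) is not None


def forwarded_env(ssh_config, sshd_config, client_env):
    """Return (accepted, dropped): variables set on the server, and
    variables the client offered that the server's accept list rejected."""
    send = directive_args(ssh_config, "SendEnv")
    accept = directive_args(sshd_config, "AcceptEnv")
    offered = {k: v for k, v in client_env.items()
               if any(matches(p, k) for p in send)}
    accepted = {k: v for k, v in offered.items()
                if any(matches(p, k) for p in accept)}
    return accepted, sorted(set(offered) - set(accepted))


if __name__ == "__main__":
    print(forwarded_env(SSH_CONFIG, SSHD_CONFIG, CLIENT_ENV))
    # A server with an empty accept list drops everything the client offers.
    print(forwarded_env(SSH_CONFIG, "", CLIENT_ENV))
```

Keeping the accept list to named prefixes such as `GIT_*` matters: the sshd_config manual warns that some environment variables can be used to bypass restricted user environments, so a broad `AcceptEnv *` should be avoided.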

elcajon commented 8 months ago

I ran into the same problem today. @wiredfool have you found a workaround to get it running via Tailscale?

reesericci commented 8 months ago

Running into this when trying to set up console1984, rails console audits, and want to pass through the real tailscale user accessing the system - since a rogue person could log in as any system user, not necessarily one that corresponds to the TS one.

ChrisHills463 commented 2 weeks ago

It looks like this was fixed in v1.76.0

https://tailscale.com/changelog#2024-10-10