How do I forward environment variables using OpenSSH?

You can forward environment variables by using SendEnv in your SSH client's ~/.ssh/config and AcceptEnv in the server’s sshd_config. Ensure PermitUserEnvironment is enabled server-side.

What is the purpose of PermitUserEnvironment in sshd_config?

PermitUserEnvironment allows the SSH server to accept environment variables defined by the client, which are then available in the user's session after login.

Can I use SSH to pass custom API keys securely?

Yes, you can pass API keys or other sensitive variables using the SendEnv directive combined with specific AcceptEnv configuration on the server. Avoid using wildcards for security.

How can I debug if my SSH environment variables are forwarded?

After connecting, run the command 'env' or use 'echo $variablename' to verify if your custom variables are present in the session.

Is it safe to use AcceptEnv * on the server?

No, it is more secure to explicitly list only the environment variables you intend to accept. Using a wildcard can introduce unwanted or insecure variables.

HiddenSSH - Secure OpenSSH Hardening | SSH Client Environmental Variables

Setting Environment Variables in .ssh/config (Client-Side)

On the SSH client, environment variables are defined using SendEnv inside ~/.ssh/config:

                                          
Host remote-server
    SendEnv OPENAI_API_KEY DATABASE_URL

SendEnv → Specifies which environment variables should be sent to the SSH server.
OPENAI_API_KEY → Example of an API key variable used for OpenAI authentication.
DATABASE_URL → Example of a database connection string for web applications.

Alternatively, you can set and pass an environment variable inline when connecting:

                                          

OPENAI_API_KEY="sk-abcdef123" ssh user@remote-server

SSH Client Config Settings

Some settings to speed up the connection process

Host * means apply to all servers

$HOME/.ssh/config file settings, needs to be added.

                                                                         

Host *
  LogLevel QUIET
  PreferredAuthentications publickey
  PubkeyAcceptedKeyTypes ssh-ed25519
  CheckHostIP yes
  RekeyLimit 4G 1h
  PasswordAuthentication no
  MACs hmac-sha2-512-etm@openssh.com
  Ciphers aes256-gcm@openssh.com
  HostbasedAuthentication yes
  GSSAPIAuthentication no
  GSSAPIDelegateCredentials no

# - Private cloud 
# Setenv needs to be in 1 line, wont work otherwise
# to debug commands: env alternative echo $variable
#
host hiddenssh
  hostname hiddenssh.com
  user USERNAME
  port 22
  RequestTTY yes
  setenv hiddenssh="HiddenSSH v1" openaikey="0" oraclesecretkey="0" oracleauthtoken="0"

In order for the SSH client config environmental variables to work, it's necessary to set the sshd_config server-side to accept these variables and enable the PermitUserEnvironment yes setting in sshd_config.

                                              

PermitUserEnvironment yes

# Accept locale-related environment variables
# -------------------------------------------
AcceptEnv *

# Accept locale-related environment variables
# -------------------------------------------
AcceptEnv hiddenssh oepnaikey oraclesecretkey oracleauthtoken

It is a better security practice to only accept the environmental variables that you want to push to the remote server, instead of using a wildcard (*) which can pose a security risk.

You can check that everything is pushing up correctly just by logging in afterwards and running the command env, or alternatively, echo $hiddenssh.