ssh SendEnv does not work when used with -J (jump host)?

Question

Edit: The hint for restarting ssh after editing /etc/ssh/sshd_config solved my issue (sudo systemctl restart ssh.service on Ubuntu) but see the accepted answer for a lot more of useful troubleshooting.

Original:

I have a server which I connect to via a jump host:

export MY_ENV=myvalue
ssh -o StrictHostKeyChecking=yes -o SendEnv=MY_ENV -J <myuser@jumpHostIp> <myuser@hostIp>

Both the jump host and the host have in their /etc/ssh/sshd_config:

AcceptEnv MY_ENV

Both the jump host and the host have in their /home/myuser/.ssh/authorized_keys the ssh key limiting myuser to a deploy script:

command=/home/myuser/deploy.sh ...rest of public key...

Inside this deploy.sh I would like to use $MY_ENV, however it does not work.

Is using a jump host somehow dropping the value of MY_ENV transfered by SendEnv? If yes is this intended or how can I access the value of MY_ENV in deploy.sh on the host?

Answer 1

Edit: I refined the details regarded during our iteration process, partly dubbing some details already named in the question for better general use.

---

The man page of ssh states:

Note that configuration directives supplied on the command-line generally apply to the destination host and not any specified jump hosts. Use ~/.ssh/config to specify configuration for jump hosts.

So your final destination will receive the options added by -o. As the options are not touched by the jump host, it is not necessary to configure the jump host for the variables to pass to the destination host.

Config of sshd at the destination server

As a prerequisite the destination-host's sshd service has to be configured to accept the environment variable. Wildcards are allowed:

File: /etc/ssh/sshd_config

AcceptEnv MY_*

After a change of the sshd_config the sshd has to be restarted to read the updated configuration.
(the solution for this question ...)

systemctl restart sshd

The current connection will persist, when restarting the sshd (at least when using "openssh-server"

Pitfall in authorized_keys

To limit the key-usage at the destination system, an option can be added to the authorization.

File: authorized_keys with limitation to a command

The whole PublicKey-Authentication will fail, when omitting the " quotations enclosing the value of the command option:

command=/home/user/deploy.sh ssh-rsa AAAAB3NzaC1yc2EAA...

# DEBUG response of sshd:
debug1: /home/user/.ssh/authorized_keys:1: bad key options: missing start quote

Depending on the settings in sshd_config a fallback to password based authentication, respectively a Permission denied (publickey). will follow.

The " quotations are required, even if there is no white space in the command:

command="/home/user/deploy.sh" ssh-rsa AAAAB3NzaC1yc2EAA...

Details for the client's command

Note: Besides the command-line options these details can be configured at the client user's ~/.ssh/config.

To pass the desired variable as option at the command-line two variants are possible as syntax:

-o SendEnv=MY_ENV
-o "SendEnv MY_ENV"

Please do not forget the " quotes.

Essential for the availbility of the variable is not only to set it, you have to export it:

This will fail:

MY_ENV="Value"
echo $MY_ENV
Value

... despite the fact that the variable shows up in the current shell.

Required:

export MY_ENV="Value"