All Versions of Centrify Direct Control
When a user logins into a UNIX or Linux platform using a SSH client, the PATH environment variable is set. This article describes how the PATH variable is set by Centrify SSH daemon.
When the Centrify sshd login begins the PATH variable is empty. The sshd will not use the PATH value that is set in the initiating process.
Step 1) If 'UseLogin' is disabled (as is default) in sshd_config, then sshd will do these steps in sequence:
a) On Solaris, the Centrify SSH daemon will source the PATH from /etc/default/login. This is not applicable on other platforms.
b) If PATH is now empty, then Centrify sshd will insert the value of the 'DefEnvPATH' into the PATH
c) If PATH is now empty, then Centrify sshd will set PATH to the different hardcoded path values depending if the user is root or non-root.
for root the path becomes:
for a non-root user, the path becomes:
Step 2) Next if 'UsePam' is enabled (as default) in sshd_config, Centrify sshd will get the PATH value set previously by PAM:
a) PAM will setup PATH using pam_env.so. This step is platform specific. For example, on Ubuntu, the pam_env.so may read /etc/environment for the value. For the details on what pam_env.so does, please check pam_env manual page.
b) The PATH from PAM will overwrite the previously set PATH value
c) It is also possible that another module in the sshd pam stack may set PATH internally.
Step 3) Then if 'PermitUserEnvironment' is enabled (disabled as default) and 'UseLogin' is disabled in sshd_config, the Centrify sshd will get the PATH from $HOME/.ssh/environment. This PATH will overwrite the PATH previously setup.
Now the PATH is the one that is final for sshd and it is used to call the SHELL.
Step 4) There is one final modification. When the SHELL is running, it (the shell) may modify PATH according to its rc settings. Please see the system shell manual pages for details.
The final PATH that can be seen by the user in the shell is set by many different means including shell config, sshd config, user ssh-config, pam config, system config and the platform itself.