fix: switch SSH env forwarding from SetEnv to SendEnv, restrict AcceptEnv

SetEnv exposes secret values in process argv (visible via ps aux).
SendEnv only puts key names in argv — values are read from the process
environment by the SSH client.

Also restricts AcceptEnv from wildcard (*) to only the specific variable
names configured in env.forward, preventing arbitrary env injection by
other SSH clients connecting to the container.

Closes #8

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: deevus

cmd/root.go

@@ -3,6 +3,7 @@ package cmd
 import (
 	"fmt"
 	"os"
+	"sort"
 	"strconv"
 	"strings"
 
@@ -93,6 +94,14 @@ func sandboxConfig() map[string]string {
 	if len(cfg.Defaults.DNS) > 0 {
 		m["dns"] = strings.Join(cfg.Defaults.DNS, ",")
 	}
+	if len(cfg.EnvForward) > 0 {
+		keys := make([]string, 0, len(cfg.EnvForward))
+		for k := range cfg.EnvForward {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+		m["env_forward_keys"] = strings.Join(keys, ",")
+	}
 
 	// Backend-specific keys.
 	switch cfg.Backend {

internal/ssh/console_unix.go

@@ -17,5 +17,9 @@ func Console(cc ConnConfig, remoteCmd string) error {
 		return fmt.Errorf("ssh binary not found: %w", err)
 	}
 	args := append([]string{"ssh"}, consoleArgs(cc, remoteCmd)...)
-	return syscall.Exec(sshBin, args, os.Environ())
+	environ := os.Environ()
+	if len(cc.Env) > 0 {
+		environ = EnvWithOverrides(environ, cc.Env)
+	}
+	return syscall.Exec(sshBin, args, environ)
 }

internal/ssh/console_windows.go

@@ -19,5 +19,8 @@ func Console(cc ConnConfig, remoteCmd string) error {
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
+	if len(cc.Env) > 0 {
+		cmd.Env = EnvWithOverrides(os.Environ(), cc.Env)
+	}
 	return cmd.Run()
 }

internal/ssh/ssh.go

@@ -22,7 +22,7 @@ type ConnConfig struct {
 	Host           string
 	User           string
 	KeyPath        string
-	Env            map[string]string // optional, for SetEnv forwarding
+	Env            map[string]string // optional, for SendEnv forwarding
 	KnownHostsPath string            // path to known_hosts file for accept-new verification
 }
 
@@ -75,6 +75,7 @@ func Exec(ctx context.Context, cc ConnConfig, command []string) (int, error) {
 	cmd.Stdin = os.Stdin
 	cmd.Stdout = os.Stdout
 	cmd.Stderr = os.Stderr
+	applyEnv(cmd, cc)
 
 	if err := cmd.Run(); err != nil {
 		var exitErr *exec.ExitError
@@ -91,6 +92,7 @@ func Exec(ctx context.Context, cc ConnConfig, command []string) (int, error) {
 func ExecQuiet(ctx context.Context, cc ConnConfig, command []string) (int, error) {
 	args := append(Args(cc), command...)
 	cmd := exec.CommandContext(ctx, "ssh", args...)
+	applyEnv(cmd, cc)
 
 	if err := cmd.Run(); err != nil {
 		var exitErr *exec.ExitError
@@ -107,6 +109,7 @@ func Output(ctx context.Context, cc ConnConfig, command []string) ([]byte, error
 	args := append(Args(cc), command...)
 	cmd := exec.CommandContext(ctx, "ssh", args...)
 	cmd.Stderr = os.Stderr
+	applyEnv(cmd, cc)
 	return cmd.Output()
 }
 
@@ -115,6 +118,7 @@ func Output(ctx context.Context, cc ConnConfig, command []string) ([]byte, error
 func OutputQuiet(ctx context.Context, cc ConnConfig, command []string) ([]byte, error) {
 	args := append(Args(cc), command...)
 	cmd := exec.CommandContext(ctx, "ssh", args...)
+	applyEnv(cmd, cc)
 	return cmd.Output()
 }
 
@@ -123,9 +127,17 @@ func OutputQuiet(ctx context.Context, cc ConnConfig, command []string) ([]byte,
 func TestAuth(ctx context.Context, cc ConnConfig) error {
 	args := append(Args(cc), "true")
 	cmd := exec.CommandContext(ctx, "ssh", args...)
+	applyEnv(cmd, cc)
 	return cmd.Run()
 }
 
+// applyEnv sets cmd.Env if the ConnConfig has env vars to forward via SendEnv.
+func applyEnv(cmd *exec.Cmd, cc ConnConfig) {
+	if len(cc.Env) > 0 {
+		cmd.Env = EnvWithOverrides(os.Environ(), cc.Env)
+	}
+}
+
 // Args builds the SSH command-line arguments for the given connection config.
 // It is exported for use by callers that need to construct custom exec.Cmd
 // with non-standard Stdin/Stdout/Stderr (e.g. sandbox backends).
@@ -145,30 +157,44 @@ func Args(cc ConnConfig) []string {
 	}
 
 	// Forward env vars via SSH protocol (requires AcceptEnv on server).
-	// All vars must be in a single SetEnv directive (multiple -o SetEnv
-	// flags don't stack in OpenSSH — only the first takes effect).
+	// SendEnv tells the client to read values from its own process
+	// environment — only key names appear in argv, not secret values.
 	if len(cc.Env) > 0 {
 		keys := make([]string, 0, len(cc.Env))
 		for k := range cc.Env {
 			keys = append(keys, k)
 		}
 		sort.Strings(keys)
-
-		var setenv strings.Builder
-		setenv.WriteString("SetEnv=")
-		for i, k := range keys {
-			if i > 0 {
-				setenv.WriteByte(' ')
-			}
-			fmt.Fprintf(&setenv, "%s=%s", k, cc.Env[k])
-		}
-		args = append(args, "-o", setenv.String())
+		args = append(args, "-o", "SendEnv="+strings.Join(keys, " "))
 	}
 
 	args = append(args, cc.User+"@"+cc.Host)
 	return args
 }
 
+// EnvWithOverrides returns a copy of base with entries from overrides
+// added or replaced. Used to inject env vars into the SSH process
+// environment so that SendEnv can forward them.
+func EnvWithOverrides(base []string, overrides map[string]string) []string {
+	env := make([]string, len(base))
+	copy(env, base)
+	for k, v := range overrides {
+		prefix := k + "="
+		found := false
+		for i, e := range env {
+			if strings.HasPrefix(e, prefix) {
+				env[i] = prefix + v
+				found = true
+				break
+			}
+		}
+		if !found {
+			env = append(env, prefix+v)
+		}
+	}
+	return env
+}
+
 // RemoveKnownHost removes all entries for the given host from the known_hosts
 // file. This is used to clean up stale entries when containers are
 // created, destroyed, or restored from snapshots. It is a no-op if the

internal/ssh/ssh_test.go

@@ -2,6 +2,7 @@ package ssh
 
 import (
 	"os"
+	"slices"
 	"strings"
 	"testing"
 )
@@ -92,7 +93,7 @@ func TestSSHArgs(t *testing.T) {
 		}
 	})
 
-	t.Run("SetEnv with env vars", func(t *testing.T) {
+	t.Run("SendEnv with env vars", func(t *testing.T) {
 		cc := ConnConfig{
 			Host: "10.0.0.1",
 			User: "pixel",
@@ -103,24 +104,27 @@ func TestSSHArgs(t *testing.T) {
 		}
 		args := Args(cc)
 
-		// All vars should be in a single SetEnv directive (space-separated,
-		// sorted by key), preceded by -o. Multiple -o SetEnv flags don't
-		// stack in OpenSSH — only the first takes effect.
-		want := "SetEnv=API_KEY=sk-secret GITHUB_TOKEN=ghp_abc123"
+		// SendEnv should contain only key names (sorted), no values.
+		// Values are read from the process environment by the SSH client.
+		want := "SendEnv=API_KEY GITHUB_TOKEN"
 		var found bool
 		for i, a := range args {
-			if strings.HasPrefix(a, "SetEnv=") {
+			if strings.HasPrefix(a, "SendEnv=") {
 				if i == 0 || args[i-1] != "-o" {
-					t.Errorf("SetEnv arg %q not preceded by -o", a)
+					t.Errorf("SendEnv arg %q not preceded by -o", a)
 				}
 				if a != want {
-					t.Errorf("SetEnv = %q, want %q", a, want)
+					t.Errorf("SendEnv = %q, want %q", a, want)
 				}
 				found = true
 			}
+			// Ensure no SetEnv (secrets in argv).
+			if strings.HasPrefix(a, "SetEnv=") {
+				t.Errorf("unexpected SetEnv arg %q — should use SendEnv", a)
+			}
 		}
 		if !found {
-			t.Error("SetEnv not found in args")
+			t.Error("SendEnv not found in args")
 		}
 
 		// user@host should still be last.
@@ -129,20 +133,20 @@ func TestSSHArgs(t *testing.T) {
 		}
 	})
 
-	t.Run("nil env produces no SetEnv", func(t *testing.T) {
+	t.Run("nil env produces no SendEnv", func(t *testing.T) {
 		args := Args(ConnConfig{Host: "10.0.0.1", User: "pixel"})
 		for _, a := range args {
-			if strings.HasPrefix(a, "SetEnv=") {
-				t.Errorf("unexpected SetEnv arg %q with nil env", a)
+			if strings.HasPrefix(a, "SendEnv=") {
+				t.Errorf("unexpected SendEnv arg %q with nil env", a)
 			}
 		}
 	})
 
-	t.Run("empty env produces no SetEnv", func(t *testing.T) {
+	t.Run("empty env produces no SendEnv", func(t *testing.T) {
 		args := Args(ConnConfig{Host: "10.0.0.1", User: "pixel", Env: map[string]string{}})
 		for _, a := range args {
-			if strings.HasPrefix(a, "SetEnv=") {
-				t.Errorf("unexpected SetEnv arg %q with empty env", a)
+			if strings.HasPrefix(a, "SendEnv=") {
+				t.Errorf("unexpected SendEnv arg %q with empty env", a)
 			}
 		}
 	})
@@ -253,15 +257,18 @@ func TestConsoleArgs(t *testing.T) {
 		}
 		args := consoleArgs(cc, "zmx attach build")
 
-		// Verify SetEnv is present.
-		var foundSetEnv bool
+		// Verify SendEnv is present (not SetEnv).
+		var foundSendEnv bool
 		for _, a := range args {
+			if strings.HasPrefix(a, "SendEnv=") {
+				foundSendEnv = true
+			}
 			if strings.HasPrefix(a, "SetEnv=") {
-				foundSetEnv = true
+				t.Errorf("unexpected SetEnv arg %q — should use SendEnv", a)
 			}
 		}
-		if !foundSetEnv {
-			t.Error("SetEnv not found in args")
+		if !foundSendEnv {
+			t.Error("SendEnv not found in args")
 		}
 
 		// Verify -t and command at end.
@@ -277,3 +284,48 @@ func TestConsoleArgs(t *testing.T) {
 		}
 	})
 }
+
+func TestEnvWithOverrides(t *testing.T) {
+	base := []string{"HOME=/home/user", "PATH=/usr/bin", "EXISTING=old"}
+
+	t.Run("overrides existing and adds new", func(t *testing.T) {
+		result := EnvWithOverrides(base, map[string]string{
+			"EXISTING": "new",
+			"NEW_VAR":  "value",
+		})
+
+		var foundExisting, foundNew bool
+		for _, e := range result {
+			if e == "EXISTING=new" {
+				foundExisting = true
+			}
+			if e == "NEW_VAR=value" {
+				foundNew = true
+			}
+			if e == "EXISTING=old" {
+				t.Error("old value should be overridden")
+			}
+		}
+		if !foundExisting {
+			t.Error("EXISTING not overridden")
+		}
+		if !foundNew {
+			t.Error("NEW_VAR not added")
+		}
+	})
+
+	t.Run("does not mutate base", func(t *testing.T) {
+		orig := slices.Clone(base)
+		_ = EnvWithOverrides(base, map[string]string{"EXISTING": "new"})
+		if !slices.Equal(base, orig) {
+			t.Error("base slice was mutated")
+		}
+	})
+
+	t.Run("nil overrides returns copy", func(t *testing.T) {
+		result := EnvWithOverrides(base, nil)
+		if !slices.Equal(result, base) {
+			t.Errorf("result = %v, want %v", result, base)
+		}
+	})
+}

sandbox/incus/backend.go

@@ -166,7 +166,7 @@ func (i *Incus) provisionInstance(ctx context.Context, full string) error {
 	i.mkdir(full, "/home/pixel", 0o755)
 	i.mkdir(full, "/home/pixel/.ssh", 0o700)
 	i.mkdir(full, "/etc/systemd/resolved.conf.d", 0o755)
-	i.mkdir(full, "/etc/ssh/sshd_config.d", 0o755)
+
 	i.mkdir(full, "/etc/profile.d", 0o755)
 	i.mkdir(full, "/etc/sudoers.d", 0o755)
 
@@ -181,11 +181,6 @@ func (i *Incus) provisionInstance(ctx context.Context, full string) error {
 		}
 	}
 
-	// sshd AcceptEnv config.
-	if err := i.pushFile(full, "/etc/ssh/sshd_config.d/pixels.conf", []byte("AcceptEnv *\n"), 0o644); err != nil {
-		return fmt.Errorf("writing sshd config: %w", err)
-	}
-
 	// Shell profile.
 	if err := i.pushFile(full, "/etc/profile.d/pixels.sh", []byte(scripts.PixelsProfile), 0o644); err != nil {
 		return fmt.Errorf("writing profile: %w", err)

sandbox/incus/config.go

@@ -38,8 +38,7 @@ type incusCfg struct {
 	allow     []string
 	dns       []string
 
-	env        map[string]string
-	envForward map[string]string
+	env map[string]string
 }
 
 // parseCfg extracts an incusCfg from a flat key-value map.

sandbox/truenas/backend.go

@@ -94,12 +94,13 @@ func (t *TrueNAS) Create(ctx context.Context, opts sandbox.CreateOpts) (*sandbox
 		steps := provision.Steps(t.cfg.egress, t.cfg.devtools)
 
 		provOpts := ProvisionOpts{
-			SSHPubKey:   pubKey,
-			DNS:         t.cfg.dns,
-			Env:         t.cfg.env,
-			DevTools:    t.cfg.devtools,
-			Egress:      t.cfg.egress,
-			EgressAllow: t.cfg.allow,
+			SSHPubKey:      pubKey,
+			DNS:            t.cfg.dns,
+			Env:            t.cfg.env,
+			EnvForwardKeys: t.cfg.envForwardKeys,
+			DevTools:       t.cfg.devtools,
+			Egress:         t.cfg.egress,
+			EgressAllow:    t.cfg.allow,
 		}
 		if len(steps) > 0 {
 			provOpts.ProvisionScript = provision.Script(steps)

sandbox/truenas/client.go

@@ -93,6 +93,7 @@ type ProvisionOpts struct {
 	SSHPubKey       string
 	DNS             []string          // nameservers (e.g. ["1.1.1.1", "8.8.8.8"])
 	Env             map[string]string // environment variables to inject into /etc/environment
+	EnvForwardKeys  []string          // env var names for sshd AcceptEnv restriction
 	DevTools        bool              // whether to install dev tools (mise, claude-code, codex, opencode)
 	Egress          string            // "unrestricted", "agent", or "allowlist"
 	EgressAllow     []string          // custom domains (merged into agent, standalone for allowlist)
@@ -137,15 +138,21 @@ func (c *Client) Provision(ctx context.Context, name string, opts ProvisionOpts)
 		logf("Wrote DNS config (%d nameservers)", len(opts.DNS))
 	}
 
-	// Configure sshd to accept forwarded env vars via SSH SetEnv.
+	// Configure sshd to accept only the specific forwarded env var names.
 	sshdDropin := rootfs + "/etc/ssh/sshd_config.d/pixels.conf"
+	var sshdContent string
+	if len(opts.EnvForwardKeys) > 0 {
+		sshdContent = "AcceptEnv " + strings.Join(opts.EnvForwardKeys, " ") + "\n"
+	} else {
+		sshdContent = "# No env forwarding configured\n"
+	}
 	if err := c.Filesystem.WriteFile(ctx, sshdDropin, truenas.WriteFileParams{
-		Content: []byte("AcceptEnv *\n"),
+		Content: []byte(sshdContent),
 		Mode:    0o644,
 	}); err != nil {
 		return fmt.Errorf("writing sshd drop-in: %w", err)
 	}
-	logf("Wrote sshd AcceptEnv config")
+	logf("Wrote sshd config")
 
 	// Shell alias for detaching zmx sessions.
 	if err := c.Filesystem.WriteFile(ctx, rootfs+"/etc/profile.d/pixels.sh", truenas.WriteFileParams{