Bug#601864: openssh-server: Environment variable defaults in PAM act as overrides

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#601864: openssh-server: Environment variable defaults in PAM act as overrides
From: Martin Mares <mj@ucw.cz>
Date: Sat, 30 Oct 2010 14:02:08 +0200
Message-id: <20101030120208.5100.47567.reportbug@albireo.ucw.cz>
Reply-to: Martin Mares <mj@ucw.cz>, 601864@bugs.debian.org

Package: openssh-server
Version: 1:5.1p1-5
Severity: normal

When I configure PAM (in /etc/security/pam_env.conf) to supply a default value
for an environment variable that can be passed through a SSH connection, the
default always overrides the client's value.

Test case:

	Clear /etc/default/locale
	Append to /etc/security/pam_env.conf: LC_CTYPE DEFAULT="cs_CZ"
	Check that LC_* is listed in AcceptEnv in /etc/ssh/sshd_config
	Connect to the server from a client which has LC_CTYPE=cs_CZ.UTF8 set.

	I expect that the shell on the server will have the client's LC_CTYPE,
	but I got cs_CZ instead.

SSH passes the environment variable correctly (when I comment out the line
in pam_env.conf, LC_CTYPE is correct).

I suspect that the problem lies in interaction between sshd's environment
and PAM's environment. It is likely that sshd does not pass the connection's
environment to PAM env, so pam_env does not see the value supplied by the
client and sets it to the default, but SSH then blindly overwrites the
connection's environment by the PAM's values. [I haven't checked that in the
source, though.]

-- System Information:
Debian Release: 5.0.6
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (x86_64)

Kernel: Linux 2.6.33 (SMP w/4 CPU cores; PREEMPT)
Locale: LANG=C, LC_CTYPE=cs_CZ.ISO-8859-2 (charmap=ISO-8859-2)
Shell: /bin/sh linked to /bin/bash

Versions of packages openssh-server depends on:
ii  adduser         3.110                    add and remove users and groups
ii  debconf [debcon 1.5.24                   Debian configuration management sy
ii  dpkg            1.14.29+b1               Debian package management system
ii  libc6           2.7-18lenny4             GNU C Library: Shared libraries
ii  libcomerr2      1.41.3-1                 common error description library
ii  libkrb53        1.6.dfsg.4~beta1-5lenny4 MIT Kerberos runtime libraries
ii  libpam-modules  1.0.1-5+lenny1           Pluggable Authentication Modules f
ii  libpam-runtime  1.0.1-5+lenny1           Runtime support for the PAM librar
ii  libpam0g        1.0.1-5+lenny1           Pluggable Authentication Modules l
ii  libselinux1     2.0.65-5                 SELinux shared libraries
ii  libssl0.9.8     0.9.8g-15+lenny8         SSL shared libraries
ii  libwrap0        7.6.q-16                 Wietse Venema's TCP wrappers libra
ii  lsb-base        3.2-20                   Linux Standard Base 3.2 init scrip
ii  openssh-blackli 0.4.1                    list of default blacklisted OpenSS
ii  openssh-client  1:5.1p1-5                secure shell client, an rlogin/rsh
ii  procps          1:3.2.7-11               /proc file system utilities
ii  zlib1g          1:1.2.3.3.dfsg-12        compression library - runtime

Versions of packages openssh-server recommends:
pn  openssh-blacklist-extra       <none>     (no description available)
ii  xauth                         1:1.0.3-2  X authentication utility

Versions of packages openssh-server suggests:
pn  molly-guard                  <none>      (no description available)
pn  rssh                         <none>      (no description available)
ii  ssh-askpass                  1:1.2.4.1-7 under X, asks user for a passphras

-- debconf information:
  ssh/vulnerable_host_keys:
  ssh/new_config: true
* ssh/use_old_init_script: true
  ssh/encrypted_host_key_but_no_keygen:
* ssh/disable_cr_auth: false

Reply to:

Prev by Date: Bug#595014: X11Forwarding does not work when net.ipv6.conf.all.disable_ipv6 = 1
Previous by thread: Bug#595014: X11Forwarding does not work when net.ipv6.conf.all.disable_ipv6 = 1
Index(es):
- Date
- Thread