Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"
On Tue, 31 Jan 2023 10:52:54 +0000 Colin Watson <cjwatson@debian.org> wrote:
> There's now
> https://salsa.debian.org/ssh-team/openssh/-/merge_requests/21 for this,
> but as noted there I have documentation concerns about simply removing
> this. Copying my comments from there:
> At a bare minimum, this needs an entry in debian/NEWS. But I'd go
> further: I think this should be documented in Debian's release notes
> (repository at https://salsa.debian.org/ddp-team/release-notes) for a
> release before we make this change. That won't inform everyone, but
> it should reduce the number of people caught unawares by this. Any
> other practical ideas for informing affected users would be welcome.
>
Was there an update on this bug against release-notes: the MR against openssh at
https://salsa.debian.org/ssh-team/openssh/-/merge_requests/21/diffs
doesn't seem to be merged - has this been parked?
Based on the text in that MR, but if I used this feature I would
want to know:
- can this prevent me logging in? (e.g. if I am doing the upgrade over ssh)
- will it drop my ssh connection (release-notes does, IIRC, advise
upgrading inside tmux or screen)
- what do I do if I need the settings in pam-environment - can I add
them to ssh_config? (I assume re-enabling a
deprecated setting is not a good thing to recommend in release-notes)
(and should I do so before or after upgrading?)
The release notes could say something like:
<section>
<title>ssh no longer reads ~/.pam-environment</title>
<para>
The <sysitem role="package">ssh</sysitem> package, which allows
secure login to remote systems, no longer reads the user's
<filename>~/.pam_environment</filename> file by default.
See <link to openssh's NEWS.debian> for details.
If you used this feature, you should move variables set in
<filename>~/.pam_environment</filename> file to
<filename>~/.ssh/ssh_config</filename> before upgrading <!-- or your
connection might break when openssh-server is upgraded? -->.
</para>
</section>
(should there be something about the pam deprecation itself?)