Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"
Control: tag -1 patch
On Mon, May 01, 2023 at 03:57:38PM +0100, Richard Lewis wrote:
> Was there an update on this bug against release-notes: the MR against openssh at
> https://salsa.debian.org/ssh-team/openssh/-/merge_requests/21/diffs
> doesnt seem to be merged - has this been parked?
After some of the more recent discussion, I'm persuaded that I should
move up the timeline I proposed, and remove this and document the
removal in the release notes of the same Debian release.
> Based on the text in that MR , but if I i used this feature i would
> want to know:
> - can this prevent me logging in? (eg if i am doing the upgrade over ssh)
> - will it drop my ssh connection (release-notes does iirc advise
> upgrading inside tmux or screen)
> - what do i do if i need the settings in pam-envionment - can i add
> them to ssh_config? (I assume re-enabling a
> deprecated setting is not a good thing to recommend in release-notes)
> (and should i do so before or after upgrading?)
>
>
> The release notes could say something like:
>
> <section>
> <title>ssh no longer reads ~/.pam-environment</title>
> <para>
> The <sysitem role="package">ssh</sysitem> package, which allows
> secure login to remote systems, no longer reads the user's
> <filename>~/.pam_environment</filename> file by default.
> See <link to openssh's NEWS.debian> for details.
> If you used this feature, you should move variables set in
> <filename>~/.pam_environment</filename> file to
> <filename>~/.ssh/ssh_config</filename> before upgrading <!-- or your
> connection might break when openssh-server is upgraded? -->.
> </para>
> </section>
>
> (should there be something about the pam deprecation itself?)
Thanks for this. I've adapted these notes into
https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/204.
(They weren't quite right in some areas: any changes have to be made on
the server, not the client, and the only non-root-accessible sshd
configuration options that are relevant to this such as
~/.ssh/environment are disabled by default, so I just resorted to
suggesting that people move settings to their shell initialization files
instead. It isn't perfect, but I think it's OK to assume that people
who've gone to the effort of setting this can figure something out given
the hint.)
--
Colin Watson (he/him) [cjwatson@debian.org]
Reply to: