Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"

To: Richard Lewis <richard.lewis.debian@googlemail.com>, 1030119@bugs.debian.org
Subject: Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"
From: Colin Watson <cjwatson@debian.org>
Date: Thu, 23 May 2024 19:15:06 +0100
Message-id: <[🔎] Zk-HqrKOjszdf2wF@riva.ucam.org>
Reply-to: Colin Watson <cjwatson@debian.org>, 1030119@bugs.debian.org
In-reply-to: <CAJ3BuoQa_SfhLkxrqEOP+bHjA1=recuerdTYqhBpYWso-_=24g@mail.gmail.com>
References: <E1oSBJL-001CjL-2q@tucano.isti.cnr.it> <CAJ3BuoQa_SfhLkxrqEOP+bHjA1=recuerdTYqhBpYWso-_=24g@mail.gmail.com> <E1oSBJL-001CjL-2q@tucano.isti.cnr.it>

Control: tag -1 patch

On Mon, May 01, 2023 at 03:57:38PM +0100, Richard Lewis wrote:
> Was there an update on this bug against release-notes: the MR against openssh at
> https://salsa.debian.org/ssh-team/openssh/-/merge_requests/21/diffs
> doesnt seem to be merged - has this been parked?

After some of the more recent discussion, I'm persuaded that I should
move up the timeline I proposed, and remove this and document the
removal in the release notes of the same Debian release.

> Based on the text in that MR , but if I i used this feature i would
> want to know:
> - can this prevent me logging in? (eg if i am doing the upgrade over ssh)
> - will it drop my ssh connection (release-notes does iirc advise
> upgrading inside tmux or screen)
> - what do i do if i need the settings in pam-envionment - can i add
> them to ssh_config? (I assume re-enabling a
>  deprecated setting is not a good thing to recommend in release-notes)
> (and should i do so before or after upgrading?)
> 
> 
> The release notes could say something like:
> 
> <section>
> <title>ssh no longer reads ~/.pam-environment</title>
> <para>
>   The <sysitem role="package">ssh</sysitem> package, which allows
> secure login to remote systems, no longer reads the user's
> <filename>~/.pam_environment</filename> file by default.
>   See <link to openssh's NEWS.debian> for details.
>   If you used this feature, you should move variables set in
> <filename>~/.pam_environment</filename> file to
> <filename>~/.ssh/ssh_config</filename> before upgrading <!-- or your
> connection might break when openssh-server is upgraded? -->.
> </para>
> </section>
> 
> (should there be something about the pam deprecation itself?)

Thanks for this.  I've adapted these notes into
https://salsa.debian.org/ddp-team/release-notes/-/merge_requests/204.
(They weren't quite right in some areas: any changes have to be made on
the server, not the client, and the only non-root-accessible sshd
configuration options that are relevant to this such as
~/.ssh/environment are disabled by default, so I just resorted to
suggesting that people move settings to their shell initialization files
instead.  It isn't perfect, but I think it's OK to assume that people
who've gone to the effort of setting this can figure something out given
the hint.)

-- 
Colin Watson (he/him)                              [cjwatson@debian.org]

Reply to:

Prev by Date: Processed: Re: Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"
Next by Date: Processed: retitle 1070482
Previous by thread: Bug#1071506: release-notes: wireplumber NEWS mentions "no automatic conversion"
Next by thread: Processed: Re: Bug#1030119: Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"
Index(es):
- Date
- Thread