Bug#532754: marked as done (sshd should not setup MAIL environment variable)
Your message dated Mon, 08 Jul 2019 16:49:16 +0000
with message-id <E1hkWpIfirstname.lastname@example.org>
and subject line Bug#532754: fixed in openssh 1:8.0p1-3
has caused the Debian Bug report #532754,
regarding sshd should not setup MAIL environment variable
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact email@example.com
Debian Bug Tracking System
Contact firstname.lastname@example.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <email@example.com>
- Subject: sshd should not setup MAIL environment variable
- From: Alexander Gerasiov <firstname.lastname@example.org>
- Date: Thu, 11 Jun 2009 14:27:55 +0400
- Message-id: <email@example.com>
For now in session.c there is
child_set_env(&env, &envsize, "MAIL", buf);
That is not good, I believe, because it sets MAIL to some hardcoded value (/var/mail/<username>).
Sure, you could override it with pam_mail or pam_env. But I spent 10 minutes finding out what sets this variable.
Maybe it would be better not to set it from session.c, but to remove "noenv" from the pam_mail line in /etc/pam.d/ssh,
because pam_mail could export this variable itself.
It would be much clearer if the administrator had to specify this variable in the PAM configs, rather than
having it hardcoded somewhere.
To provide compatibility with old behavior, just remove "noenv" from pam_mail conf in pam.d/sshd and pam_mail will
set this variable to /var/mail/<username> itself.
-- System Information:
Debian Release: 5.0.1
APT prefers proposed-updates
APT policy: (670, 'proposed-updates'), (670, 'stable'), (620, 'testing-proposed-updates'), (620, 'testing'), (600, 'unstable'), (550, 'experimental')
Architecture: i386 (i686)
Kernel: Linux 2.6.26-2-openvz-686 (SMP w/1 CPU core)
Locale: LANG=ru_RU.UTF-8, LC_CTYPE=ru_RU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Versions of packages openssh-server depends on:
ii adduser 3.110 add and remove users and groups
ii debconf [debcon 1.5.24 Debian configuration management sy
ii dpkg 1.14.25 Debian package management system
ii libc6 2.7-18 GNU C Library: Shared libraries
ii libcomerr2 1.41.3-1 common error description library
ii libkrb53 1.6.dfsg.4~beta1-5lenny1 MIT Kerberos runtime libraries
ii libpam-modules 1.0.1-5+lenny1 Pluggable Authentication Modules f
ii libpam-runtime 1.0.1-5+lenny1 Runtime support for the PAM librar
ii libpam0g 1.0.1-5+lenny1 Pluggable Authentication Modules l
ii libselinux1 2.0.65-5 SELinux shared libraries
ii libssl0.9.8 0.9.8g-15+lenny1 SSL shared libraries
ii libwrap0 7.6.q-16 Wietse Venema's TCP wrappers libra
ii lsb-base 3.2-20 Linux Standard Base 3.2 init scrip
ii openssh-blackli 0.4.1 list of default blacklisted OpenSS
ii openssh-client 1:5.1p1-5 secure shell client, an rlogin/rsh
ii procps 1:3.2.7-11 /proc file system utilities
ii zlib1g 1:126.96.36.199.dfsg-12 compression library - runtime
Versions of packages openssh-server recommends:
ii openssh-blacklist-extra 0.4.1 list of non-default blacklisted Op
ii xauth 1:1.0.3-2 X authentication utility
Versions of packages openssh-server suggests:
pn molly-guard <none> (no description available)
pn rssh <none> (no description available)
pn ssh-askpass <none> (no description available)
-- debconf information:
* ssh/use_old_init_script: true
* ssh/disable_cr_auth: false
--- End Message ---
--- Begin Message ---
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to firstname.lastname@example.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
Colin Watson <email@example.com> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing firstname.lastname@example.org)
-----BEGIN PGP SIGNED MESSAGE-----
Date: Mon, 08 Jul 2019 17:19:37 +0100
Maintainer: Debian OpenSSH Maintainers <email@example.com>
Changed-By: Colin Watson <firstname.lastname@example.org>
Closes: 189920 374980 532754 927792
openssh (1:8.0p1-3) unstable; urgency=medium
* Upload to unstable.
openssh (1:8.0p1-2) experimental; urgency=medium
* Fix interop tests for recent regress changes.
openssh (1:8.0p1-1) experimental; urgency=medium
* New upstream release (https://www.openssh.com/txt/release-8.0, closes:
- ssh(1), ssh-agent(1), ssh-add(1): Add support for ECDSA keys in
PKCS#11 tokens (LP: #1665695).
- ssh(1), sshd(8): Add experimental quantum-computing resistant key
exchange method, based on a combination of Streamlined NTRU Prime
4591^761 and X25519.
- ssh-keygen(1): Increase the default RSA key size to 3072 bits,
following NIST Special Publication 800-57's guidance for a 128-bit
equivalent symmetric security level (LP: #1445625).
- ssh(1): Allow "PKCS11Provider=none" to override later instances of the
PKCS11Provider directive in ssh_config.
- sshd(8): Add a log message for situations where a connection is
dropped for attempting to run a command but a sshd_config
ForceCommand=internal-sftp restriction is in effect.
- ssh(1): When prompting whether to record a new host key, accept the
key fingerprint as a synonym for "yes". This allows the user to paste
a fingerprint obtained out of band at the prompt and have the client
do the comparison for you.
- ssh-keygen(1): When signing multiple certificates on a single
command-line invocation, allow automatically incrementing the
certificate serial number.
- scp(1), sftp(1): Accept -J option as an alias to ProxyJump on the scp
and sftp command-lines.
- ssh-agent(1), ssh-pkcs11-helper(8), ssh-add(1): Accept "-v"
command-line flags to increase the verbosity of output; pass verbose
flags through to subprocesses, such as ssh-pkcs11-helper started from
- ssh-add(1): Add a "-T" option to allow testing whether keys in an
agent are usable by performing a signature and a verification.
- sftp-server(8): Add a "email@example.com" protocol extension that
replicates the functionality of the existing SSH2_FXP_SETSTAT
operation but does not follow symlinks.
- sftp(1): Add "-h" flag to chown/chgrp/chmod commands to request they
do not follow symlinks.
- sshd(8): Expose $SSH_CONNECTION in the PAM environment. This makes
the connection 4-tuple available to PAM modules that wish to use it in
- sshd(8): Add a ssh_config "Match final" predicate. Matches in same
pass as "Match canonical" but doesn't require hostname
canonicalisation be enabled.
- sftp(1): Support a prefix of '@' to suppress echo of sftp batch
- ssh-keygen(1): When printing certificate contents using "ssh-keygen
-Lf /path/certificate", include the algorithm that the CA used to sign
- sshd(8): Fix authentication failures when sshd_config contains
"AuthenticationMethods any" inside a Match block that overrides a more
- sshd(8): Avoid sending duplicate keepalives when ClientAliveCount is
- sshd(8): Fix two race conditions related to SIGHUP daemon restart.
Remnant file descriptors in recently-forked child processes could
block the parent sshd's attempt to listen(2) to the configured
addresses. Also, the restarting parent sshd could exit before any
child processes that were awaiting their re-execution state had
completed reading it, leaving them in a fallback path.
- ssh(1): Fix stdout potentially being redirected to /dev/null when
ProxyCommand=- was in use.
- sshd(8): Avoid sending SIGPIPE to child processes if they attempt to
write to stderr after their parent processes have exited.
- ssh(1): Fix bad interaction between the ssh_config ConnectTimeout and
ConnectionAttempts directives - connection attempts after the first
were ignoring the requested timeout (LP: #1798049).
- ssh-keyscan(1): Return a non-zero exit status if no keys were found
(closes: #374980, LP: #1661745).
- scp(1): Sanitize scp filenames to allow UTF-8 characters without
terminal control sequences.
- sshd(8): Fix confusion between ClientAliveInterval and time-based
RekeyLimit that could cause connections to be incorrectly closed.
- ssh(1), ssh-add(1): Correct some bugs in PKCS#11 token PIN handling at
initial token login. The attempt to read the PIN could be skipped in
some cases, particularly on devices with integrated PIN readers. This
would lead to an inability to retrieve keys from these tokens.
- ssh(1), ssh-add(1): Support keys on PKCS#11 tokens that set the
CKA_ALWAYS_AUTHENTICATE flag by requiring a fresh login after the
- ssh(1): Improve documentation for ProxyJump/-J, clarifying that local
configuration does not apply to jump hosts.
- ssh-keygen(1): Clarify manual - ssh-keygen -e only writes public keys,
- ssh(1), sshd(8): be more strict in processing protocol banners,
allowing \r characters only immediately before \n.
- Various: fix a number of memory leaks.
- scp(1), sftp(1): fix calculation of initial bandwidth limits. Account
for bytes written before the timer starts and adjust the schedule on
which recalculations are performed. Avoids an initial burst of
traffic and yields more accurate bandwidth limits.
- sshd(8): Only consider the ext-info-c extension during the initial key
exchange. It shouldn't be sent in subsequent ones, but if it is
present we should ignore it. This prevents sshd from sending a
SSH_MSG_EXT_INFO for REKEX for these buggy clients.
- ssh-keygen(1): Clarify manual that ssh-keygen -F (find host in
authorized_keys) and -R (remove host from authorized_keys) options may
accept either a bare hostname or a [hostname]:port combo.
- ssh(1): Don't attempt to connect to empty SSH_AUTH_SOCK.
- sshd(8): Silence error messages when sshd fails to load some of the
default host keys. Failure to load an explicitly-configured hostkey
is still an error, and failure to load any host key is still fatal.
- ssh(1): Redirect stderr of ProxyCommands to /dev/null when ssh is
started with ControlPersist; prevents random ProxyCommand output from
interfering with session output.
- ssh(1): The ssh client was keeping a redundant ssh-agent socket
(leftover from authentication) around for the life of the connection.
- sshd(8): Fix bug in HostbasedAcceptedKeyTypes and
PubkeyAcceptedKeyTypes options. If only RSA-SHA2 signature types were
specified, then authentication would always fail for RSA keys as the
monitor checks only the base key (not the signature algorithm) type
- ssh(1): Request correct signature types from ssh-agent when
certificate keys and RSA-SHA2 signatures are in use.
- sshd(8): Don't set $MAIL if UsePAM=yes as PAM typically specifies the
user environment if it's enabled (closes: #189920, #532754).
* Mostly resynced GSSAPI key exchange patch with Fedora. Major changes:
- Support selection of GSSAPI key exchange algorithms.
- Support GSSAPI key exchange methods with DH and SHA2.
- Support GSSAPI key exchange using ECDH and SHA2.
- Make sure the Kerberos tickets are cleaned up with the user context.
- Enable gssapi-keyex authentication without gssapi-with-mic.
- Allow querying for GSSAPI key exchange algorithms from ssh (-Q
* Apply upstream patch to fix the utimensat regression tests when not
using the compatibility implementation.
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---
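
The following is an added example, not part of the bug report or of the openssh package: a shell check that reports what will export MAIL for SSH logins once sshd stops setting it under UsePAM=yes, as the changelog entry closing this bug describes. The function names and the sample file contents are constructed for illustration, and the check does not follow @include lines or look at pam_env.

```shell
#!/bin/sh
# Added example (constructed): what exports $MAIL for SSH logins on
# OpenSSH >= 8.0, where sshd skips its own MAIL when UsePAM=yes.
# Not followed: @include lines, pam_env, shell profiles.

# Effective UsePAM: keywords are case-insensitive, the first occurrence
# wins, and the upstream default is "no".
use_pam() {
    awk 'tolower($1) == "usepam" { print tolower($2); found = 1; exit }
         END { if (!found) print "no" }' "$1"
}

# pam_mail in a PAM service file: "env" (exports MAIL), "noenv"
# (present but told not to export) or "absent".
pam_mail_state() {
    awk '$1 ~ /^#/ { next }
         ($1 == "session" || $1 == "-session") && /pam_mail\.so/ {
             sub(/#.*/, "")
             state = "env"
             for (i = 1; i <= NF; i++) if ($i == "noenv") state = "noenv"
             print state; found = 1; exit
         }
         END { if (!found) print "absent" }' "$1"
}

# $1 = sshd_config, $2 = PAM service file (e.g. /etc/pam.d/sshd)
mail_env_source() {
    if [ "$(use_pam "$1")" != "yes" ]; then
        echo "sshd (hardcoded in session.c)"
        return 0
    fi
    case "$(pam_mail_state "$2")" in
        env)   echo "pam_mail" ;;
        noenv) echo "none (pam_mail has noenv)" ;;
        *)     echo "none (no pam_mail session line)" ;;
    esac
}

# Constructed sample files, so the check runs without touching /etc.
demo() {
    tmp=$(mktemp -d) || return 1
    printf 'UsePAM yes\n' > "$tmp/sshd_config"
    printf 'session optional pam_mail.so standard noenv # [1]\n' > "$tmp/noenv"
    printf 'session optional pam_mail.so standard\n' > "$tmp/env"
    echo "noenv kept:    $(mail_env_source "$tmp/sshd_config" "$tmp/noenv")"
    echo "noenv removed: $(mail_env_source "$tmp/sshd_config" "$tmp/env")"
    rm -rf "$tmp"
}
demo
```

On a real host, call `mail_env_source /etc/ssh/sshd_config /etc/pam.d/sshd`; a "none" result after upgrading to 8.0 means sessions that relied on the old hardcoded value will no longer see MAIL until "noenv" is removed from the pam_mail line.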