Bug#1095800: openssh-server: /etc/pam.d/sshd has deprecated reading of user environment enabled
Package: openssh-server
Version: 1:9.2p1-2+deb12u4
Severity: normal
Dear Maintainer,
Debian's openssh-server and its PAM configuration in /etc/pam.d/sshd
has deprecated reading of user environment enabled.
PAM_ENV(8) man page tells that "user supplied environment variables in
the PAM environment could affect behavior of subsequent modules in the
stack without the consent of the system administrator.", which sounds
like this could even be a security issue.
Please remove reading of the user environment (user_readenv=1 parameter)
from /etc/pam.d/sshd.
-- System Information:
Debian Release: 12.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf
Kernel: Linux 6.6.51+rpt-rpi-2712 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+rpt2+deb12u9
ii libcom-err2 1.47.0-2
ii libcrypt1 1:4.4.33-2
ii libgssapi-krb5-2 1.20.1-2+deb12u2
ii libkrb5-3 1.20.1-2+deb12u2
ii libpam-modules 1.5.2-6+rpt2+deb12u1
ii libpam-runtime 1.5.2-6+rpt2+deb12u1
ii libpam0g 1.5.2-6+rpt2+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.15-1~deb12u1+rpt1
ii libsystemd0 252.33-1~deb12u1
ii libwrap0 7.6.q-32
ii openssh-client 1:9.2p1-2+deb12u4
ii openssh-sftp-server 1:9.2p1-2+deb12u4
ii procps 2:4.0.2-3
ii runit-helper 2.15.2
ii sysvinit-utils [lsb-base] 3.06-4
ii ucf 3.0043+nmu1+deb12u1
ii zlib1g 1:1.2.13.dfsg-1+rpt1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 252.33-1~deb12u1
ii ncurses-term 6.4-4
ii xauth 1:1.1.2-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- Configuration Files:
/etc/pam.d/sshd changed [not included]
/etc/ssh/moduli changed [not included]
-- debconf-show failed
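As an added example (not part of this bug report or of Debian's packaging), a POSIX shell check that reports pam_env.so lines enabling user_readenv=1 in a PAM service file and produces a copy with that option removed; the sample /etc/pam.d/sshd content is constructed, and the exact Debian pam_env stanza shown in it is an assumption.

```shell
#!/bin/sh
# Constructed sample of a Debian-style /etc/pam.d/sshd (not the reporter's
# file, which the report marks "changed [not included]"). The last line
# mirrors the stanza the bug complains about and is assumed, not quoted.
SAMPLE_PAM_SSHD='# PAM configuration for the Secure Shell service
@include common-auth
account required pam_nologin.so
@include common-account
session required pam_loginuid.so
session optional pam_keyinit.so force revoke
@include common-session
session required pam_env.so # user_readenv=1 in a comment must be ignored
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
'

# pam_env_user_readenv FILE
#   Prints every pam_env.so line whose arguments contain user_readenv=1
#   (comments stripped first). Exit 0 if any found, 1 otherwise, so it can
#   be used as a compliance check in a script.
pam_env_user_readenv() {
    sed 's/#.*//' "$1" | awk '
        /pam_env\.so/ {
            for (i = 1; i <= NF; i++)
                if ($i == "user_readenv=1") { print; found = 1 }
        }
        END { exit found ? 0 : 1 }'
}

# pam_env_disable_user_readenv FILE
#   Emits FILE with user_readenv=1 dropped from pam_env.so lines, i.e. the
#   change the report asks for. Review with diff before installing.
pam_env_disable_user_readenv() {
    sed -E '/pam_env\.so/ s/[[:space:]]+user_readenv=1([[:space:]]|$)/\1/' "$1"
}

# Stand-alone demo on the constructed sample.
demo=$(mktemp) && printf '%s' "$SAMPLE_PAM_SSHD" > "$demo"
echo "pam_env lines reading the user environment:"
pam_env_user_readenv "$demo" || echo "(none)"
echo "corrected pam_env lines:"
pam_env_disable_user_readenv "$demo" | grep 'pam_env\.so'
rm -f "$demo"
```

Run it against the real file with `pam_env_user_readenv /etc/pam.d/sshd` to see whether a host still has the option enabled.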