Bug#1095800: marked as done (openssh-server: /etc/pam.d/sshd has deprecated reading of user environment enabled)
Your message dated Wed, 12 Feb 2025 11:06:02 +0000
with message-id <Z6yAmhwRuxJel4sd@riva.ucam.org>
and subject line Re: Bug#1095800: openssh-server: /etc/pam.d/sshd has deprecated reading of user environment enabled
has caused the Debian Bug report #1095800,
regarding openssh-server: /etc/pam.d/sshd has deprecated reading of user environment enabled
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)
--
1095800: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1095800
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: openssh-server
Version: 1:9.2p1-2+deb12u4
Severity: normal
Dear Maintainer,
Debian's openssh-server and its PAM configuration in /etc/pam.d/sshd
has deprecated reading of user environment enabled.
The PAM_ENV(8) man page says that "user supplied environment variables in
the PAM environment could affect behavior of subsequent modules in the
stack without the consent of the system administrator.", which sounds
like this could even be a security issue.
Please remove reading of the user environment (user_readenv=1 parameter)
from /etc/pam.d/sshd
-- System Information:
Debian Release: 12.9
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: arm64 (aarch64)
Foreign Architectures: armhf
Kernel: Linux 6.6.51+rpt-rpi-2712 (SMP w/4 CPU threads; PREEMPT)
Kernel taint flags: TAINT_CRAP
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8) (ignored: LC_ALL set to en_US.UTF-8), LANGUAGE=en_US.UTF-8
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
Versions of packages openssh-server depends on:
ii adduser 3.134
ii debconf [debconf-2.0] 1.5.82
ii init-system-helpers 1.65.2
ii libaudit1 1:3.0.9-1
ii libc6 2.36-9+rpt2+deb12u9
ii libcom-err2 1.47.0-2
ii libcrypt1 1:4.4.33-2
ii libgssapi-krb5-2 1.20.1-2+deb12u2
ii libkrb5-3 1.20.1-2+deb12u2
ii libpam-modules 1.5.2-6+rpt2+deb12u1
ii libpam-runtime 1.5.2-6+rpt2+deb12u1
ii libpam0g 1.5.2-6+rpt2+deb12u1
ii libselinux1 3.4-1+b6
ii libssl3 3.0.15-1~deb12u1+rpt1
ii libsystemd0 252.33-1~deb12u1
ii libwrap0 7.6.q-32
ii openssh-client 1:9.2p1-2+deb12u4
ii openssh-sftp-server 1:9.2p1-2+deb12u4
ii procps 2:4.0.2-3
ii runit-helper 2.15.2
ii sysvinit-utils [lsb-base] 3.06-4
ii ucf 3.0043+nmu1+deb12u1
ii zlib1g 1:1.2.13.dfsg-1+rpt1
Versions of packages openssh-server recommends:
ii libpam-systemd [logind] 252.33-1~deb12u1
ii ncurses-term 6.4-4
ii xauth 1:1.1.2-1
Versions of packages openssh-server suggests:
pn molly-guard <none>
pn monkeysphere <none>
pn ssh-askpass <none>
pn ufw <none>
-- Configuration Files:
/etc/pam.d/sshd changed [not included]
/etc/ssh/moduli changed [not included]
-- debconf-show failed
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:9.7p1-6
On Wed, Feb 12, 2025 at 10:15:51AM +0200, pyllyukko wrote:
> Debian's openssh-server and its PAM configuration in /etc/pam.d/sshd
> has deprecated reading of user environment enabled.
>
> The PAM_ENV(8) man page says that "user supplied environment variables in
> the PAM environment could affect behavior of subsequent modules in the
> stack without the consent of the system administrator.", which sounds
> like this could even be a security issue.
>
> Please remove reading of the user environment (user_readenv=1 parameter)
> from /etc/pam.d/sshd
This is all true, but I already fixed it for the next Debian release a
while ago:
openssh (1:9.7p1-6) unstable; urgency=medium
* Stop reading ~/.pam_environment, which has a history of security
problems and is deprecated by PAM upstream (closes: #1018260).
-- Colin Watson <cjwatson@debian.org> Tue, 25 Jun 2024 14:20:44 +0100
I'm not going to backport this particular change to the current stable
release because it potentially requires users to make changes to prepare
for it first. There's an entry for it in the draft release notes for
the next Debian release here:
https://www.debian.org/releases/trixie/release-notes/issues.en.html#openssh-server-no-longer-reads-pam-environment
Thanks,
--
Colin Watson (he/him) [cjwatson@debian.org]
--- End Message ---
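An added audit helper for the setting discussed in both messages above (example code, not Debian's or the OpenSSH package's own tooling): it finds pam_env.so entries that still carry user_readenv=1 in a PAM service file such as /etc/pam.d/sshd, and prints the file with that option removed while keeping the rest of the line, which is what the 1:9.7p1-6 changelog entry describes. The sample input is constructed for the demo and is not a copy of Debian's shipped file.

```shell
#!/bin/sh
# Audit helper (added example, not Debian's own code) for the pam_env option
# user_readenv=1, which makes pam_env read the user's ~/.pam_environment.

# Exit 0 if no pam_env.so entry in the given PAM service file enables
# user_readenv=1; otherwise print each offending line and exit 1.
check_pam_user_readenv() {
    pam_file="$1"
    pam_hits=0
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            ''|'#'*)      continue ;;   # blank line or comment
            *pam_env.so*) ;;            # only pam_env takes user_readenv
            *)            continue ;;
        esac
        case "$line" in
            *user_readenv=1*) echo "$pam_file: $line"; pam_hits=$((pam_hits + 1)) ;;
        esac
    done < "$pam_file"
    [ "$pam_hits" -eq 0 ]
}

# Print the file with user_readenv=1 dropped from pam_env.so lines only
# (comment lines are left alone), keeping other options such as
# envfile=/etc/default/locale intact.
fix_pam_user_readenv() {
    sed -E '/^[^#]*pam_env\.so/ s/[[:space:]]+user_readenv=1//' "$1"
}

# Constructed sample modelled on a bookworm-era /etc/pam.d/sshd; not a copy.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# Read environment variables from /etc/environment and /etc/security/pam_env.conf.
session    required     pam_env.so # [1]
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session    required     pam_unix.so
EOF

check_pam_user_readenv "$sample" || echo "-> still reads ~/.pam_environment; corrected file:"
fix_pam_user_readenv "$sample"
rm -f "$sample"
```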