Bug#1038150: Bug#1038151: Bug#1038150: openssh-client: Please add the openssh-client group rename from "ssh" to "_ssh" to the bookworm release notes
Control: reassign 1038151 openssh-client
On Wed, Jun 18, 2025 at 11:04:05AM +0100, Colin Watson wrote:
> On Wed, Jun 18, 2025 at 10:28:41AM +0100, Simon McVittie wrote:
> > On Fri, 16 Jun 2023 at 02:43:29 +0200, Alban Browaeys wrote:
> > > I cannot login anymore via ssh.
> > > I have the openemediavault installed on this box to manage the setup and
> > > it set AllowGroups to "root ssh" in /etc/ssh/sshd_config.
> > ...
> > > After the request from a user to rename the "ssh" group to free it for its
> > > own use, the "ssh" group was rename to "_ssh" in
> > > https://salsa.debian.org/ssh-team/openssh/-/commit/18da782ebe789d0cf107a550e474ba6352e68911
> > >
> > > But other users as in
> > > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990456#35 or tools to
> > > manage Debian have come to rely on this "ssh" group.
> >
> > I believe the openssh maintainers' position on this would be that the
> > ssh group was never intended to have ordinary users added to it, and
> > therefore this would be a bug in "openemediavault", which seems to be
> > third-party software that is not included in Debian?
>
> This is correct. I 100% intended the group to be for internal use only.
>
> I agree with the sentiment of this bug that it perhaps would have been worth
> documenting in the release notes, but I didn't have time; and since
> bookworm's release is now receding in the rear-view mirror, perhaps this has
> been overtaken by events? It's probably still worth documenting somewhere,
> although as you say:
>
> > Unfortunately, /etc/group doesn't have a mechanism for pointing to
> > documentation about the intended purpose of a group, so it's easy for a
> > sysadmin or a piece of third-party software to start using a group for
> > an unintended purpose, and I think that's what has happened here.
>
> ... so I don't know exactly where.
I agree it should not be in trixie's release notes. As this is now
mostly an openssh "issue", I'm reassigning it.
Maybe it should be in openssh-client's README.Debian?
Chris
Reply to: