pam_env(sshd:session): deprecated reading of user environment enabled
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
gdm3 (Ubuntu) | New | Undecided | Unassigned | |
openssh (Debian) | Fix Released | Unknown | | |
openssh (Ubuntu) | Fix Released | Medium | Andreas Hasenack | |
pam (Ubuntu) | Fix Released | Undecided | Andreas Hasenack | |

Bug Description
Ubuntu 24.04 / openssh-
sshd complains about "deprecated reading of user environment".
This should have been solved upstream, as far as I understand: https:/
Enclosed /etc/pam.d/sshd file is amended according to the debian bug report.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-server 1:9.6p1-3ubuntu3
ProcVersionSign
Uname: Linux 6.8.0-11-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckR
Date: Sun Mar 31 11:56:25 2024
ProcEnviron:
LANG=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-
XDG_RUNTIME_
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
modified.
mtime.conffile.
mtime.conffile.
Related branches
- git-ubuntu bot: Approve
- Bryce Harrington (community): Approve
- Canonical Server Reporter: Pending requested
- Diff: 66 lines (+38/-1), 3 files modified
  debian/NEWS (+26/-0)
  debian/changelog (+11/-0)
  debian/openssh-server.sshd.pam.in (+1/-1)
- git-ubuntu bot: Approve
- Robie Basak: Approve
- Canonical Server Reporter: Pending requested
- Diff: 71 lines (+49/-0), 3 files modified
  debian/changelog (+7/-0)
  debian/patches/pam_env-remove-deprecation-notice-for-user_readenv.patch (+41/-0)
  debian/patches/series (+1/-0)
Changed in openssh (Ubuntu):
status: New → Triaged
importance: Undecided → Medium
tags: added: server-todo
Changed in openssh (Ubuntu):
milestone: later → ubuntu-24.06
assignee: nobody → Andreas Hasenack (ahasenack)
Changed in openssh (Debian):
status: Unknown → New
tags: removed: server-todo
Changed in openssh (Debian):
status: New → Fix Released
Fixing this in noble at this time will require a feature freeze exception, because we would be changing behavior.
The default for user_readenv in pam_env is 0 (off). In the sshd config, Ubuntu/Debian ship a pam config that sets it to on (1), therefore ~/.pam_environment will be read if it exists.
Upstream has flagged that this feature (of reading user-provided env var files) will be removed in the future, and is thus catching the setting of user_readenv=1 and showing the deprecation notice warning. To get rid of the warning, we have to stop setting user_readenv=1, which will *disable* the feature. Meaning, in noble, if we make this change, ~/.pam_environment (or the file specified by user_envfile) will NOT be read anymore.
Upstream marked this deprecation in version 1.5.0, which means Ubuntu Mantic and Noble are affected.
Now is the right time to make this change: mantic had the deprecation notice already, and noble is an LTS.
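
Before the change lands, an administrator may want to know which PAM services still enable `user_readenv` and which accounts have a per-user environment file that will stop being read. The following is an added example, not code from this bug report or from the Ubuntu or Debian packaging; the function names are hypothetical and the sample PAM file is constructed.

```python
import os
import pwd
import re
from pathlib import Path

# Constructed sample, not the real Ubuntu /etc/pam.d/sshd.
SAMPLE = """\
# PAM configuration (constructed)
@include common-auth
session required pam_env.so # default: user_readenv=0
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
session [success=ok default=ignore] pam_env.so user_readenv=0
-session optional /lib/security/pam_env.so user_readenv=1 \\
    user_envfile=.config/pam_env
"""

# type, control (plain word or [bracketed list]), module path, arguments
RULE = re.compile(r"^\s*-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")

def find_user_readenv(text):
    """Return (pam_type, user_envfile) for each pam_env rule enabling user_readenv."""
    hits = []
    for line in text.replace("\\\n", " ").splitlines():   # join continued lines
        m = RULE.match(line.split("#", 1)[0])              # drop comments
        if not m or Path(m.group(3)).name != "pam_env.so":
            continue
        args = dict(a.partition("=")[::2] for a in m.group(4).split())
        value = args.get("user_readenv", "0")               # default is 0 (off)
        if value.isdigit() and int(value) != 0:
            hits.append((m.group(1), args.get("user_envfile", ".pam_environment")))
    return hits

def affected_users(envfile):
    """Local accounts whose home directory contains the per-user env file."""
    return [u.pw_name for u in pwd.getpwall()
            if os.path.isfile(os.path.join(u.pw_dir, envfile))]

def audit(pam_dir="/etc/pam.d"):
    """Map each PAM service file to its user_readenv-enabled pam_env rules."""
    report = {}
    for path in sorted(Path(pam_dir).glob("*")):
        if path.is_file():
            hits = find_user_readenv(path.read_text(errors="replace"))
            if hits:
                report[path.name] = hits
    return report

if __name__ == "__main__":
    for service, hits in audit().items():
        for pam_type, envfile in hits:
            print(f"{service}: {pam_type} pam_env reads ~/{envfile}; "
                  f"users with that file: {affected_users(envfile)}")
```

Run it as root so that every home directory is readable; accounts from remote directories are only listed if `pwd.getpwall()` enumerates them.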