[Bug 2059859] Re: pam_env(sshd:session): deprecated reading of user environment enabled
Andreas Hasenack
2059859 at bugs.launchpad.net
Wed Jul 10 13:56:47 UTC 2024
> Is it just the "user_readenv=1" that needs dropped or would the entire
> line need to drop?
Just user_readenv=1 needs to go.
Bug LP: #952185 stated that ~/.pam_environment should be read, and the
example they gave was locale settings. It's as if back then, the per-
user locale variables were set via ~/.pam_environment, or so I
understood.
For openssh, the fix back then was two-fold:
a) move pam_env to the end(ish) of session stack, so that if encrypted home directories were used, by then the home directory would be unlocked already. It's now just before pam_selinux, which is the last one, and way after @common-session, which is where the unlocking of the encrypted home directory would occur.
b) add user_readenv=1, which was missing
I just checked in noble, and logging in as a non-admin user, switched my
language settings to English UK. Logged out, then back in, and indeed,
something created ~/.pam_environment. Which tells me other parts of the
system STILL, in 2024, expect that file to be read. Specifically,
something in the desktop (gnome/mutter).
For ssh, that might be irrelevant because at least nowadays we have this
setting in the sshd_config:
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
And this on the ssh_config (client) one:
Host *
(...)
SendEnv LANG LC_*
But even if we can drop user_readenv=1 from sshd's config (and I think
we can), the same cannot be said for other login components of the
system. A quick grep on my mantic desktop shows that gdm is the other
big app that relies on user_readenv=1.
And indeed, logging in on mantic, I get this deprecation warning in the
logs from gdm's usage of pam_env:
2024-07-10T10:54:54.270057-03:00 nsnx2 gdm-launch-environment]: pam_env(gdm-launch-environment:session): deprecated reading of user environment enabled
...
2024-07-10T10:55:05.512619-03:00 nsnx2 gdm-password]: pam_env(gdm-password:session): deprecated reading of user environment enabled
--
https://bugs.launchpad.net/bugs/2059859
Title:
pam_env(sshd:session): deprecated reading of user environment enabled
Status in gdm3 package in Ubuntu:
New
Status in openssh package in Ubuntu:
Triaged
Status in pam package in Ubuntu:
Fix Released
Status in openssh package in Debian:
New
Bug description:
Ubuntu 24.04 / openssh-server/noble-updates 1:9.6p1-3ubuntu3
sshd complains about "deprecated reading of user environment".
This should have been solved upstream, as far as I understand:
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1018106
Enclosed /etc/pam.d/sshd file is amended according to the debian bug
report.
ProblemType: Bug
DistroRelease: Ubuntu 24.04
Package: openssh-server 1:9.6p1-3ubuntu3
ProcVersionSignature: Ubuntu 6.8.0-11.11-generic 6.8.0-rc4
Uname: Linux 6.8.0-11-generic x86_64
ApportVersion: 2.28.0-0ubuntu1
Architecture: amd64
CasperMD5CheckResult: unknown
Date: Sun Mar 31 11:56:25 2024
ProcEnviron:
LANG=de_DE.UTF-8
PATH=(custom, no user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SourcePackage: openssh
UpgradeStatus: No upgrade log present (probably fresh install)
modified.conffile..etc.init.d.apport: [modified]
mtime.conffile..etc.init.d.apport: 2024-02-22T15:20:00
mtime.conffile..etc.pam.d.sshd: 2024-03-31T11:56:12.949543
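
Added example (not part of the original message or of any Ubuntu package): a shell audit in the spirit of the "quick grep" mentioned in the message. It lists active pam_env lines that still carry user_readenv=1 and shows each line with only that option dropped. The file contents are constructed samples; pass /etc/pam.d to find_user_readenv to check a real system.

```shell
#!/bin/sh
# Added example, not from the bug report. Sample files below are constructed.

# Print "file:lineno:line" for each active (non-comment) pam_env line in a
# PAM config directory that still carries user_readenv=1.
find_user_readenv() {
    dir=${1:-/etc/pam.d}
    grep -HnE '^[[:space:]]*[^#[:space:]].*pam_env\.so.*[[:space:]]user_readenv=1([[:space:]]|$)' \
        "$dir"/* 2>/dev/null
}

# Print a PAM line with only the user_readenv=1 option removed; the module
# and its other options (e.g. envfile=...) stay in place.
strip_user_readenv() {
    printf '%s\n' "$1" | sed -E 's/[[:space:]]+user_readenv=1([[:space:]]|$)/\1/'
}

# Build a constructed PAM directory so the example runs without touching /etc.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/sshd" <<'EOF'
session    required     pam_env.so
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
EOF
    cat > "$d/gdm-password" <<'EOF'
# session required pam_env.so user_readenv=1
session required pam_env.so readenv=1 user_readenv=1
EOF
    cat > "$d/login" <<'EOF'
session required pam_env.so readenv=1 envfile=/etc/default/locale
EOF
    printf '%s\n' "$d"
}

# Report every hit with the line as it is and as it would read afterwards.
sample=$(make_sample_dir)
find_user_readenv "$sample" | while IFS=: read -r file lineno line; do
    printf '%s:%s\n  before: %s\n  after:  %s\n' \
        "$file" "$lineno" "$line" "$(strip_user_readenv "$line")"
done
rm -rf "$sample"
```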