diff options
-rw-r--r-- | debian/NEWS | 16 | ||||
-rw-r--r-- | debian/changelog | 7 | ||||
-rw-r--r-- | debian/openssh-server.sshd.pam.in | 2 |
3 files changed, 24 insertions, 1 deletions
diff --git a/debian/NEWS b/debian/NEWS index 4e3b2ee..79738c6 100644 --- a/debian/NEWS +++ b/debian/NEWS @@ -1,3 +1,19 @@ +openssh (1:9.7p1-6) UNRELEASED; urgency=medium + + Debian's PAM configuration for OpenSSH no longer reads the + ~/.pam_environment file. The implementation of this in pam_env has a + history of security problems and has been deprecated by the upstream + Linux-PAM maintainers due to the possibility that "user supplied + environment variables in the PAM environment could affect behavior of + subsequent modules in the stack without the consent of the system + administrator". + + Instead, environment variables need to be set somewhere that will be + handled by the session process; for most users, this will be shell + initialization files such as ~/.bash_profile or ~/.bashrc. + + -- Colin Watson <cjwatson@debian.org> Thu, 23 May 2024 19:17:29 +0100 + openssh (1:9.5p1-1) experimental; urgency=medium OpenSSH 9.5p1 includes a number of changes that may affect existing diff --git a/debian/changelog b/debian/changelog index 8c231b5..c02c599 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +openssh (1:9.7p1-6) unstable; urgency=medium + + * Stop reading ~/.pam_environment, which has a history of security + problems and is deprecated by PAM upstream (closes: #1018260). + + -- Colin Watson <cjwatson@debian.org> Tue, 25 Jun 2024 14:20:44 +0100 + openssh (1:9.7p1-5) unstable; urgency=medium [ Colin Watson ] diff --git a/debian/openssh-server.sshd.pam.in b/debian/openssh-server.sshd.pam.in index 2cad67d..adfb8b1 100644 --- a/debian/openssh-server.sshd.pam.in +++ b/debian/openssh-server.sshd.pam.in @@ -44,7 +44,7 @@ session required pam_limits.so session required pam_env.so # [1] # In Debian 4.0 (etch), locale-related environment variables were moved to # /etc/default/locale, so read that as well. -session required pam_env.so user_readenv=1 envfile=/etc/default/locale +session required pam_env.so envfile=/etc/default/locale # SELinux needs to intervene at login time to ensure that the process starts # in the proper default security context. Only sessions which are intended |