-rw-r--r--debian/NEWS16
-rw-r--r--debian/changelog7
-rw-r--r--debian/openssh-server.sshd.pam.in2
3 files changed, 24 insertions, 1 deletions
diff --git a/debian/NEWS b/debian/NEWS
index 4e3b2ee..79738c6 100644
--- a/debian/NEWS
+++ b/debian/NEWS
@@ -1,3 +1,19 @@
+openssh (1:9.7p1-6) UNRELEASED; urgency=medium
+
+ Debian's PAM configuration for OpenSSH no longer reads the
+ ~/.pam_environment file. The implementation of this in pam_env has a
+ history of security problems and has been deprecated by the upstream
+ Linux-PAM maintainers due to the possibility that "user supplied
+ environment variables in the PAM environment could affect behavior of
+ subsequent modules in the stack without the consent of the system
+ administrator".
+
+ Instead, environment variables need to be set somewhere that will be
+ handled by the session process; for most users, this will be shell
+ initialization files such as ~/.bash_profile or ~/.bashrc.
+
+ -- Colin Watson <cjwatson@debian.org> Thu, 23 May 2024 19:17:29 +0100
+
openssh (1:9.5p1-1) experimental; urgency=medium
OpenSSH 9.5p1 includes a number of changes that may affect existing
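Review bot: the NEWS stanza header reads `openssh (1:9.7p1-6) UNRELEASED` and is signed Thu, 23 May 2024, while the debian/changelog stanza in the same commit reads `unstable` and is signed Tue, 25 Jun 2024; since NEWS entries are surfaced to users keyed on the version, the distribution and date here should be brought in line with the changelog before upload (UNRELEASED reads as a leftover from the earlier draft). The explanation itself is clear; it would help administrators who carry a locally modified PAM file to also state the concrete change, namely that `user_readenv=1` was dropped from the pam_env.so line in the sshd PAM configuration (debian/openssh-server.sshd.pam.in in this diff), so they know exactly what to merge.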
diff --git a/debian/changelog b/debian/changelog
index 8c231b5..c02c599 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+openssh (1:9.7p1-6) unstable; urgency=medium
+
+ * Stop reading ~/.pam_environment, which has a history of security
+ problems and is deprecated by PAM upstream (closes: #1018260).
+
+ -- Colin Watson <cjwatson@debian.org> Tue, 25 Jun 2024 14:20:44 +0100
+
openssh (1:9.7p1-5) unstable; urgency=medium
[ Colin Watson ]
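Review bot: the entry is correct but terse for a behaviour change; consider naming what was actually edited (removing `user_readenv=1` from the second pam_env.so line in debian/openssh-server.sshd.pam.in) and pointing at the NEWS entry, because administrators with a locally modified sshd PAM file will get a conffile prompt and need to know which line to keep.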
diff --git a/debian/openssh-server.sshd.pam.in b/debian/openssh-server.sshd.pam.in
index 2cad67d..adfb8b1 100644
--- a/debian/openssh-server.sshd.pam.in
+++ b/debian/openssh-server.sshd.pam.in
@@ -44,7 +44,7 @@ session required pam_limits.so
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well.
-session required pam_env.so user_readenv=1 envfile=/etc/default/locale
+session required pam_env.so envfile=/etc/default/locale
# SELinux needs to intervene at login time to ensure that the process starts
# in the proper default security context. Only sessions which are intended
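Review bot: removing `user_readenv=1` leaves the option at pam_env's built-in default, so the change depends on that default being off; since the intent is that ~/.pam_environment is never read, a short comment on this line (or in the `[1]` note above it) stating that deliberately would stop a future maintainer from re-adding the option as a "fix" for missing per-user variables. The first pam_env.so line at the top of the hunk already carries no user_readenv, so after this change neither invocation reads the user file, which matches what the NEWS entry promises.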