On Wed, Jun 18, 2025 at 10:28:41AM +0100, Simon McVittie wrote:
On Fri, 16 Jun 2023 at 02:43:29 +0200, Alban Browaeys wrote:
I cannot login anymore via ssh.
I have the openemediavault installed on this box to manage the setup and
it set AllowGroups to "root ssh" in /etc/ssh/sshd_config.
...
After the request from a user to rename the "ssh" group to free it for its
own use, the "ssh" group was rename to "_ssh" in
https://salsa.debian.org/ssh-team/openssh/-/commit/18da782ebe789d0cf107a550e474ba6352e68911
But other users as in
https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=990456#35 or tools to
manage Debian have come to rely on this "ssh" group.
I believe the openssh maintainers' position on this would be that the
ssh group was never intended to have ordinary users added to it, and
therefore this would be a bug in "openemediavault", which seems to be
third-party software that is not included in Debian?
This is correct. I 100% intended the group to be for internal use only.
I agree with the sentiment of this bug that it perhaps would have been
worth documenting in the release notes, but I didn't have time; and
since bookworm's release is now receding in the rear-view mirror,
perhaps this has been overtaken by events? It's probably still worth
documenting somewhere, although as you say:
Unfortunately, /etc/group doesn't have a mechanism for pointing to
documentation about the intended purpose of a group, so it's easy for
a sysadmin or a piece of third-party software to start using a group
for an unintended purpose, and I think that's what has happened here.
... so I don't know exactly where.
--
Colin Watson (he/him) [cjwat...@debian.org]
