Your message dated Wed, 18 Feb 2026 14:34:02 +0000
with message-id <[email protected]>
and subject line Bug#747303: fixed in openssh 1:10.2p1-4
has caused the Debian Bug report #747303,
regarding openssh-server: Please move pam_selinux open call higher in the
session PAM stack
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
747303: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=747303
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: openssh-server
Version: 1:6.6p1-5
Severity: normal
Tags: patch
Hi,
After looking at Fedora/CentOS ssh pam config file and talking with
people upstream[0]
I think that the call to pam_selinux open should be moved higher in the
session stack (just after pam_loginuid and before pam_keyinit to follow
what Fedora is doing).
Note that any new pam modules should be added after this pam_selinux
open call.
Cheers,
Laurent Bigonville
[0] http://marc.info/?l=selinux&m=139940365925225&w=2
-- System Information:
Debian Release: jessie/sid
APT prefers unstable
APT policy: (500, 'unstable'), (1, 'experimental')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.14-1-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.utf8, LC_CTYPE=fr_BE.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
diff -Nru openssh-6.6p1/debian/openssh-server.sshd.pam openssh-6.6p1/debian/openssh-server.sshd.pam
--- openssh-6.6p1/debian/openssh-server.sshd.pam 2014-04-21 22:24:51.000000000 +0200
+++ openssh-6.6p1/debian/openssh-server.sshd.pam 2014-05-07 10:48:31.000000000 +0200
@@ -21,6 +21,11 @@
# Set the loginuid process attribute.
session required pam_loginuid.so
+# SELinux needs to intervene at login time to ensure that the process starts
+# in the proper default security context. Only sessions which are intended
+# to run in the user's context should be run after this.
+session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
+
# Create a new session keyring.
session optional pam_keyinit.so force revoke
@@ -46,10 +51,5 @@
# /etc/default/locale, so read that as well.
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
-# SELinux needs to intervene at login time to ensure that the process starts
-# in the proper default security context. Only sessions which are intended
-# to run in the user's context should be run after this.
-session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
-
# Standard Un*x password updating.
@include common-password
--- End Message ---
--- Begin Message ---
Source: openssh
Source-Version: 1:10.2p1-4
Done: Colin Watson <[email protected]>
We believe that the bug you reported is fixed in the latest version of
openssh, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Colin Watson <[email protected]> (supplier of updated openssh package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Wed, 18 Feb 2026 14:09:13 +0000
Source: openssh
Architecture: source
Version: 1:10.2p1-4
Distribution: unstable
Urgency: medium
Maintainer: Debian OpenSSH Maintainers <[email protected]>
Changed-By: Colin Watson <[email protected]>
Closes: 747303 1124970
Changes:
openssh (1:10.2p1-4) unstable; urgency=medium
.
[ Colin Watson ]
* Debconf translations:
- Simplified and Traditional Chinese (thanks, Yangfl; closes: #1124970).
.
[ Luca Boccassi ]
* openssh-client: use sysusers.d instead of manual scripting.
* openssh-client: drop compat postinst not needed since bookworm/noble.
* openssh-client: drop versioned dependency on i-s-h, satisfied since
trixie/noble.
* openssh-client: drop dependency on passwd, add recommends on
openssh-server.
* Use dh-sequence-installsysusers and drop d/rules override.
.
[ Christian Göttsche ]
* Reorder pam_selinux(7) usage (closes: #747303).
Checksums-Sha1:
7f4ce5354d41a511d4d69f61e8026f61a3f5d9f5 3691 openssh_10.2p1-4.dsc
c66e42ec1650e1ea286936462b3998fa72d0c28e 200044 openssh_10.2p1-4.debian.tar.xz
375e15c1fef2d80d4f4238618ab2d4a4961ac882 16391312 openssh_10.2p1-4.git.tar.xz
cc1a087c37707f4580d11b721a3c4ce2041b2240 17300
openssh_10.2p1-4_source.buildinfo
Checksums-Sha256:
40b871857947f3bcbc8abcc4e9af1c32bacaaca4deebbe6872c06b71eb6a5bc0 3691
openssh_10.2p1-4.dsc
0aec1b0bb4dc8646f22a32892af4eebc5a8ba8e77cc8869a99458dcb6ca861db 200044
openssh_10.2p1-4.debian.tar.xz
851ecaae5164031d809ac0da23e3ae99448c9d8c617e0a97be11f7a01a24cf06 16391312
openssh_10.2p1-4.git.tar.xz
15929d57d4cc21a1b0bfc8fb6f2b61dd98916dab285343ef2ec2036a28f3d42d 17300
openssh_10.2p1-4_source.buildinfo
Files:
2113728523525b9cef8af65ef57e8377 3691 net standard openssh_10.2p1-4.dsc
b5200aa07d4228c01670652506024886 200044 net standard
openssh_10.2p1-4.debian.tar.xz
b9d82c66274bb89d977966cf37c9d110 16391312 net standard
openssh_10.2p1-4.git.tar.xz
4d2ff7d9c91bb52c18166c250d25cdd0 17300 net standard
openssh_10.2p1-4_source.buildinfo
Git-Tag-Info: tag=8fa01e053427b52073ec0756c500489bbd3ae1fc
fp=ac0a4ff12611b6fccf01c111393587d97d86500b
Git-Tag-Tagger: Colin Watson <[email protected]>
-----BEGIN PGP SIGNATURE-----
iQIzBAEBCgAdFiEEN02M5NuW6cvUwJcqYG0ITkaDwHkFAmmVyIMACgkQYG0ITkaD
wHkkkg//fkp34k7mhJ0RMDOyG91ink2QGKfOkC9WXUGAVghv693qXBqbl497X+qm
FZ1lMZ9YPnH91+Mq3m8iS12B1GIyos850UHnvqiUycZVW7zIqMklDDTyB+l5UfwP
t/0PIuVR+NIz1fFSA3sE/z8JGFJbZ0iV/BUNtP5Qep9watbT2Z/C426PCVikGrLv
sNGNtY8h70EuHOKslhu9SdsOFsorb3KXY5maOT4LuUKEGSD2mjdRDgnCq+xR831b
FDKZ/OEnhKHu3OUfpOejYoirueC7zwbfPUrQjdgRzcnz/0InsaHYw8xpW2N8xroK
/s3mcuNuF5KRr9dkJz3/3+bIbnDC9ReC5nnpGe98SYsc8wlCbBuzpB7SwZ90DTDF
07QaAQZOCJoo2u7AKUfziuVEFwCSdx4QBdeHS4MQLuF6f3cIZ+Tuk+TuWy6AGpkY
jyAPXTQ2aTTcxkrWvQW+OqfP9+7YQZhKSMXpL+hFNEVDh6gzujQh0MOIuctyPWCd
oDPr5AGtMmi1DYLJXZgNA6Z91/LgnLBvQbWzfSg7KPptR+N3Fn1SfsRnw29ivNv0
WnX2qLJyColpOT9XgU54zPgBLF0fEJ17YhgGUfbmjDMgxs4bSIgDU/ZKT+g5JBuD
WVvEszdR114yhg7aO7P9B5yuq2yIdktIj6mVXWF8zdAHJtW40Yk=
=h7Q9
-----END PGP SIGNATURE-----
pgpQTiwteoPqP.pgp
Description: PGP signature
--- End Message ---
