Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"

2024-05-18 Thread Laura Smith
You wanted to "track down an actual reason for this change" ?

Try this:

CVE-2011-3148
CVE-2011-3149

As summarised by Red Hat
(https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/6.4_technical_notes/pam):

If an application's PAM configuration contained user_readenv=1, a local 
attacker could use this flaw to cause the application to enter an infinite loop.



Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"

2023-01-31 Thread Colin Watson
Control: clone -1
Control: reassign -2 release-notes
Control: retitle -2 release-notes: document deprecation of .pam_environment

On Sun, Jan 15, 2023 at 04:55:10PM +0300, Michael Tokarev wrote:
> On Sun, 28 Aug 2022 07:58:19 +0200 Francesco Potortì  
> wrote:
> > My log is full of these:
> >  sshd[4180530]: pam_env(sshd:session): deprecated reading of user environment enabled
> 
> This comes from /etc/pam.d/sshd:
> session required pam_env.so user_readenv=1 envfile=/etc/default/locale
> 
> I'm not sure whether this is an sshd issue or a pam issue really: if it is deprecated
> in pam_env, sshd should not be using it, or it should not be deprecated.
> 
> Removing user_readenv=1 fixes this.

There's now
https://salsa.debian.org/ssh-team/openssh/-/merge_requests/21 for this,
but as noted there I have documentation concerns about simply removing
this.  Copying my comments from there:

  This is going to have extensive fallout, the exact nature of which is
  hard to predict.  So far this deprecation has been the equivalent of
  posting a notice in the bottom of a locked filing cabinet stuck in a
  disused lavatory with a sign on the door saying "Beware of the
  Leopard".  The Debian PAM packages don't ship the upstream NEWS file,
  and even if they did, the notice there is extremely brief.  You can
  see a deprecation warning if you read /var/log/auth.log, but who has
  time for that unless something is going wrong? Besides, the people who
  are most affected will be users who have .pam_environment files in
  their home directories, and as far as I can tell nobody has gone to
  any particular effort to notify them.

  At a bare minimum, this needs an entry in debian/NEWS.  But I'd go
  further: I think this should be documented in Debian's release notes
  (repository at https://salsa.debian.org/ddp-team/release-notes) for a
  release before we make this change.  That won't inform everyone, but
  it should reduce the number of people caught unawares by this.  Any
  other practical ideas for informing affected users would be welcome.

  Also, we need to track down an actual reason for this change.
  "Security concerns" is not verbose enough to be convincing on its own.
  I found
  https://github.com/linux-pam/linux-pam/commit/ecd526743a27157c5210b0ce9867c43a2fa27784,
  which is not much better ("Due to problematic security ...").  My best
  guess is that upstream got fed up after dealing with things like
  https://github.com/linux-pam/linux-pam/issues/263, but I'm really just
  guessing, and proper documentation would actually explain this sort of
  thing rather than just waving a security flag.

I'm cloning this bug for the release notes, and CCing the PAM maintainer
for comments.

Thanks,

-- 
Colin Watson (he/him)  [cjwat...@debian.org]



Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"

2023-01-15 Thread Michael Tokarev

On Sun, 28 Aug 2022 07:58:19 +0200 Francesco Potortì  
wrote:

Package: openssh-server
Version: 1:9.0p1-1+b1
Severity: minor
X-Debbugs-Cc: none, Francesco Potortì 
File: /usr/sbin/sshd

Dear Maintainer,

My log is full of these:
 sshd[4180530]: pam_env(sshd:session): deprecated reading of user environment enabled


This comes from /etc/pam.d/sshd:
session required pam_env.so user_readenv=1 envfile=/etc/default/locale

I'm not sure whether this is an sshd issue or a pam issue really: if it is deprecated
in pam_env, sshd should not be using it, or it should not be deprecated.

Removing user_readenv=1 fixes this.


There are two-four lines per minute


This means you have 2-4 logins per minute, which might be quite high.
These are real logins, successful, not just login probes from all over
the world trying to guess your passwords.

/mjt, who is not an openssh package maintainer.
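As an added example (not code from this bug thread, nor from the Debian openssh or PAM packages), the following shell script does the three things Michael's message describes by hand: it finds the pam_env.so session line that still carries user_readenv=1, emits the corrected file with that option dropped while envfile=/etc/default/locale is kept, and counts the resulting "deprecated reading of user environment enabled" messages per minute in an auth.log, which is the figure Michael reads as the rate of successful logins. The /etc/pam.d/sshd excerpt and the auth.log lines are constructed inline, and the temporary file names are assumptions.

```sh
#!/bin/sh
# Added example, not code from the bug thread or from the Debian packages.
# Audits a PAM service file for the deprecated pam_env option user_readenv=1,
# prints the corrected file, and counts the deprecation messages per minute.
set -eu

# Print pam_env.so session lines that still enable reading ~/.pam_environment.
# $1: path to a PAM service file such as /etc/pam.d/sshd
find_user_readenv() {
    grep -E '^[[:space:]]*session.*pam_env\.so.*user_readenv=1' "$1" || true
}

# Emit the file with user_readenv=1 removed from pam_env.so lines, keeping
# envfile=... so /etc/default/locale is still applied (the fix Michael describes).
strip_user_readenv() {
    sed -E '/pam_env\.so/ s/[[:space:]]+user_readenv=1([[:space:]]|$)/\1/' "$1"
}

# Count the deprecation message per minute in a traditional-syslog auth.log.
# pam_env logs it once per session open, so the rate approximates successful
# logins per minute, as opposed to failed authentication probes.
count_deprecation_per_minute() {
    awk '/pam_env\(sshd:session\): deprecated reading of user environment enabled/ {
             split($3, t, ":")
             n[$1 " " $2 " " t[1] ":" t[2]]++
         }
         END { for (k in n) print k, n[k] }' "$1" | sort
}

# Constructed sample input (not real files from the reporter's system).
tmpdir=$(mktemp -d)
trap 'rm -rf "$tmpdir"' EXIT
cat > "$tmpdir/sshd" <<'EOF'
# constructed excerpt modelled on /etc/pam.d/sshd
session    required     pam_env.so user_readenv=1 envfile=/etc/default/locale
session    required     pam_env.so
EOF
cat > "$tmpdir/auth.log" <<'EOF'
Aug 28 07:58:19 host sshd[4180530]: pam_env(sshd:session): deprecated reading of user environment enabled
Aug 28 07:58:40 host sshd[4180531]: pam_env(sshd:session): deprecated reading of user environment enabled
Aug 28 07:59:02 host sshd[4180532]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2
Aug 28 07:59:03 host sshd[4180532]: pam_env(sshd:session): deprecated reading of user environment enabled
EOF

echo "== lines still using user_readenv=1 =="
find_user_readenv "$tmpdir/sshd"
echo "== corrected file =="
strip_user_readenv "$tmpdir/sshd"
echo "== deprecation messages per minute =="
count_deprecation_per_minute "$tmpdir/auth.log"
```

Run it against a real service file by pointing find_user_readenv and strip_user_readenv at /etc/pam.d/sshd; strip_user_readenv only writes to stdout, so review the output before replacing the file, and remember that users with a ~/.pam_environment will stop having it read once the option is gone, which is the documentation concern Colin raises.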



Bug#1018260: openssh-server: fills the log with "deprecated reading of user environment enabled"

2022-08-28 Thread Francesco Potortì
Package: openssh-server
Version: 1:9.0p1-1+b1
Severity: minor
X-Debbugs-Cc: none, Francesco Potortì 
File: /usr/sbin/sshd

Dear Maintainer,

My log is full of these:
 sshd[4180530]: pam_env(sshd:session): deprecated reading of user environment enabled

There are two-four lines per minute

-- 
Francesco Potortì (ricercatore)    Voice:  +39.050.621.3058
ISTI - Area della ricerca CNR      Mobile: +39.348.8283.107
via G. Moruzzi 1, I-56124 Pisa     Skype:  wnlabisti
(gate 20, 1st floor, room C71)     Web:    http://fly.isti.cnr.it


-- System Information:
Debian Release: bookworm/sid
  APT prefers testing
  APT policy: (990, 'testing'), (101, 'unstable')
merged-usr: no
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 5.15.0-3-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_WARN, TAINT_OOT_MODULE, 
TAINT_UNSIGNED_MODULE
Locale: LANG=C.UTF-8, LC_CTYPE=it_IT.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages openssh-server depends on:
ii  adduser                3.123
ii  debconf [debconf-2.0]  1.5.79
ii  dpkg                   1.21.9
ii  init-system-helpers    1.64
ii  libaudit1              1:3.0.7-1+b1
ii  libc6                  2.34-4
ii  libcom-err2            1.46.5-2
ii  libcrypt1              1:4.4.28-2
ii  libgssapi-krb5-2       1.20-1
ii  libkrb5-3              1.20-1
ii  libpam-modules         1.5.2-2
ii  libpam-runtime         1.5.2-2
ii  libpam0g               1.5.2-2
ii  libselinux1            3.4-1+b1
ii  libssl3                3.0.5-2
ii  libsystemd0            251.3-1
ii  libwrap0               7.6.q-31
ii  lsb-base               11.2
ii  openssh-client         1:9.0p1-1+b1
ii  openssh-sftp-server    1:9.0p1-1+b1
ii  procps                 2:3.3.17-7+b1
ii  runit-helper           2.14.1
ii  ucf                    3.0043
ii  zlib1g                 1:1.2.11.dfsg-4.1

Versions of packages openssh-server recommends:
ii  libpam-systemd [logind]  251.3-1
ii  ncurses-term             6.3+20220423-2
ii  xauth                    1:1.1.1-1

Versions of packages openssh-server suggests:
pn  molly-guard  
pn  monkeysphere 
ii  ssh-askpass-gnome [ssh-askpass]  1:9.0p1-1+b1
pn  ufw  

-- debconf information:
* ssh/use_old_init_script: true
* openssh-server/permit-root-login: false
  ssh/disable_cr_auth: false
  ssh/encrypted_host_key_but_no_keygen:
  ssh/vulnerable_host_keys:
  openssh-server/password-authentication: true