[Bug 920749] Re: pam configuration for SSH prevents LANG override
** Tags added: manpage

--
You received this bug notification because you are a member of Ubuntu Server Team, which is subscribed to openssh in Ubuntu.
https://bugs.launchpad.net/bugs/920749

Title:
  pam configuration for SSH prevents LANG override

To manage notifications about this bug go to:
https://bugs.launchpad.net/openssh/+bug/920749/+subscriptions

--
Ubuntu-server-bugs mailing list
Ubuntu-server-bugs@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-server-bugs
[Bug 920749] Re: pam configuration for SSH prevents LANG override
Can we at least get a documentation fix on this 5 year old bug? The ssh_config and sshd_config man pages, as well as the comments in those configuration files specifically call out that the LANG and LC_* environment variables are configured to be passed from client to server, and they are so configured. However, on a default install this will not actually happen. The documentation should be changed to reflect the fact that while the environmental variables will be passed, PAM will override the user preferences with the system defaults.
[Bug 920749] Re: pam configuration for SSH prevents LANG override
** Changed in: openssh (Ubuntu)
   Importance: Undecided => Medium
[Bug 920749] Re: pam configuration for SSH prevents LANG override
Just commenting it out would also be wrong - there's extensive discussion in the upstream bug I linked.

** Bug watch added: OpenSSH Portable Bugzilla #1346
   https://bugzilla.mindrot.org/show_bug.cgi?id=1346

** Also affects: openssh via
   https://bugzilla.mindrot.org/show_bug.cgi?id=1346
   Importance: Unknown
       Status: Unknown
[Bug 920749] Re: pam configuration for SSH prevents LANG override
** Bug watch added: Debian Bug tracker #313317
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313317

** Also affects: openssh (Debian) via
   http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=313317
   Importance: Unknown
       Status: Unknown

** Changed in: openssh (Ubuntu)
       Status: New => Triaged

** Changed in: openssh (Ubuntu)
    Milestone: precise-alpha-2 => None
[Bug 920749] Re: pam configuration for SSH prevents LANG override
Launchpad has imported 38 comments from the remote bug at https://bugzilla.mindrot.org/show_bug.cgi?id=1346.

If you reply to an imported comment from within Launchpad, your comment will be sent to the remote bug automatically. Read more about Launchpad's inter-bugtracker facilities at https://help.launchpad.net/InterBugTracking.

On 2007-07-29T14:56:49+00:00 Jean-Christophe Dubacq wrote:

Created attachment 1332
client-sent environment overrides PAM-read environment

This bug has been reported and discussed in the Debian BTS, see bugs #313317 and #408029 there.

The environment variables sent by AcceptEnv/SendEnv functionalities should take precedence over PAM variable settings, especially for locale and terminal related settings (or commands that are locale-sensitive or terminal sensitive might give incomprehensible gibberish as output to the user). TERM is already managed in a special way, but not LANG or LC_* variables.

Currently, the variables LANG and LC_* are set (in a default Debian installation) by pam (/etc/pam.d/ssh) which in turn reads /etc/environment and /etc/default/locale.

It happens that in session.c (function do_child) the environment of the child process is set as follows: first, copy the environment set by AcceptEnv/SendEnv, set some more variables (TERM, TZ, depending on the system), then use pam and copy the PAM environment inside the child environment, thus clobbering the useful variables sent through AcceptEnv/SendEnv.

Note that there is no way it could be fixed at the PAM level: PAM prepares the environment for the child not knowing the sent variables. It is openssh-server that does the things in the wrong order.

What the patch does: it changes the child_set_env function in copy_environment to child_set_env_safe (basically the same as child_set_env but with a twist): any variable which has already been inserted in the environment is not clobbered by copy_environment.

Since the function copy_environment is the one used to bring the PAM settings inside the environment, the PAM settings no longer clobber the environment sent by the AcceptEnv/SendEnv mechanism.

Which yields (from a client with LANG unset, and to a server with LANG=fr_FR.UTF-8 in /etc/default/locale)

  $ ssh penpen 'echo $LANG $(locale charmap)'
  fr_FR.UTF-8 UTF-8
  $ LANG=en_GB.UTF-8 ssh penpen 'echo $LANG $(locale charmap)'
  en_GB.UTF-8 UTF-8
  $ LANG=fr_FR@euro ssh penpen 'echo $LANG $(locale charmap)'
  fr_FR@euro ISO-8859-15
  $ LANG=fr_FR ssh penpen 'echo $LANG $(locale charmap)'
  fr_FR ISO-8859-1

Since the current behaviour is to enforce the admin-set values, and thus rendering the AcceptEnv/SendEnv almost useless, since critical variables set in the environment can be enforced by the administrator by refusing to accept them (in /etc/ssh/sshd_config) and since the default-accepted environment variables are only limited to locale-related variables and a default Debian installation does not allow those variables to be used (the locales package always sets LANG in /etc/default/locale), I think this patch is worth being included in openssh-server. I also think it is free of security holes or memory leaks.

I think it is worth being transmitted upstream. I think some consideration should be given about whether the no clobber behaviour should be the default one (child_set_env is used several times in session.c and some should probably consider using child_set_env_safe with the same rationale), but it is part of a more general reflection on this and does not interfere in any way with these two bugs.

Reply at: https://bugs.launchpad.net/openssh/+bug/920749/comments/0

On 2008-01-20T00:43:37+00:00 Djm wrote:

Why is PAM setting these variables? Wouldn't it be better to make PAM not set things that you do not want overridden? It isn't totally obvious why env vars from PAM should not get precedence, as we generally treat SendEnv strings as the lowest priority.

Reply at: https://bugs.launchpad.net/openssh/+bug/920749/comments/1

On 2008-01-21T09:08:03+00:00 Jean-Christophe Dubacq wrote:

A sysadmin, in a non-English speaking country, should set default values (especially for locale related environment values). The natural way to set these is through PAM (works across many shells).

I also implemented a no-clobber pam environment setting, but it will not work for ssh AcceptEnv/SendEnv because (IIRC) the environment passed to pam for initialisation is empty - it does not contain pre-set variables with the ssh AcceptEnv/SendEnv variables set. This solution implies changing 2 major components of a Unix system (openssh + PAM) instead of only one (openssh).

I also do not see how being conservative (putting AcceptEnv on low priority) is helpful, especially in the case of locales; if I remotely log into a Japanese system, I
[Bug 920749] Re: pam configuration for SSH prevents LANG override
** Changed in: openssh (Debian)
       Status: Unknown => Confirmed
[Bug 920749] Re: pam configuration for SSH prevents LANG override
** Description changed:

  The default /etc/pam.d/sshd configuration has:

  # Read environment variables from /etc/environment and
  # /etc/security/pam_env.conf.
  #auth required pam_env.so # [1]
  # In Debian 4.0 (etch), locale-related environment variables were moved to
  # /etc/default/locale, so read that as well.
  auth required pam_env.so envfile=/etc/default/locale

  The default SSH client configuration has Send LC_* and the default SSH
- server configuration has Accept LC_*. This prevent any user locale
- settings from being sent via SSH.
+ server configuration has Accept LC_*. The PAM configuration prevents
+ any user-overrides for locale settings.

  For example, if /etc/default/locale has:
  LANG=en_US.UTF-8
  LC_COLLATE=C

  Then running LANG=zh_SG.utf8 LC_COLLATE=en_US.UTF-8 ssh myspecialhost.foo.bar.com yields:
  ubuntu@ip-10-12-15-243:~$ locale
  LANG=en_US.UTF-8
  LC_COLLATE=C
  (output truncated for clarity)

  While having a blank /etc/default/locale yeilds:
  ubuntu@ip-10-12-15-243:~$ locale
  locale: Cannot set LC_ALL to default locale: No such file or directory
  LANG=zh_SG.utf8
  LC_COLLATE=en_US.UTF-8
  (output truncated for clarity)

  I think, although I am not sure, that this is a bug with the default
  configuration. It means that in order for server to accept multple
  languages or LC_* bindings, the system locale default would have to be
  unset. Effectively this is forcing the system default on all users.
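
The ordering discussed in this thread (accepted client variables first, PAM variables copied in afterwards) can be modelled in a few lines. This is an added example, not OpenSSH code and not the attached patch: env_set, env_get and build_child_env are hypothetical names, the locale values are the ones from the bug description, and the PATH entries are constructed.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#define MAXENV 16
struct env { const char *name[MAXENV], *val[MAXENV]; int n; };
struct kv { const char *name, *val; };

/* Set name=val; when overwrite is 0 an existing entry is kept (no-clobber). */
static void env_set(struct env *e, const char *name, const char *val, int overwrite) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->name[i], name) == 0) {
            if (overwrite) e->val[i] = val;
            return;
        }
    if (e->n < MAXENV) { e->name[e->n] = name; e->val[e->n++] = val; }
}

static const char *env_get(const struct env *e, const char *name) {
    for (int i = 0; i < e->n; i++)
        if (strcmp(e->name[i], name) == 0) return e->val[i];
    return NULL;
}

/* Sample data: locale values from the bug description, PATH values constructed. */
static const char *accept_env[] = { "LANG", "LC_*", NULL };   /* AcceptEnv patterns */
static const struct kv client_sent[] = {
    {"LANG", "zh_SG.utf8"}, {"LC_COLLATE", "en_US.UTF-8"}, {"PATH", "/home/alice/bin"}, {NULL, NULL} };
static const struct kv pam_env[] = {
    {"LANG", "en_US.UTF-8"}, {"LC_COLLATE", "C"}, {"PATH", "/usr/bin:/bin"}, {NULL, NULL} };

/* Accepted client variables go in first, then the PAM environment is copied in. */
static struct env build_child_env(int pam_overwrites) {
    struct env e = { .n = 0 };
    for (const struct kv *c = client_sent; c->name; c++)
        for (const char **p = accept_env; *p; p++)
            if (fnmatch(*p, c->name, 0) == 0) { env_set(&e, c->name, c->val, 1); break; }
    for (const struct kv *p = pam_env; p->name; p++)
        env_set(&e, p->name, p->val, pam_overwrites);
    return e;
}

int main(void) {
    for (int mode = 1; mode >= 0; mode--) {
        struct env e = build_child_env(mode);
        printf("%s: LANG=%s LC_COLLATE=%s PATH=%s\n", mode ? "clobber" : "no-clobber",
               env_get(&e, "LANG"), env_get(&e, "LC_COLLATE"), env_get(&e, "PATH"));
    }
    return 0;
}
```

With clobbering the session ends up with the system locale from /etc/default/locale; without it the client's locale survives, while PATH still comes from PAM in both modes because it matches no AcceptEnv pattern.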