Bug#765633: Bug#780797: openssh-server: modifies the user configuration

2015-03-23 Thread Vincent Lefevre
On 2015-03-23 01:09:33 +0100, Christoph Anton Mitterer wrote: > Maybe I've missed that since the discussion got quite long, but I don't > remember that Vincent actually explained what broke (i.e. I know nothing > that would use LC_CHARMAP or CODEPAGE?)... and the others rather just > complained abou

Bug#780797: openssh-server: modifies the user configuration

2015-03-23 Thread Vincent Lefevre
On 2015-03-22 04:23:33 +0100, Christoph Anton Mitterer wrote: > On Sun, 2015-03-22 at 03:00 +0100, Vincent Lefevre wrote: > > Bad example. The Firefox profile is not a config file. > Why not? it contains all my about:config settings, my bookmarks, etc. It contains more than things related to conf

Bug#765633: Bug#780797: openssh-server: modifies the user configuration

2015-03-23 Thread Christoph Anton Mitterer
On Mon, 2015-03-23 at 10:17 +, Colin Watson wrote: > I disagree with this characterisation. Well I guess we won't come to an agreement here. I've had a short glance over the discussion that the IETF WG and upstream had about the bug you've mentioned, and it seems that both seemed to think the

Bug#765633: Bug#780797: openssh-server: modifies the user configuration

2015-03-23 Thread Colin Watson
On Mon, Mar 23, 2015 at 01:09:33AM +0100, Christoph Anton Mitterer wrote: > On Sun, 2015-03-22 at 23:18 +, Colin Watson wrote: > > Control: tag 765633 wontfix > Ah it's really a shame... not that the issue is particularly critical, > but it shows a general problem within Debian why we have so

Bug#765633: Bug#780797: openssh-server: modifies the user configuration

2015-03-22 Thread Christoph Anton Mitterer
On Sun, 2015-03-22 at 23:18 +, Colin Watson wrote: > Control: tag 765633 wontfix Ah it's really a shame... not that the issue is particularly critical, but it shows a general problem within Debian why we have so many fields where no progress is made - and if it's made some people must just

Bug#780797: openssh-server: modifies the user configuration

2015-03-22 Thread Colin Watson
Control: tag 765633 wontfix Control: tag 780797 pending On Sat, Mar 21, 2015 at 11:13:54AM +0100, Vincent Lefevre wrote: > On 2015-03-21 07:12:08 +0100, Christoph Anton Mitterer wrote: > > On Sat, 2015-03-21 at 00:51 -0400, Chris Knadle wrote: > > > § 10.7.3 Behavior > > > Configuration

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Christoph Anton Mitterer
On Sun, 2015-03-22 at 03:00 +0100, Vincent Lefevre wrote: > Bad example. The Firefox profile is not a config file. Why not? it contains all my about:config settings, my bookmarks, etc. It contains my enabled/disabled CA certificates (so it's actually even quite security relevant, and every releas

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Vincent Lefevre
On 2015-03-21 20:33:59 +0100, Christoph Anton Mitterer wrote: > On Sat, 2015-03-21 at 11:13 +0100, Vincent Lefevre wrote: > > The configuration consists of a full file, and the choice for some > > option may depend on others. > That way you could *never* change anything nor upgrade systems. > Get

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Chris Knadle
On 03/21/2015 03:33 PM, Christoph Anton Mitterer wrote: [...] > Get a new firefox version, and the whole binary blob profile may > completely be upgraded, old algos disabled etc. pp. > >> So, as soon as the file is modified, it must be considered that >> the configuration has been chosen by the ad

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Christoph Anton Mitterer
On Sat, 2015-03-21 at 11:13 +0100, Vincent Lefevre wrote: > The configuration consists of a full file, and the choice for some > option may depend on others. That way you could *never* change anything nor upgrade systems. Get a new firefox version, and the whole binary blob profile may completely

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Chris Knadle
On Sat, 2015-03-21 at 07:12 +0100, Christoph Anton Mitterer wrote: > On Sat, 2015-03-21 at 00:51 -0400, Chris Knadle wrote: > > § 10.7.3 Behavior > > Configuration file handling must conform to the following > > behavior: > > • local changes must be preserved during a package upgra

Bug#780797: openssh-server: modifies the user configuration

2015-03-21 Thread Vincent Lefevre
On 2015-03-21 07:12:08 +0100, Christoph Anton Mitterer wrote: > On Sat, 2015-03-21 at 00:51 -0400, Chris Knadle wrote: > > § 10.7.3 Behavior > > Configuration file handling must conform to the following behavior: > > • local changes must be preserved during a package upgrade > Well, s

Bug#780797: openssh-server: modifies the user configuration

2015-03-20 Thread Christoph Anton Mitterer
On Sat, 2015-03-21 at 00:51 -0400, Chris Knadle wrote: > § 10.7.3 Behavior > Configuration file handling must conform to the following behavior: > • local changes must be preserved during a package upgrade Well, strictly speaking, if the user had let that option at its Debian default

Bug#780797: openssh-server: modifies the user configuration

2015-03-20 Thread Chris Knadle
The issue here is that the openssh-server package modifies two config files in /etc without any warning to the user, and that's a clear Policy violation IMHO: § 10.7.3 Behavior Configuration file handling must conform to the following behavior: • local changes must be preserved during

Bug#780797: openssh-server: modifies the user configuration

2015-03-20 Thread Adam D. Barratt
On 2015-03-20 10:03, Vincent Lefevre wrote: On 2015-03-20 05:54:03 +0100, Christoph Anton Mitterer wrote: On Fri, 2015-03-20 at 03:06 +0100, Vincent Lefevre wrote: [...] > In such a case, with such defaults, you won't be able to ssh into > the machine, so that the AcceptEnv value doesn't matte

Bug#780797: openssh-server: modifies the user configuration

2015-03-20 Thread Vincent Lefevre
On 2015-03-20 05:54:03 +0100, Christoph Anton Mitterer wrote: > On Fri, 2015-03-20 at 03:06 +0100, Vincent Lefevre wrote: > > So, it's even easier: when the admin installs some software using, > > say, LC_ALLOW_ARBITRARY_ACCESS, he can change the sshd config to > > disallow this variable. > Sorry,

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Fri, 2015-03-20 at 03:06 +0100, Vincent Lefevre wrote: > So, it's even easier: when the admin installs some software using, > say, LC_ALLOW_ARBITRARY_ACCESS, he can change the sshd config to > disallow this variable. Sorry, but this is a highly disturbing and simply plain wrong approach to secu

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
On 2015-03-20 01:44:06 +0100, Christoph Anton Mitterer wrote: > On Fri, 2015-03-20 at 00:46 +0100, Vincent Lefevre wrote: > > The fact is that Debian doesn't use non-standard LC_* variables. > People may run *any* software, including their own homebrewed stuff. So, it's even easier: when the admi

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Fri, 2015-03-20 at 00:46 +0100, Vincent Lefevre wrote: > Unfortunately, some admins want to stick with Debian's default config > (even when this config has a well-known security vulnerability[*]). Well to be honest, apart from the fact that many people may not consider AcceptEnv as security cri

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
On 2015-03-20 00:09:48 +0100, Christoph Anton Mitterer wrote: > On Thu, 2015-03-19 at 23:58 +0100, Vincent Lefevre wrote: > > But at least the user could use non-standard (thus unused by the > > system) variables to pass information to the remote side (in my case, > > I used LC_CHARMAP). After thi

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Thu, 2015-03-19 at 23:58 +0100, Vincent Lefevre wrote: > But at least the user could use non-standard (thus unused by the > system) variables to pass information to the remote side (in my case, > I used LC_CHARMAP). After this change only the standard variables can > be passed, but one shouldn'

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
On 2015-03-19 23:44:00 +0100, Christoph Anton Mitterer wrote: > On Thu, 2015-03-19 at 23:37 +0100, Vincent Lefevre wrote: > > BTW, it's also annoying that the user can no longer pass env variables > > (e.g. the charset) to the remote side for machines where the admin > > just uses Debian's default

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Thu, 2015-03-19 at 19:02 +, Colin Watson wrote: > Please read the original report in which Vincent explicitly said that he > had made local changes to that file. Ah, I thought you'd also update modified files. > Absolutely not. This is not a reasonable question to ask most users and > I'

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Thu, 2015-03-19 at 23:37 +0100, Vincent Lefevre wrote: > BTW, it's also annoying that the user can no longer pass env variables > (e.g. the charset) to the remote side for machines where the admin > just uses Debian's default. But that was the case before either, at least except those matching

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
On 2015-03-19 19:02:14 +, Colin Watson wrote: > On Thu, Mar 19, 2015 at 07:18:38PM +0100, Christoph Anton Mitterer wrote: > > and/or > > - the migration been managed via e.g. debconf (and the user been > > interactively asked) > > Absolutely not. This is not a reasonable question to ask most

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
On 2015-03-19 16:31:22 +, Colin Watson wrote: > What did the file look like before this upgrade? I've attached the file with some settings hidden (the AllowUsers line was at least modified, as I just put local users). -- Vincent Lefèvre - Web: 100% accessible valid

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Colin Watson
On Thu, Mar 19, 2015 at 07:18:38PM +0100, Christoph Anton Mitterer wrote: > On Thu, 2015-03-19 at 16:31 +, Colin Watson wrote: > > What did the file look like before this upgrade? > He probably had the Debian default which was then auto-migrated? Please read the original report in which Vince

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Christoph Anton Mitterer
On Thu, 2015-03-19 at 16:31 +, Colin Watson wrote: > What did the file look like before this upgrade? He probably had the Debian default which was then auto-migrated? In general I think that old systems *SHOULD* actually be kept up to date and that it's good to have them migrated. AFAICS, LC_

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Colin Watson
On Thu, Mar 19, 2015 at 05:05:44PM +0100, Vincent Lefevre wrote: > I made local changes to the /etc/ssh/sshd_config file, and the > openssh-server modified this file, breaking my configuration. > > I now have: > > AcceptEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION > LC_MEASUREMENT L

Bug#780797: openssh-server: modifies the user configuration

2015-03-19 Thread Vincent Lefevre
Package: openssh-server Version: 1:6.7p1-4 Severity: serious I made local changes to the /etc/ssh/sshd_config file, and the openssh-server modified this file, breaking my configuration. I now have: AcceptEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES LC_MON
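The whole thread turns on what an `AcceptEnv` line actually lets a client push into the server-side environment: a wildcard entry such as `LC_*` admits any variable with that prefix (including the reporter's non-standard `LC_CHARMAP`), while an explicit list admits only the names spelled out. The following Python script is an added example, not code from the bug thread, from Debian or from OpenSSH. It re-implements the `*`/`?` pattern matching that sshd_config(5) documents for `AcceptEnv` and runs two constructed sample configs through it: a wildcard one in the style of the old Debian default (assumed to be `LANG LC_*`) and an explicit list of the standard locale categories (the bug report's line is truncated on this page, so the full list here is the author's assumption). It only reads the global section and stops at the first `Match` block; handling per-Match `AcceptEnv` overrides is out of scope.

```python
"""Audit which client environment variables an sshd_config AcceptEnv
policy accepts.

Added example for the Debian bug #780797 discussion; not Debian's or
OpenSSH's code.  Implements the sshd_config(5) pattern rules for
AcceptEnv arguments ('*' matches any run of characters, '?' exactly one,
everything else literal) over a whitespace-separated, accumulating list.
Assumption: only the global section matters; lines after a 'Match'
keyword are ignored.
"""
import re

# Constructed sample 1: wildcard accept list (assumed old Debian default).
WILDCARD_CONFIG = """\
# sshd_config fragment (constructed sample)
PermitRootLogin no
AcceptEnv LANG LC_*
"""

# Constructed sample 2: explicit list of the standard locale categories
# (the shape the 1:6.7p1-4 upgrade wrote; the exact list is an assumption).
EXPLICIT_CONFIG = """\
# sshd_config fragment (constructed sample)
AcceptEnv LANG LC_ADDRESS LC_COLLATE LC_CTYPE LC_IDENTIFICATION LC_MEASUREMENT
AcceptEnv LC_MESSAGES LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE LC_TIME
Match User nobody
    AcceptEnv LC_*
"""

# Constructed set of names a client might send with "ssh -o SendEnv=...".
CANDIDATES = ["LANG", "LC_CTYPE", "LC_CHARMAP", "LC_ALL", "LD_PRELOAD"]


def pattern_to_regex(pattern):
    """Translate one AcceptEnv pattern into an anchored regular expression."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def accept_env_patterns(config_text):
    """Collect every AcceptEnv argument from the global section.

    Keywords are case-insensitive and may be followed by whitespace or
    by '=' (sshd_config(5)); several AcceptEnv lines accumulate.
    Parsing stops at the first 'Match' line (assumption, see module doc).
    """
    patterns = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = re.match(r"^([A-Za-z]+)\s*=?\s*(.*)$", line)
        if not m:
            continue
        keyword, args = m.group(1).lower(), m.group(2)
        if keyword == "match":
            break
        if keyword == "acceptenv":
            patterns.extend(args.split())
    return patterns


def accepted(patterns, names):
    """Return the subset of names that at least one pattern admits."""
    regexes = [pattern_to_regex(p) for p in patterns]
    return [n for n in names if any(r.match(n) for r in regexes)]


def wildcard_patterns(patterns):
    """Return the patterns that are not plain literal names."""
    return [p for p in patterns if "*" in p or "?" in p]


if __name__ == "__main__":
    for label, cfg in (("wildcard", WILDCARD_CONFIG), ("explicit", EXPLICIT_CONFIG)):
        pats = accept_env_patterns(cfg)
        print(f"{label}: patterns={pats}")
        print(f"  wildcards : {wildcard_patterns(pats)}")
        print(f"  accepted  : {accepted(pats, CANDIDATES)}")
```

Run it against a real `/etc/ssh/sshd_config` by replacing the constructed samples with the file's contents; a non-empty `wildcard_patterns()` result is the quick check for the situation the thread describes, where the server accepts whatever `LC_`-prefixed name a client chooses to send rather than a fixed set.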