[Bug 1346] PAM environment takes precedence over SendEnv

bugzilla-daemon at bugzilla.mindrot.org
Fri Dec 12 10:45:20 EST 2008


https://bugzilla.mindrot.org/show_bug.cgi?id=1346





--- Comment #7 from Vincent Lefevre <vincent at vinc17.org>  2008-12-12 10:45:19 ---
(In reply to comment #4)
> To me this is not an OpenSSH bug. The reporters have to resolve the
> vendor issue first, i.e. the pam module or login script, to preserve
> environment variables related to locale settings.

Concerning the pam module under Debian, this can be seen as a
configuration bug, that can easily be fixed (under Debian 4.0, a.k.a.
etch). First, if /etc/environment contains locale-related settings,
they should be moved to /etc/default/locale as documented. Then the
line

auth       required     pam_env.so envfile=/etc/default/locale

should be commented out since locale-related environment variables
should be passed via SendEnv (I don't think that providing defaults
other than POSIX or C is correct anyway, since there's no guarantee
that specific locales will be compatible with the user's settings on
the client side, and bad settings can trash the terminal).

Now, I'm not convinced that this is not *also* an OpenSSH bug. Said
otherwise, what should come first? PAM or SendEnv settings? The current
behavior is that SendEnv settings come first, then PAM can override
these settings (via sshd-specific configuration, e.g. /etc/pam.d/sshd).
If I understand correctly, according to Jean-Christophe Dubacq, PAM
settings should come first (then they can be overridden by SendEnv).
But I don't see any real reason for that, except that the user has more
control with SendEnv, thus these settings should be applied later.
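
The following is an added example, not part of the original comment or of OpenSSH: a small audit that lists which client-sent variables accepted by sshd would be reset by pam_env under the ordering described above. The sample file contents are constructed, and the helper names are hypothetical; it assumes pam_env's default env file is /etc/environment and does not model pam_env.conf.

```python
import fnmatch

# Constructed sample inputs (not taken from a real host).
SSHD_CONFIG = "AcceptEnv LANG LC_*\n"
PAM_SSHD = ("auth       required     pam_env.so # default file: /etc/environment\n"
            "auth       required     pam_env.so envfile=/etc/default/locale\n")
ENVFILES = {"/etc/environment": 'PATH="/usr/bin:/bin"\n',
            "/etc/default/locale": 'LANG="en_US.UTF-8"\nLC_TIME=en_GB.UTF-8\n'}

def accept_patterns(sshd_config):
    """Collect AcceptEnv patterns (the keyword is case-insensitive)."""
    rows = (ln.split("#", 1)[0].split() for ln in sshd_config.splitlines())
    return [p for r in rows if r and r[0].lower() == "acceptenv" for p in r[1:]]

def pam_env_files(pam_conf):
    """Env files read by active (uncommented) pam_env.so lines."""
    files = []
    for line in pam_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if not any(f.endswith("pam_env.so") for f in fields):
            continue
        opts = dict(f.split("=", 1) for f in fields if "=" in f)
        if opts.get("readenv", "1") != "0":  # readenv=0 disables the env file
            files.append(opts.get("envfile", "/etc/environment"))
    return files

def env_names(text):
    """Variable names set by a KEY=VALUE env file ('export ' prefix allowed)."""
    names = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip().removeprefix("export ").lstrip()
        if "=" in line:
            names.append(line.split("=", 1)[0].strip())
    return names

def overridden(sshd_config, pam_conf, envfiles):
    """Map each accepted client variable to the PAM env file that resets it."""
    pats = accept_patterns(sshd_config)
    hits = {}
    for path in pam_env_files(pam_conf):
        for name in env_names(envfiles.get(path, "")):
            # AcceptEnv wildcards are '*' and '?', which fnmatch also handles.
            if any(fnmatch.fnmatchcase(name, p) for p in pats):
                hits[name] = path
    return hits

if __name__ == "__main__":
    print(overridden(SSHD_CONFIG, PAM_SSHD, ENVFILES))
```

An empty result means no accepted SendEnv variable is set again by a pam_env file, which is the state reached after commenting out the `envfile=/etc/default/locale` line.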
