Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

SSH_DISABLE_PASSWORD_AUTH affects LOCALE #130

Open
jp-hoehmann opened this issue Apr 23, 2018 · 3 comments
Open

SSH_DISABLE_PASSWORD_AUTH affects LOCALE #130

jp-hoehmann opened this issue Apr 23, 2018 · 3 comments

Comments

@jp-hoehmann
Copy link

jp-hoehmann commented Apr 23, 2018
edited
Loading

Setting SSH_DISABLE_PASSWORD_AUTH=true will currently set UsePAM to no in /etc/ssh/sshd_config. This has the unfortunate side effect that /etc/default/locale is not used when logging in via ssh (using publickey authentication).

This leads to LOCALE and LC_* keeping the values they had on the system the user is logging in from, which can lead to a broken locale, when logging in from a non-linux machine. Here is an example of an error one might see due to this (LC_CTYPE is UTF-8, which is the default on macOS, but invalid on linux):

user@Box:~$ cat /etc/default/locale
#  File generated by update-locale
LANG=en_DK.UTF-8
LC_CTYPE=en_DK.UTF-8
user@Box:~$ perl -e exit
perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
	LANGUAGE = (unset),
	LC_ALL = (unset),
	LC_CTYPE = "UTF-8",
	LANG = (unset)
    are supported and installed on your system.
perl: warning: Falling back to the standard locale ("C").
@jp-hoehmann
Copy link
Author

Worth mentioning: The relevant PAM configuration file is /etc/pam.d/sshd.

@quozl
Copy link

quozl commented Apr 23, 2018

Raspberry Pi Foundation recommends UsePAM no, in Securing your Raspberry Pi. But they don't say why.

PAM is a complex subsystem, much more than authentication. One of the things PAM does is accept the locale from the client. Details in an answer on serverfault.com SSH locale wrong.

However, this exposes the system to an external source of data which is then trusted as a lookup key.

Arguably, if we're giving an SSH unrestricted command capability, we need not care about also protecting against hostile environment variables on the SSH client system.

I don't know what else misbehaves as a result of enabling UsePAM.

@jp-hoehmann
Copy link
Author

PAM is a complex subsystem, much more than authentication.

Agreed, PAM is a complex beast. Setting UsePAM no per default would definitely be a sensible choice. The current situation (where PAM is used if and only if SSH_DISABLE_PASSWORD_AUTH=false) is however suboptimal, since the user won't expect that option to have an impact on anything besides password authentication.

One of the things PAM does is accept the locale from the client […] this exposes the system to an external source of data which is then trusted as a lookup key.

Just to be sure we are on the same page: This issue is not about getting the locale from the client. The locale from the client is actually still loaded by sshd itself, if PAM is disabled. Sorry if I was unclear about that.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@quozl @jp-hoehmann