Package: libpam-modules
Version: 1.4.0-9+deb11u1
Severity: normal
X-Debbugs-Cc: msl0000023...@gmail.com

Hello.
When using this module with sshd(8) as the default configuration, it prints
MOTD into stdout (file descriptor 1) of the SSH stream. When setting up an
SSH-based service using a delegated login shell or a forced-command key
option, pam_motd.so will prepend the MOTD into the service stream, causing
a protocol error.
For example, using the following key options in '.ssh/authorized_keys' would
create a service that retrieves a screenshot of the specified virtual machine:
        no-agent-forwarding,no-X11-forwarding,no-pty,no-port-forwarding,command="exec VBoxManage controlvm <vm-name> screenshotpng /dev/stdout" <public-key>
The screenshot as a PNG stream can then be retrieved from the client side,
using a command similar to:
        ssh <address> -T [-i <private-key>] < /dev/null > screenshot.png
If pam_motd is enabled for sshd(8) however, it will corrupt the PNG image.
I suggest either printing MOTD to stderr instead, or not printing it at all
when an SSH shell session is requested without a terminal (note the
pseudo-terminal allocation is explicitly disabled via ssh(1) option '-T').


-- System Information:
Debian Release: 11.3
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-8-amd64 (SMP w/6 CPU threads)
Locale: LANG=C.UTF-8, LC_CTYPE=C.UTF-8 (charmap=locale: Cannot set LC_ALL to 
default locale: No such file or directory
UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages libpam-modules depends on:
ii  debconf [debconf-2.0]  1.5.77
ii  libaudit1              1:3.0-2
ii  libc6                  2.31-13+deb11u2
ii  libcrypt1              1:4.4.18-4
ii  libdb5.3               5.3.28+dfsg1-0.8
ii  libnsl2                1.3.0-2
ii  libpam-modules-bin     1.4.0-9+deb11u1
ii  libpam0g               1.4.0-9
ii  libselinux1            3.1-3
ii  libtirpc3              1.3.1-1

libpam-modules recommends no packages.

libpam-modules suggests no packages.

-- debconf-show failed
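
The corruption described in the report can be confirmed on the client side by checking what precedes the PNG signature in the captured stream. The following is an added example, not part of the original report or of any Debian package; the function names, the constructed 1x1 PNG and the constructed MOTD text are assumptions made for illustration.

```python
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
SAMPLE_MOTD = b"Constructed MOTD text for this example.\n"  # constructed sample

def _chunk(ctype, data):
    """Build one PNG chunk: length, type, data, CRC-32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)

def make_sample_png():
    """Constructed 1x1 grayscale PNG standing in for the VM screenshot."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)
    idat = zlib.compress(b"\x00\x00")  # filter byte + one pixel
    return PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", idat) + _chunk(b"IEND", b"")

def inspect_stream(stream):
    """Return (prefix, png, chunk_types) for a captured service stream.

    prefix is every byte that arrived before the PNG signature (for
    example a prepended MOTD); png is the image itself, accepted only
    if each chunk up to IEND has a valid CRC.
    """
    start = stream.find(PNG_SIG)
    if start < 0:
        raise ValueError("no PNG signature in stream")
    pos, types = start + len(PNG_SIG), []
    while True:
        if pos + 8 > len(stream):
            raise ValueError("truncated chunk header")
        length, ctype = struct.unpack(">I4s", stream[pos:pos + 8])
        end = pos + 8 + length + 4
        if end > len(stream):
            raise ValueError("truncated chunk")
        body = stream[pos + 8:end - 4]
        (crc,) = struct.unpack(">I", stream[end - 4:end])
        if zlib.crc32(ctype + body) & 0xFFFFFFFF != crc:
            raise ValueError("bad CRC in chunk %r" % ctype)
        types.append(ctype.decode("latin-1"))
        pos = end
        if ctype == b"IEND":
            return stream[:start], stream[start:pos], types

if __name__ == "__main__":
    prefix, png, types = inspect_stream(SAMPLE_MOTD + make_sample_png())
    print("bytes before PNG signature:", prefix)
    print("chunks:", types)
```

A non-empty prefix on a stream captured with `ssh -T` shows that something on the server wrote to stdout before the forced command ran.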
