[Bug 3946] New: When establishing an SSH connection, according to the latest rules, is it necessary to perform validity checks on all usernames, regardless of their source?

bugzilla-daemon at mindrot.org
Sat Apr 11 16:26:37 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3946

            Bug ID: 3946
           Summary: When establishing an SSH connection, according to the
                    latest rules, is it necessary to perform validity
                    checks on all usernames, regardless of their source?
           Product: Portable OpenSSH
           Version: 10.3p1
          Hardware: Other
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: ssh
          Assignee: unassigned-bugs at mindrot.org
          Reporter: 1793702515 at qq.com

When establishing an SSH connection, according to a previous commit:
https://github.com/openssh/openssh-portable/commit/35d5917652106aede47621bb3f64044604164043
"usernames supplied via the configuration file as literals (i.e.
include no % expansion characters) are not subject to these
validity checks. This allows usernames that contain arbitrary
characters to be used, but only via configuration files."

But in the latest commit:
https://github.com/openssh/openssh-portable/commit/76685c9b09a66435cd2ad8373246adf1c53976d3
"move username validity check for usernames specified on the commandline
to earlier in main(), specifically before some contexts where a username
with shell characters might be expanded by a %u directive in ssh_config."

Does this mean that the channel where an arbitrary character username
can be configured in the configuration file is no longer valid? Do all
usernames now need to pass a validity check, regardless of the source
of the username?

Looking forward to your reply, I would greatly appreciate it.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
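The following C program is an added illustration of the ordering the two quoted commits talk about; it is not OpenSSH code and does not reproduce OpenSSH's real username rule. It models a username that must be chosen and checked before any %u expansion runs: a command-line username is always validated, while a literal ssh_config username (one with no % characters) bypasses the check, as the first commit describes. The allowed character set in valid_username(), the %u-only expander and the "connect-proxy --user %u" template are assumptions made for this example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/*
 * Added illustration, not OpenSSH code.  The allowed character set below is
 * an assumption chosen for this example; OpenSSH's own rule lives in its
 * source tree and is not reproduced here.
 */
static int valid_username(const char *user)
{
    size_t i, n = strlen(user);

    if (n == 0 || n > 255)
        return 0;
    for (i = 0; i < n; i++) {
        unsigned char c = (unsigned char)user[i];
        if (isalnum(c) || c == '_' || c == '-' || c == '.' || c == '@')
            continue;
        return 0; /* space, quotes, ';', '|', '$', '%', ... are rejected */
    }
    return 1;
}

/* Does the string contain a % expansion character? */
static int has_percent(const char *s)
{
    return strchr(s, '%') != NULL;
}

/*
 * Toy expander: replaces every "%u" in tmpl with user.  Other %-directives
 * are copied through unchanged.  Returns 0 on success, -1 if out is too small.
 */
static int expand_u(const char *tmpl, const char *user, char *out, size_t outlen)
{
    size_t pos = 0;

    for (; *tmpl; tmpl++) {
        if (tmpl[0] == '%' && tmpl[1] == 'u') {
            size_t ulen = strlen(user);
            if (pos + ulen >= outlen)
                return -1;
            memcpy(out + pos, user, ulen);
            pos += ulen;
            tmpl++;                 /* skip the 'u' */
        } else {
            if (pos + 1 >= outlen)
                return -1;
            out[pos++] = *tmpl;
        }
    }
    out[pos] = '\0';
    return 0;
}

/*
 * Pick the username BEFORE any %u expansion happens.
 *  - cmdline_user (-l / user@host) must pass valid_username() first.
 *  - config_user (User in ssh_config) is exempt only when it is a literal,
 *    i.e. contains no % characters; otherwise it is checked like any other.
 * Returns the chosen name, or NULL when the connection must be refused.
 */
static const char *select_username(const char *cmdline_user, const char *config_user)
{
    if (cmdline_user != NULL)
        return valid_username(cmdline_user) ? cmdline_user : NULL;
    if (config_user != NULL) {
        if (!has_percent(config_user))
            return config_user;     /* literal from config: arbitrary chars allowed */
        return valid_username(config_user) ? config_user : NULL;
    }
    return NULL;
}

/* Check first, expand second.  Returns 1 and fills out on success, 0 if refused. */
static int build_proxy_command(const char *cmdline_user, const char *config_user,
                               const char *tmpl, char *out, size_t outlen)
{
    const char *user = select_username(cmdline_user, config_user);

    if (user == NULL)
        return 0;
    return expand_u(tmpl, user, out, outlen) == 0;
}

/* Convenience wrapper using a constructed ProxyCommand-style template. */
static int proxy_command_allowed(const char *cmdline_user, const char *config_user)
{
    char buf[256];

    return build_proxy_command(cmdline_user, config_user,
                               "connect-proxy --user %u", buf, sizeof buf);
}

int main(void)
{
    char buf[256];

    /* Constructed inputs: one accepted command-line name, one rejected one,
     * and one literal config name that is only accepted because it is literal. */
    if (build_proxy_command("alice", NULL, "connect-proxy --user %u", buf, sizeof buf))
        printf("cmdline  alice        -> %s\n", buf);
    printf("cmdline  'bad;user'    -> %s\n",
           proxy_command_allowed("bad;user", NULL) ? "accepted" : "refused");
    printf("config   'literal user' -> %s\n",
           proxy_command_allowed(NULL, "literal user") ? "accepted" : "refused");
    return 0;
}
```

The point the example makes is one of ordering: select_username() runs, and can refuse, before expand_u() ever sees the name, so a rejected command-line username never reaches the template. A literal config username is the only input that reaches expansion unchecked, which is exactly the case the reporter is asking about.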