username check in scp

Christian Kurz shorty at getuid.de
Fri Feb 9 07:24:00 EST 2001


Hi

a fellow debian developer pointed it out to me, that ssh itself does not
check the username that is provided for login into a remote host, but
that scp checks it. I could verify that the current openssh code from
cvs still has a check for the username in scp.c but not in ssh.c. So I
created the attached small patch to remove the username check from scp.
I hope ít's correct and that you apply it to the source. If it's wrong,
please point me to my mistake, so that I can learn from it. If you don't
want to apply it, then please tell me why. Thank you.

Ciao
     Christian
-- 
When it is incorrect, it is, at least *authoritatively* incorrect.
-- Hitchiker's Guide To The Galaxy
-------------- next part --------------
--- scp.c.orig	Thu Feb  8 21:20:50 2001
+++ scp.c	Thu Feb  8 21:21:21 2001
@@ -207,7 +207,6 @@
 char *colon(char *);
 void lostconn(int);
 void nospace(void);
-int okname(char *);
 void run_err(const char *,...);
 void verifydir(char *);
 
@@ -371,8 +370,6 @@
 		tuser = argv[argc - 1];
 		if (*tuser == '\0')
 			tuser = NULL;
-		else if (!okname(tuser))
-			exit(1);
 	} else {
 		thost = argv[argc - 1];
 		tuser = NULL;
@@ -395,8 +392,6 @@
 				suser = argv[i];
 				if (*suser == '\0')
 					suser = pwd->pw_name;
-				else if (!okname(suser))
-					continue;
 				sprintf(bp,
 				    "%s%s -x -o'FallBackToRsh no' -n -l %s %s %s %s '%s%s%s:%s'",
 				    ssh_program, verbose_mode ? " -v" : "",
@@ -468,8 +463,6 @@
 			suser = argv[i];
 			if (*suser == '\0')
 				suser = pwd->pw_name;
-			else if (!okname(suser))
-				continue;
 		}
 		host = cleanhostname(host);
 		len = strlen(src) + CMDNEEDS + 20;
@@ -1017,28 +1010,6 @@
 	}
 	run_err("%s: %s", cp, strerror(errno));
 	exit(1);
-}
-
-int
-okname(cp0)
-	char *cp0;
-{
-	int c;
-	char *cp;
-
-	cp = cp0;
-	do {
-		c = *cp;
-		if (c & 0200)
-			goto bad;
-		if (!isalpha(c) && !isdigit(c) &&
-		    c != '_' && c != '-' && c != '.' && c != '+')
-			goto bad;
-	} while (*++cp);
-	return (1);
-
-bad:	fprintf(stderr, "%s: invalid user name\n", cp0);
-	return (0);
 }
 
 BUF *
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 241 bytes
Desc: not available
Url : http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20010208/c4f07a36/attachment.bin 


More information about the openssh-unix-dev mailing list