[PATCH] [1/1] Allow underscores in user environment string

Dan Fuhry dan at fuhry.com
Fri Jun 22 02:17:12 AEST 2018

Hi all,
I've noticed that OpenSSH 7.7 adds stricter validation of user
environment strings from authorized_keys files. While strict
validation is a good thing from a security perspective, this new
change specifically blocks underscores which are common to include in
a user environment string. This results in the key being rejected
outright. Including underscores in a user environment is a relatively
common use case, for example setting LC_ALL.

In our use case, we are using a perl script to fetch public keys from
LDAP and setting an environment variable with the user's LDAP
username, resulting in authorized_keys lines like:

  environment="LDAP_USER=jdoe" ssh-ed25519 ...

This generates a log message like:

  bad key options: invalid environment string

The attached patch is against the released openssh-7.7 nonportable
release, however my testing took place on a portable (Linux) system.
Given the simplicity of the patch I hope that is not an issue.

I am happy to add a test case for this if that would be appropriate.

Cross reference to Ubuntu bug:

Dan Fuhry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: permit-underscore-in-user-environment.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180621/ea7329cf/attachment.bin>

More information about the openssh-unix-dev mailing list