[PATCH] [1/1] Allow underscores in user environment string
Dan Fuhry
dan at fuhry.com
Fri Jun 22 02:17:12 AEST 2018
Hi all,

I've noticed that OpenSSH 7.7 adds stricter validation of user
environment strings from authorized_keys files. While strict
validation is a good thing from a security perspective, this new
change specifically blocks underscores which are common to include in
a user environment string. This results in the key being rejected
outright. Including underscores in a user environment is a relatively
common use case, for example setting LC_ALL.

In our use case, we are using a Perl script to fetch public keys from
LDAP and setting an environment variable with the user's LDAP
username, resulting in authorized_keys lines like:

    environment="LDAP_USER=jdoe" ssh-ed25519 ...

This generates a log message like:

    bad key options: invalid environment string

The attached patch is against the released openssh-7.7 nonportable
release; however, my testing took place on a portable (Linux) system.
Given the simplicity of the patch I hope that is not an issue.

I am happy to add a test case for this if that would be appropriate.

Cross reference to Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1771011

Regards,
Dan Fuhry
-------------- next part --------------
A non-text attachment was scrubbed...
Name: permit-underscore-in-user-environment.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180621/ea7329cf/attachment.bin>
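
Added example (not part of the original message, the attached patch, or OpenSSH itself): a short audit script that lists the authorized_keys lines whose environment= option would be refused in the way the message describes, so affected keys can be found before an upgrade locks users out. It assumes the 7.7 check accepts only ASCII letters and digits in the variable name, as the message implies; the function names and the sample file are constructed.

```python
import re

# environment="NAME=value" inside the options field of an authorized_keys line.
# Option names are matched case-insensitively. Assumption: the value holds no
# escaped quotes, which is enough for an audit pass.
ENV_OPT = re.compile(r'(?:^|,)environment="([^"]*)"', re.IGNORECASE)

# Assumed OpenSSH 7.7 rule (inferred from the message): alphanumerics only.
STRICT_NAME = re.compile(r"[A-Za-z0-9]+")


def env_names(line):
    """Return the variable names set by environment= options on one line."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    return [m.group(1).split("=", 1)[0] for m in ENV_OPT.finditer(line)]


def audit(text):
    """Return (line_number, name) for each name the strict check would refuse."""
    hits = []
    for number, line in enumerate(text.splitlines(), 1):
        for name in env_names(line):
            if not STRICT_NAME.fullmatch(name):
                hits.append((number, name))
    return hits


# Constructed sample file; key material is elided.
SAMPLE = '''\
# constructed sample
environment="LDAP_USER=jdoe" ssh-ed25519 AAAA... jdoe@example
environment="LANG=C",no-pty ssh-ed25519 AAAA... build@example
no-pty,environment="LC_ALL=C" ssh-ed25519 AAAA... ops@example
ssh-ed25519 AAAA... plain@example
'''

if __name__ == "__main__":
    for number, name in audit(SAMPLE):
        print(f"line {number}: environment name {name!r} is not purely alphanumeric")
```

Each reported line corresponds to a key that would be rejected with "bad key options: invalid environment string" under the assumed rule.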