[PATCH] [1/1] Allow underscores in user environment string
Flavien
flavien-ssh at lebarbe.net
Fri Jun 22 06:45:50 AEST 2018
Hi Dan,
Dan Fuhry :
> I've noticed that OpenSSH 7.7 adds stricter validation of user
> environment strings from authorized_keys files. While strict
> validation is a good thing from a security perspective, this new
> change specifically blocks underscores which are common to include in
> a user environment string. This results in the key being rejected
> outright. Including underscores in a user environment is a relatively
> common use case, for example setting LC_ALL.
Looks like this issue was fixed already :
https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc
commit 484fc023af92ee30bc99eb9798235a00e8f929cc
Author: djm at openbsd.org <djm at openbsd.org>
Date: Fri Apr 6 04:15:45 2018 +0000
upstream: relax checking of authorized_keys environment="..."
options to allow underscores in variable names (regression introduced in
7.7). bz2851, ok deraadt@
OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
>From what I see, there has been no release after that though. Latest release
is 7.7 and does not have the patch.
Hope this helps,
Flavien.
More information about the openssh-unix-dev
mailing list