[PATCH] [1/1] Allow underscores in user environment string

Flavien flavien-ssh at lebarbe.net
Fri Jun 22 06:45:50 AEST 2018


Hi Dan,


Dan Fuhry :
> I've noticed that OpenSSH 7.7 adds stricter validation of user
> environment strings from authorized_keys files. While strict
> validation is a good thing from a security perspective, this new
> change specifically blocks underscores which are common to include in
> a user environment string. This results in the key being rejected
> outright. Including underscores in a user environment is a relatively
> common use case, for example setting LC_ALL.


Looks like this issue was fixed already:


https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc

    commit 484fc023af92ee30bc99eb9798235a00e8f929cc
    Author: djm at openbsd.org <djm at openbsd.org>
    Date:   Fri Apr 6 04:15:45 2018 +0000

	upstream: relax checking of authorized_keys environment="..."
	
	options to allow underscores in variable names (regression introduced in
	7.7). bz2851, ok deraadt@
	
	OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c


From what I see, there has been no release after that though. Latest release
is 7.7 and does not have the patch.


Hope this helps,

Flavien.
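To find keys affected by the regression discussed in this thread, the following added example (not code from the post or from OpenSSH) audits an authorized_keys file for environment="NAME=value" options. It assumes the 7.7 check accepts only ASCII alphanumerics in NAME and the fixed check additionally accepts underscores, as the thread describes; the function names and the sample file are constructed for illustration.

```python
import string

ALNUM = set(string.ascii_letters + string.digits)
PREFIX = 'environment="'

def split_options(line):
    """Split the leading options field on unquoted commas, stopping at the
    first unquoted whitespace (where the key type would begin)."""
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '\\"'              # escaped quote inside a quoted value
            i += 2
            continue
        if c == '"':
            quoted = not quoted
        elif not quoted and c in " \t":
            break
        elif not quoted and c == ",":
            opts.append(cur)
            cur, i = "", i + 1
            continue
        cur += c
        i += 1
    opts.append(cur)
    return opts

def name_ok(name, allow_underscore):
    # Assumed model of the name check: non-empty, alphanumerics, optional '_'.
    allowed = ALNUM | ({"_"} if allow_underscore else set())
    return bool(name) and set(name) <= allowed

def audit(text):
    """Return (line_no, name, verdict) for every environment= option."""
    findings = []
    for no, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(line):
            if not (opt.lower().startswith(PREFIX) and opt.endswith('"')):
                continue
            name = opt[len(PREFIX):-1].partition("=")[0]
            verdict = ("accepted" if name_ok(name, False) else
                       "rejected-by-7.7" if name_ok(name, True) else "invalid")
            findings.append((no, name, verdict))
    return findings

# Constructed sample authorized_keys content (key material is a placeholder).
SAMPLE = r'''environment="LC_ALL=en_US.UTF-8" ssh-ed25519 AAAAC3EXAMPLE alice@example
environment="EDITOR=vi",no-pty ssh-ed25519 AAAAC3EXAMPLE bob@example
command="echo environment=\"A_B=1\"",environment="MY-VAR=x" ssh-rsa AAAAB3EXAMPLE carol@example
# comment line
ssh-ed25519 AAAAC3EXAMPLE dave@example'''
```

Lines reported as rejected-by-7.7 are the keys that a 7.7 server without the commit above would refuse outright, so they are the ones to review before upgrading.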

