Bug 2851

Summary: Env name in environment options is restricted to be alphanumeric
Product: Portable OpenSSH Reporter: Sebastian Roland <seroland86>
Component: sshdAssignee: Assigned to nobody <unassigned-bugs>
Status: CLOSED FIXED    
Severity: major CC: djm
Priority: P5    
Version: -current   
Hardware: Other   
OS: Linux   
Bug Depends on:    
Bug Blocks: 2852    

Description Sebastian Roland 2018-04-06 06:16:56 AEST 
The env name in the authorized_keys environment options has been restricted to only contain alphanummeric chars. If someone uses a key where that condition is not fulfilled login will fail. There might be a lot of environment names that contain underscores in the wild that will cause login failures. Either tighten condition or at least document it in the ChangeLog.
Comment 1 Sebastian Roland 2018-04-06 06:18:18 AEST 
s/tighten/loose
Comment 2 Damien Miller 2018-04-06 13:13:20 AEST 
Good point, I'll relax the check
Comment 3 Damien Miller 2018-04-06 14:22:02 AEST 
I've just committed a fix to allow underscores. This will be in OpenSSH 7.8

commit 40f5f03544a07ebd2003b443d42e85cb51d94d59 (HEAD -> master, origin/master, origin/HEAD)
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 6 04:15:45 2018 +0000

    upstream: relax checking of authorized_keys environment="..."
    
    options to allow underscores in variable names (regression introduced in
    7.7). bz2851, ok deraadt@
    
    OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
Comment 4 Damien Miller 2018-10-19 17:17:20 AEDT 
Close RESOLVED bugs with the release of openssh-8.0