Bug 2851 - Env name in environment options is restricted to be alphanumeric
Summary: Env name in environment options is restricted to be alphanumeric
Status: CLOSED FIXED
Alias: None
Product: Portable OpenSSH
Classification: Unclassified
Component: sshd (show other bugs)
Version: -current
Hardware: Other Linux
: P5 major
Assignee: Assigned to nobody
URL:
Keywords:
Depends on:
Blocks: V_7_8
  Show dependency treegraph
 
Reported: 2018-04-06 06:16 AEST by Sebastian Roland
Modified: 2018-10-19 17:17 AEDT (History)
1 user (show)

See Also:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Sebastian Roland 2018-04-06 06:16:56 AEST 
The env name in the authorized_keys environment options has been restricted to only contain alphanummeric chars. If someone uses a key where that condition is not fulfilled login will fail. There might be a lot of environment names that contain underscores in the wild that will cause login failures. Either tighten condition or at least document it in the ChangeLog.
Comment 1 Sebastian Roland 2018-04-06 06:18:18 AEST 
s/tighten/loose
Comment 2 Damien Miller 2018-04-06 13:13:20 AEST 
Good point, I'll relax the check
Comment 3 Damien Miller 2018-04-06 14:22:02 AEST 
I've just committed a fix to allow underscores. This will be in OpenSSH 7.8

commit 40f5f03544a07ebd2003b443d42e85cb51d94d59 (HEAD -> master, origin/master, origin/HEAD)
Author: djm@openbsd.org <djm@openbsd.org>
Date:   Fri Apr 6 04:15:45 2018 +0000

    upstream: relax checking of authorized_keys environment="..."
    
    options to allow underscores in variable names (regression introduced in
    7.7). bz2851, ok deraadt@
    
    OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c
Comment 4 Damien Miller 2018-10-19 17:17:20 AEDT 
Close RESOLVED bugs with the release of openssh-8.0