[PATCH] [1/1] Allow underscores in user environment string

Hi all,
I've noticed that OpenSSH 7.7 adds stricter validation of user
environment strings from authorized_keys files. While strict
validation is a good thing from a security perspective, this new
change specifically blocks underscores which are common to include in
a user environment string. This results in the key being rejected
outright. Including underscores in a user environment is a relatively
common use case, for example setting LC_ALL.

In our use case, we are using a perl script to fetch public keys from
LDAP and setting an environment variable with the user's LDAP
username, resulting in authorized_keys lines like:

  environment="LDAP_USER=jdoe" ssh-ed25519 ...

This generates a log message like:

  bad key options: invalid environment string

The attached patch is against the released openssh-7.7 nonportable
release, however my testing took place on a portable (Linux) system.
Given the simplicity of the patch I hope that is not an issue.

I am happy to add a test case for this if that would be appropriate.

Cross reference to Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1771011

Regards,
Dan Fuhry

diff -Naur ssh.a/auth-options.c ssh.b/auth-options.c
--- ssh.a/auth-options.c	2018-03-14 01:35:40.000000000 -0400
+++ ssh.b/auth-options.c	2018-06-21 12:03:14.136186424 -0400
@@ -384,14 +384,15 @@
 			}
 			if ((opt = opt_dequote(&opts, &errstr)) == NULL)
 				goto fail;
-			/* env name must be alphanumeric and followed by '=' */
+			/* env name must be alphanumeric + underscores and
+			   followed by '=' */
 			if ((tmp = strchr(opt, '=')) == NULL) {
 				free(opt);
 				errstr = "invalid environment string";
 				goto fail;
 			}
 			for (cp = opt; cp < tmp; cp++) {
-				if (!isalnum((u_char)*cp)) {
+				if (!isalnum((u_char)*cp) && (u_char)*cp != '_') {
 					free(opt);
 					errstr = "invalid environment string";
 					goto fail;
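Review bot: the loosened check in the for loop now also accepts names that consist only of underscores or that begin with a digit (e.g. `_` or `1_FOO`), and the loop still never rejects an empty name, since `opt == tmp` makes the loop body run zero times; if the intent is to match the usual shell variable-name rule, consider an explicit `if (tmp == opt)` rejection before the loop and deciding whether a leading digit should be allowed. The replacement comment at the top of the hunk should also follow the surrounding KNF style for multi-line comments (`/*` on its own line, each continuation line starting with ` * `, closing ` */`) rather than the two-line form used here. The regression test offered in the cover letter would be welcome alongside the change.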
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
