Hi all,

I've noticed that OpenSSH 7.7 adds stricter validation of user environment strings from authorized_keys files. While strict validation is a good thing from a security perspective, this new change specifically blocks underscores, which are common to include in a user environment string. This results in the key being rejected outright. Including underscores in a user environment is a relatively common use case, for example setting LC_ALL.

In our use case, we are using a perl script to fetch public keys from LDAP and setting an environment variable with the user's LDAP username, resulting in authorized_keys lines like:

environment="LDAP_USER=jdoe" ssh-ed25519 ...

This generates a log message like:

bad key options: invalid environment string

The attached patch is against the released openssh-7.7 nonportable release, however my testing took place on a portable (Linux) system. Given the simplicity of the patch I hope that is not an issue. I am happy to add a test case for this if that would be appropriate.

Cross reference to Ubuntu bug: https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1771011

Regards,
Dan Fuhry
diff -Naur ssh.a/auth-options.c ssh.b/auth-options.c --- ssh.a/auth-options.c 2018-03-14 01:35:40.000000000 -0400 +++ ssh.b/auth-options.c 2018-06-21 12:03:14.136186424 -0400 @@ -384,14 +384,15 @@ } if ((opt = opt_dequote(&opts, &errstr)) == NULL) goto fail; - /* env name must be alphanumeric and followed by '=' */ + /* env name must be alphanumeric + underscores and + followed by '=' */ if ((tmp = strchr(opt, '=')) == NULL) { free(opt); errstr = "invalid environment string"; goto fail; } for (cp = opt; cp < tmp; cp++) { - if (!isalnum((u_char)*cp)) { + if (!isalnum((u_char)*cp) && (u_char)*cp != '_') { free(opt); errstr = "invalid environment string"; goto fail;
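Review bot: the second added comment line, `+ followed by '=' */`, carries no comment continuation marker and reads as a stray line; keep the comment on a single line or prefix the continuation with ` * `. On the logic, `(u_char)*cp != '_'` admits an underscore in any position, including a name made only of underscores, and the loop body is still skipped when `tmp == opt`, so an empty name before `=` passes exactly as it did before the patch; if the intent is POSIX-style names, test the first character separately (letter or underscore) and keep the alphanumeric-or-underscore test for the remainder. The test case offered in the message would be worth including with the patch so the accepted name set is pinned down.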
_______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
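An added example (not part of the post or of OpenSSH): a Python audit that scans authorized_keys content for environment= options whose variable name the OpenSSH 7.7 check rejects but the patched check would accept, so affected keys can be found before an upgrade. The sample file content, user names and key blobs are constructed placeholders.

```python
import re
import string

# Constructed sample authorized_keys content (not from the post); the key
# blobs are placeholders, not real keys.
SAMPLE_AUTHORIZED_KEYS = """\
environment="LDAP_USER=jdoe" ssh-ed25519 AAAAC3PLACEHOLDER jdoe@ldap
environment="LCALL=C",no-pty ssh-ed25519 AAAAC3PLACEHOLDER asmith@ldap
environment="LC_ALL=C",environment="TZ=UTC" ssh-rsa AAAAB3PLACEHOLDER ops@ldap
environment="X-Y=1" ssh-ed25519 AAAAC3PLACEHOLDER weird@ldap
ssh-ed25519 AAAAC3PLACEHOLDER nooptions@ldap
# comment line
"""

ALNUM = set(string.ascii_letters + string.digits)
ENV_OPT = re.compile(r'environment="((?:[^"\\]|\\.)*)"')

def env_name_ok(name, allow_underscore):
    """Mirror sshd's per-character loop: each char before '=' must be
    alphanumeric, plus '_' once the patch is applied. As in that loop, an
    empty name passes because no character is examined."""
    return all(c in ALNUM or (allow_underscore and c == "_") for c in name)

def env_options(line):
    """Return every environment="NAME=value" option on one authorized_keys
    line. The option field ends at the first unquoted whitespace, so quoted
    values containing spaces stay inside the field."""
    line = line.strip()
    if not line or line.startswith("#"):
        return []
    in_quote, end = False, len(line)
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch.isspace() and not in_quote:
            end = i
            break
    return ENV_OPT.findall(line[:end])

def audit(text):
    """Return (lineno, env_string) for each environment option that the 7.7
    check rejects but the patched (underscore-allowing) check accepts."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for env in env_options(line):
            name, _, _value = env.partition("=")
            if not env_name_ok(name, False) and env_name_ok(name, True):
                findings.append((lineno, env))
    return findings

if __name__ == "__main__":
    for lineno, env in audit(SAMPLE_AUTHORIZED_KEYS):
        print(f"line {lineno}: {env!r} rejected by 7.7 (underscore in name)")
```

Names rejected under both rules (such as `X-Y`) are not reported, since the patch does not change their outcome.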