Re: [PATCH] [1/1] Allow underscores in user environment string


 



Hi Dan,


Dan Fuhry:
> I've noticed that OpenSSH 7.7 adds stricter validation of user
> environment strings from authorized_keys files. While strict
> validation is a good thing from a security perspective, this new
> change specifically blocks underscores which are common to include in
> a user environment string. This results in the key being rejected
> outright. Including underscores in a user environment is a relatively
> common use case, for example setting LC_ALL.


Looks like this issue was fixed already:


https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc

    commit 484fc023af92ee30bc99eb9798235a00e8f929cc
    Author: djm@xxxxxxxxxxx <djm@xxxxxxxxxxx>
    Date:   Fri Apr 6 04:15:45 2018 +0000

	upstream: relax checking of authorized_keys environment="..."
	
	options to allow underscores in variable names (regression introduced in
	7.7). bz2851, ok deraadt@
	
	OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c


From what I see, there has been no release after that though. Latest release
is 7.7 and does not have the patch.


Hope this helps,

Flavien.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev@xxxxxxxxxxx
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
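
The key rejection described in the quoted report can be checked for before a server is upgraded. The following is an added example, not part of this thread or of OpenSSH's code: it walks authorized_keys lines and reports, for each environment="NAME=value" option, whether NAME passes a letters-and-digits-only check (assumed here to model 7.7, based on the report) and a check that also allows underscores (the relaxed behaviour in the commit). The function names and sample lines are constructed.

```python
import re

# Assumption, taken from the thread's description: 7.7 accepted only ASCII
# letters and digits in the variable name; the fix additionally allows "_".
STRICT_77 = re.compile(r"[A-Za-z0-9]+\Z")
RELAXED = re.compile(r"[A-Za-z0-9_]+\Z")

SAMPLE = [  # constructed lines; the key material is a placeholder
    'environment="LC_ALL=C" ssh-ed25519 AAAA...placeholder user@host',
    'command="echo a,b",environment="LANG=C" ssh-ed25519 AAAA...placeholder',
    'ssh-ed25519 AAAA...placeholder environment="X_Y=1"',  # comment, not an option
]

def split_options(line):
    # The options field ends at the first space or tab outside double quotes;
    # options are split on commas outside quotes; \" is an escaped quote.
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        ch = line[i]
        if ch == "\\" and quoted and line[i + 1:i + 2] == '"':
            cur += '\\"'
            i += 2
            continue
        if ch == '"':
            quoted = not quoted
        elif not quoted and ch in " \t":
            break
        elif not quoted and ch == ",":
            opts.append(cur)
            cur = ""
            i += 1
            continue
        cur += ch
        i += 1
    return opts + [cur]

def audit(lines):
    """Return (line_no, name, ok_on_7_7, ok_after_fix) per environment option."""
    findings = []
    for no, line in enumerate(lines, 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        for opt in split_options(line):
            m = re.match(r'environment="([^=]*)=', opt, re.IGNORECASE)
            if m:
                name = m.group(1)
                findings.append((no, name, bool(STRICT_77.match(name)),
                                 bool(RELAXED.match(name))))
    return findings
```

Entries whose third field is False and fourth is True are the keys affected by the regression discussed above.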


