Dan Fuhry
2018-Jun-21 16:17 UTC
[PATCH] [1/1] Allow underscores in user environment string
Hi all,

I've noticed that OpenSSH 7.7 adds stricter validation of user environment
strings from authorized_keys files. While strict validation is a good thing
from a security perspective, this new change specifically blocks underscores,
which are common to include in a user environment string. This results in
the key being rejected outright. Including underscores in a user environment
is a relatively common use case, for example setting LC_ALL.

In our use case, we are using a perl script to fetch public keys from LDAP
and setting an environment variable with the user's LDAP username, resulting
in authorized_keys lines like:

    environment="LDAP_USER=jdoe" ssh-ed25519 ...

This generates a log message like:

    bad key options: invalid environment string

The attached patch is against the released openssh-7.7 nonportable release,
however my testing took place on a portable (Linux) system. Given the
simplicity of the patch I hope that is not an issue. I am happy to add a test
case for this if that would be appropriate.

Cross reference to Ubuntu bug:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/1771011

Regards,
Dan Fuhry

-------------- next part --------------
A non-text attachment was scrubbed...
Name: permit-underscore-in-user-environment.patch
Type: text/x-patch
Size: 745 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20180621/ea7329cf/attachment.bin>
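The failure Dan describes comes from sshd's parser for the environment="..." option on an authorized_keys line: a variable name containing an underscore failed the 7.7 name check, so the whole key was refused with "bad key options". The following script is an added example, not code from the thread or from OpenSSH. It parses authorized_keys lines, pulls out each environment="..." option and checks the NAME=value text against two rules: a "strict" rule that rejects underscores in names (modelling the 7.7 behaviour described above) and a "relaxed" rule that allows them (modelling the fix). Both regular expressions, the key-type prefixes, the control-character check on values and the sample lines are constructed for this example and are not taken from the OpenSSH source. An administrator can run it over a real file to see which lines a strict sshd would refuse before the keys stop working.

```python
import re
from typing import List, Tuple

# Two variable-name rules. Both are assumptions modelled on the behaviour the
# thread describes, not OpenSSH's actual code: STRICT mimics the 7.7 check
# that rejected underscores, RELAXED mimics the fix that allows them.
STRICT_NAME_RE = re.compile(r"^[A-Za-z][A-Za-z0-9]*$")
RELAXED_NAME_RE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*$")

# Prefixes of key types that may open an authorized_keys line with no options.
KEY_TYPE_PREFIXES = ("ssh-", "ecdsa-", "sk-")


def env_assignment_ok(assignment: str, relaxed: bool = True) -> bool:
    """Validate the NAME=value text inside environment="...".

    The name must satisfy the chosen rule; the value must be printable
    (rejecting control characters is a constructed hardening rule here).
    """
    name, sep, value = assignment.partition("=")
    if not sep or not name:
        return False
    rule = RELAXED_NAME_RE if relaxed else STRICT_NAME_RE
    if not rule.match(name):
        return False
    return all(ch.isprintable() for ch in value)


def split_line(line: str) -> Tuple[str, str]:
    """Split an authorized_keys line into (options, key_and_comment).

    The options field, when present, ends at the first whitespace that is
    not inside a double-quoted option value.
    """
    line = line.strip()
    if not line or line.startswith("#"):
        return "", ""
    if line.startswith(KEY_TYPE_PREFIXES):
        return "", line  # no options on this line
    in_quotes = False
    for i, ch in enumerate(line):
        if ch == '"' and (i == 0 or line[i - 1] != "\\"):
            in_quotes = not in_quotes
        elif ch.isspace() and not in_quotes:
            return line[:i], line[i + 1:].lstrip()
    return line, ""


def split_options(options: str) -> List[str]:
    """Split the comma-separated options field, honouring quoted values."""
    parts, current, in_quotes = [], [], False
    for i, ch in enumerate(options):
        if ch == '"' and (i == 0 or options[i - 1] != "\\"):
            in_quotes = not in_quotes
        if ch == "," and not in_quotes:
            parts.append("".join(current))
            current = []
        else:
            current.append(ch)
    if current:
        parts.append("".join(current))
    return parts


def check_environment_options(line: str, relaxed: bool = True) -> List[str]:
    """Return one message per environment="..." option that the rule rejects.

    An empty list means every environment option on the line passes.
    """
    problems: List[str] = []
    options, _ = split_line(line)
    if not options:
        return problems
    for opt in split_options(options):
        if not opt.startswith("environment="):
            continue
        raw = opt[len("environment="):]
        if len(raw) < 2 or raw[0] != '"' or raw[-1] != '"':
            problems.append(f"{opt}: value must be double-quoted")
            continue
        if not env_assignment_ok(raw[1:-1], relaxed):
            problems.append(f"{opt}: invalid environment string")
    return problems


def audit(lines: List[str], relaxed: bool = True) -> List[Tuple[int, str]]:
    """Check every line of a file; returns (line number, message) pairs."""
    return [(n, p) for n, line in enumerate(lines, start=1)
            for p in check_environment_options(line, relaxed)]


# Constructed sample authorized_keys lines; the key material is a placeholder,
# not a real key. The first line mirrors the LDAP_USER example in the thread.
SAMPLE_LINES = [
    'environment="LDAP_USER=jdoe" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER jdoe@example',
    'environment="LCALL=C",command="/usr/bin/true" ssh-rsa AAAAB3NzaC1yc2EPLACEHOLDER svc@example',
    'environment="1BAD=x" ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER bad@example',
    '# comment line',
    'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5PLACEHOLDER plain@example',
]

if __name__ == "__main__":
    for mode, relaxed in (("7.7-style strict", False), ("relaxed", True)):
        print(f"{mode} rule:")
        for number, problem in audit(SAMPLE_LINES, relaxed):
            print(f"  line {number}: {problem}")
```

Under the strict rule the LDAP_USER line is refused, which is exactly the symptom in the report; under the relaxed rule only the line whose variable name starts with a digit is refused in either mode. Note that sshd only honours environment="..." options at all when PermitUserEnvironment is enabled in sshd_config, so the check above is relevant only on hosts where that option is on.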
Hi Dan,

Dan Fuhry:
> I've noticed that OpenSSH 7.7 adds stricter validation of user
> environment strings from authorized_keys files. While strict
> validation is a good thing from a security perspective, this new
> change specifically blocks underscores which are common to include in
> a user environment string. This results in the key being rejected
> outright. Including underscores in a user environment is a relatively
> common use case, for example setting LC_ALL.

Looks like this issue was fixed already:
https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc

commit 484fc023af92ee30bc99eb9798235a00e8f929cc
Author: djm at openbsd.org <djm at openbsd.org>
Date:   Fri Apr 6 04:15:45 2018 +0000

    upstream: relax checking of authorized_keys environment="..." options
    to allow underscores in variable names (regression introduced in 7.7).
    bz2851, ok deraadt@

    OpenBSD-Commit-ID: 69690ffe0c97ff393f2c76d25b4b3d2ed4e4ac9c

From what I see, there has been no release after that though. Latest release
is 7.7 and does not have the patch.

Hope this helps,
Flavien.
Damien Miller
2018-Jun-22 00:26 UTC
[PATCH] [1/1] Allow underscores in user environment string
On Thu, 21 Jun 2018, Flavien wrote:

> From what I see, there has been no release after that though. Latest release
> is 7.7 and does not have the patch.

It's committed on the V_7_7 stable branch if you want to collect it from
there.

We try (somewhat unsuccessfully) to make releases every three months, and
almost never less frequently than six monthly. So you won't have to wait too
long for the next one anyway.

-d