Doesn't accept environment variable with underscore in its name in AuthorizedKeysFile

Bug #1771011 reported by Peter Poliak on 2018-05-13
Affects: portable OpenSSH | Status: Unknown | Importance: Unknown
Affects: openssh (Ubuntu) | Importance: High | Assigned to: Unassigned

Bug Description

If an environment variable name defined in AuthorizedKeysFile contains an underscore character (environment="FOO_BAR=1" ...), sshd refuses the connection and throws the following error:
authorized_keys:1: bad key options: invalid environment string

Joshua Powers (powersj) wrote :

Hi, thanks for taking the time to file a bug. Based on that last message from SSH it makes me wonder if the syntax you have is correct.

1) Can you confirm PermitUserEnvironment is set to yes in your sshd_config?

2) Can you provide more details of the line in question in your authorized keys file? For example, if I add:

environment="FOO_BAR=1" ssh-rsa AAAAB

then connect:

root@x:~# env | grep -i foo
FOO_BAR=1

This question may also be better suited for the community forums as it is more of a support issue.

Changed in openssh (Ubuntu):
status: New → Incomplete
importance: Undecided → Low
Joshua Powers (powersj) wrote :

Confirmed this in a Cosmic container this morning. It appears the version in cosmic has an issue with the underscore.

Steps to reproduce:
1. lxc launch ubuntu-daily:c c
2. lxc exec c bash
3. echo "PermitUserEnvironment yes" > /etc/ssh/sshd_config
4. ssh-import-id <your id>
5. add environment="FOO_BAR=1" to the start of the ssh key line in ~/.ssh/authorized_keys
6. attempt to ssh to container and get Permission denied
7. remove the underscore, attempt to ssh again, and ssh will be successful

Changed in openssh (Ubuntu):
status: Incomplete → Confirmed
importance: Low → High
tags: added: cosmic
Joshua Powers (powersj) wrote :

This did not reproduce in xenial or bionic, so that narrows it down to a change between 7.7p1-2 (cosmic) and 7.6p1-4 (bionic)

Changed in openssh (Ubuntu):
status: Confirmed → Triaged
Dan Fuhry (danfuhry) wrote :

Patch submitted upstream:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-June/036990.html

The patch in my ML post above applies to the OpenBSD version of OpenSSH. I've attached another version that applies to the portable release 7.7p1 here.

The attachment "0001-permit-underscore-in-user-environment.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: server-next

Will be in 7.7p2 per (next stable release)
  https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc

Upstream Bug:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2851

Seems to be broken in 7.7 only so no need to SRU.

Since Cosmic is still open and auto-syncing I prepared that as fix [1] for Debian to sync it in.

[1]: https://salsa.debian.org/ssh-team/openssh/merge_requests/2

This was uploaded to Debian and is in Cosmic-Proposed.
The Changelog will auto-close this once migrated.

Changed in openssh (Ubuntu):
status: Triaged → Fix Committed

Released with 1:7.7p1-3 since a while - hanging in cosmic-proposed.
None of the issues seem related to me, for now I retriggered the tests to run with the new versions and hopefully resolve by itself.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.7p1-3

---------------
openssh (1:7.7p1-3) unstable; urgency=medium

  [ Colin Watson ]
  * Adjust git-dpm tagging configuration.
  * Remove no-longer-used Lintian overrides from openssh-server and ssh.
  * Add Documentation keys to ssh-agent.service, ssh.service, and
    ssh@.service.

  [ Juri Grabowski ]
  * Add rescue.target with ssh support.

  [ Christian Ehrhardt ]
  * Fix unintentional restriction of authorized keys environment options
    to be alphanumeric (closes: #903474, LP: #1771011).

 -- Colin Watson <email address hidden> Tue, 10 Jul 2018 16:07:16 +0100

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released

one test needed trigger with new openmpi, done now
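
A pre-upgrade audit for the regression confirmed in this thread, as an added example (not code from the bug report or from OpenSSH): it lists environment= options in authorized_keys text whose variable name is not purely alphanumeric, which per the changelog above is what the affected 7.7p1 build refuses. The function names, the key-type heuristic and the sample lines are assumptions constructed for illustration.

```python
import re

KEY_TYPE = re.compile(r"^(ssh-|ecdsa-|sk-)")   # heuristic: line starts with a key type, so it has no options
ALNUM = re.compile(r"[A-Za-z0-9]+")
ALNUM_US = re.compile(r"[A-Za-z0-9_]+")

def split_options(line):
    """Split the leading options field of one authorized_keys line on commas
    outside double quotes. Returns [] for comments and option-less lines."""
    line = line.strip()
    if not line or line.startswith("#") or KEY_TYPE.match(line):
        return []
    opts, cur, quoted, i = [], "", False, 0
    while i < len(line):
        c = line[i]
        if quoted and c == "\\" and line[i + 1:i + 2] == '"':
            cur += '"'                  # \" is an escaped quote inside a value
            i += 2
            continue
        if c == '"':
            quoted = not quoted         # quotes delimit values and are dropped
        elif not quoted and c == ",":
            opts.append(cur)
            cur = ""
        elif not quoted and c.isspace():
            break                       # unquoted whitespace ends the options field
        else:
            cur += c
        i += 1
    opts.append(cur)
    return opts

def audit(text):
    """Return (line number, variable name, underscore_only) for every
    environment= option whose name is not purely alphanumeric.
    underscore_only is True when underscores are the only extra characters."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        for opt in split_options(line):
            key, _, value = opt.partition("=")
            if key.lower() != "environment" or "=" not in value:
                continue                # option keywords are case-insensitive
            name = value.split("=", 1)[0]
            if not ALNUM.fullmatch(name):
                findings.append((lineno, name, bool(ALNUM_US.fullmatch(name))))
    return findings

# Constructed sample; key blobs are truncated placeholders.
SAMPLE = '''\
# constructed sample
environment="FOO_BAR=1" ssh-rsa AAAAB user@a
environment="FOOBAR=1",no-pty ssh-rsa AAAAB user@b
ssh-ed25519 AAAAC environment="IN_COMMENT=1"
command="echo a,b",environment="LC_ALL=C",environment="PATH2=/x" ssh-rsa AAAAB user@c
'''
```

Entries with underscore_only set to True are the ones this bug locks out on the affected build and that the fixed package accepts again.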
