Login | Register For Free | Help
Search for: (Advanced)

Mailing List Archive: OpenSSH: Dev

Invalid user name: function okname() in scp.c

 

 

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded


reza.hedayat at adnovum

Mar 6, 2012, 9:57 AM

Post #1 of 7 (928 views)
Permalink
Invalid user name: function okname() in scp.c

Hi OpenSSH developers

In the source file *scp.c* there is a function called *okname(char
*cp0)* that validates the entered username by using the scp command as
follows:
*
*[ Fragment scp.c start ]
...

int okname(char *cp0)
{
int c;
char *cp;

cp = cp0;
do {
c = (int)*cp;
if (c & 0200)
goto bad;
if (!isalpha(c) && !isdigit(c)) {
switch (c) {
case '\'':
case '"':
case '`':
case ' ':
* case '#':*
goto bad;
default:
break;
}
}
} while (*++cp);
return (1);

bad: fprintf(stderr, "%s: invalid user name\n", cp0);
return (0);
}

...
[ Fragment scp.c end ]

Thereby, usernames that contain the hash sign (#) are rejected. Is there
a good reason why this logic was introduced?
If there is no reason, so is it possible to remove the mentioned
case-statement?

I thank you in advance for your help and remain with best wishes
Reza Hedayat

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


keisial at gmail

Mar 6, 2012, 10:40 AM

Post #2 of 7 (885 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

On 06/03/12 18:57, Reza Hedayat wrote:
> Hi OpenSSH developers
>
> In the source file *scp.c* there is a function called *okname(char
> *cp0)* that validates the entered username by using the scp command as
> follows:
>
> ( Fragment scp.c skipped)
>
> Thereby, usernames that contain the hash sign (#) are rejected. Is
> there a good reason why this logic was introduced?
> If there is no reason, so is it possible to remove the mentioned
> case-statement?
>
> I thank you in advance for your help and remain with best wishes
> Reza Hedayat
It's trying to avoiod shell special characters (quotes, backticks,
spaces...). The # introduces a comment in the shell (would need
escaping), so that's surely the reason it's forbidden.
You could replace it if you were sure the username is never used unquoted.
Having a # in the user name is very rare, though.

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


reza.hedayat at adnovum

Mar 7, 2012, 1:34 AM

Post #3 of 7 (908 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

Hi 聲gel

Thanks a lot for your quick answer.
You're right, this use case is very rare, but unfortunately there exist
some cases. :(

Cheers
Reza




On 03/06/12 19:40, 聲gel Gonz嫮ez wrote:
> On 06/03/12 18:57, Reza Hedayat wrote:
>> Hi OpenSSH developers
>>
>> In the source file *scp.c* there is a function called *okname(char
>> *cp0)* that validates the entered username by using the scp command as
>> follows:
>>
>> ( Fragment scp.c skipped)
>>
>> Thereby, usernames that contain the hash sign (#) are rejected. Is
>> there a good reason why this logic was introduced?
>> If there is no reason, so is it possible to remove the mentioned
>> case-statement?
>>
>> I thank you in advance for your help and remain with best wishes
>> Reza Hedayat
> It's trying to avoiod shell special characters (quotes, backticks,
> spaces...). The # introduces a comment in the shell (would need
> escaping), so that's surely the reason it's forbidden.
> You could replace it if you were sure the username is never used unquoted.
> Having a # in the user name is very rare, though.
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


reza.hedayat at adnovum

Mar 14, 2012, 4:07 AM

Post #4 of 7 (884 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

Hi 聲gel

I just wanted to enquire if there is a chance that you will remove the
hash sign (#) validation from the OpenSSH code base.

Even the attempt to escape the # character results in rejection of the
complete command by SCP.
SSH client and SFTP work perfectly with # characters in user names, it
is just SCP that rejects it.
On the server side there are IBM AS/400 systems having usernames
containing # characters, which are completely valid, legal and
commonplace on that platform.

Best wishes
Reza



On 03/07/12 10:34, Reza Hedayat wrote:
> Hi 聲gel
>
> Thanks a lot for your quick answer.
> You're right, this use case is very rare, but unfortunately there
> exist some cases. :(
>
> Cheers
> Reza
>
>
>
>
> On 03/06/12 19:40, 聲gel Gonz嫮ez wrote:
>> On 06/03/12 18:57, Reza Hedayat wrote:
>>> Hi OpenSSH developers
>>>
>>> In the source file *scp.c* there is a function called *okname(char
>>> *cp0)* that validates the entered username by using the scp command as
>>> follows:
>>>
>>> ( Fragment scp.c skipped)
>>>
>>> Thereby, usernames that contain the hash sign (#) are rejected. Is
>>> there a good reason why this logic was introduced?
>>> If there is no reason, so is it possible to remove the mentioned
>>> case-statement?
>>>
>>> I thank you in advance for your help and remain with best wishes
>>> Reza Hedayat
>> It's trying to avoiod shell special characters (quotes, backticks,
>> spaces...). The # introduces a comment in the shell (would need
>> escaping), so that's surely the reason it's forbidden.
>> You could replace it if you were sure the username is never used
>> unquoted.
>> Having a # in the user name is very rare, though.
>

--
AdNovum Informatik AG
Reza Hedayat, Software Engineer
Dipl. Informatik-Ing. FH

Roentgenstrasse 22, CH-8005 Zurich
mailto:reza.hedayat [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, Singapore, Zurich (HQ)
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


keisial at gmail

Mar 16, 2012, 5:21 PM

Post #5 of 7 (876 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

On 14/03/12 12:07, Reza Hedayat wrote:
> Hi 聲gel
>
> I just wanted to enquire if there is a chance that you will remove the
> hash sign (#) validation from the OpenSSH code base.
>
> Even the attempt to escape the # character results in rejection of the
> complete command by SCP.
> SSH client and SFTP work perfectly with # characters in user names, it
> is just SCP that rejects it.
> On the server side there are IBM AS/400 systems having usernames
> containing # characters, which are completely valid, legal and
> commonplace on that platform.
>
> Best wishes
> Reza
Hello Reza,
I gave it a go. See the attached patch.
I just allowed # in the middle of a word, which _should_ be safe to do,
as in it's only special for a shell as the first token character (per
POSIX rules).
It seems to work fine.

Best regards
Attachments: okname-v1.patch (0.33 KB)


reza.hedayat at adnovum

Apr 11, 2012, 1:11 AM

Post #6 of 7 (825 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

Hi 聲gel

Sorry for my late response, but your solution approach was in
clarification.
Unfortunately, all user names on the IBM AS/400 systems of our customer
have a hash sign at the *first position*.
Therefore, your solution will not solve this problem.

As I've written in my last mail, SSH client and SFTP work perfectly with
# characters in user names.
Therefore, SCP should also work identically.
So, why can't we just adapt the logic in SCP and allow # characters like
in SSH and SFTP?

Best wishes
Reza


On 03/17/12 01:21, 聲gel Gonz嫮ez wrote:
> On 14/03/12 12:07, Reza Hedayat wrote:
>> Hi 聲gel
>>
>> I just wanted to enquire if there is a chance that you will remove the
>> hash sign (#) validation from the OpenSSH code base.
>>
>> Even the attempt to escape the # character results in rejection of the
>> complete command by SCP.
>> SSH client and SFTP work perfectly with # characters in user names, it
>> is just SCP that rejects it.
>> On the server side there are IBM AS/400 systems having usernames
>> containing # characters, which are completely valid, legal and
>> commonplace on that platform.
>>
>> Best wishes
>> Reza
> Hello Reza,
> I gave it a go. See the attached patch.
> I just allowed # in the middle of a word, which _should_ be safe to do,
> as in it's only special for a shell as the first token character (per
> POSIX rules).
> It seems to work fine.
>
> Best regards
>
>
>
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev


reza.hedayat at adnovum

May 16, 2012, 8:09 AM

Post #7 of 7 (779 views)
Permalink
Re: Invalid user name: function okname() in scp.c [In reply to]

Hi 聲gel

I've just wanted to enquire about the status of the discussed problem
concerning the prohibition of hash sign characters in usernames by using
scp.
Is there a chance that you will remove the complete constraint from the
function okname()?.

Best wishes
Reza


On 04/11/12 10:11, Reza Hedayat wrote:
> Hi 聲gel
>
> Sorry for my late response, but your solution approach was in
> clarification.
> Unfortunately, all user names on the IBM AS/400 systems of our
> customer have a hash sign at the *first position*.
> Therefore, your solution will not solve this problem.
>
> As I've written in my last mail, SSH client and SFTP work perfectly
> with # characters in user names.
> Therefore, SCP should also work identically.
> So, why can't we just adapt the logic in SCP and allow # characters
> like in SSH and SFTP?
>
> Best wishes
> Reza
>
>
> On 03/17/12 01:21, 聲gel Gonz嫮ez wrote:
>> On 14/03/12 12:07, Reza Hedayat wrote:
>>> Hi 聲gel
>>>
>>> I just wanted to enquire if there is a chance that you will remove the
>>> hash sign (#) validation from the OpenSSH code base.
>>>
>>> Even the attempt to escape the # character results in rejection of the
>>> complete command by SCP.
>>> SSH client and SFTP work perfectly with # characters in user names, it
>>> is just SCP that rejects it.
>>> On the server side there are IBM AS/400 systems having usernames
>>> containing # characters, which are completely valid, legal and
>>> commonplace on that platform.
>>>
>>> Best wishes
>>> Reza
>> Hello Reza,
>> I gave it a go. See the attached patch.
>> I just allowed # in the middle of a word, which _should_ be safe to do,
>> as in it's only special for a shell as the first token character (per
>> POSIX rules).
>> It seems to work fine.
>>
>> Best regards
>>
>>
>>

--
AdNovum Informatik AG
Reza Hedayat, Software Engineer
Dipl. Informatik-Ing. FH

Roentgenstrasse 22, CH-8005 Zurich
mailto:reza.hedayat [at] adnovum
phone: +41 44 272 6111, fax: +41 44 272 6312
http://www.adnovum.ch

AdNovum Locations: Bern, Budapest, Singapore, Zurich (HQ)

_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev [at] mindrot
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev

OpenSSH dev RSS feed   Index | Next | Previous | View Threaded
 
 


Interested in having your list archived? Contact Gossamer Threads
 
  Web Applications & Managed Hosting Powered by Gossamer Threads Inc.