Bug 5764 - PermitOpen functionality should add quotes around username with whitespace
Status: CLOSED FIXED
Alias: None
Product: ThinLinc
Classification: Unclassified
Component: VSM Agent
Version: trunk
Hardware: PC Unknown
Importance: P2 Normal
Target Milestone: 4.6.0
Assignee: Peter Åstrand
Keywords: derfian_tester, ossman_tester, prosaic
 
Reported: 2016-01-04 08:59 CET by Peter Åstrand
Modified: 2018-09-17 09:25 CEST

Description Peter Åstrand cendio 2016-01-04 08:59:51 CET
(From Issue18342)

If you have a username with whitespace, for example a space, and are using the PermitOpen feature, then sshd_config will look like:

Match User xxx yyy
    PermitOpen 127.0.0.1:something

This is an invalid configuration and after the SIGHUP, the machine will no longer respond to SSH. The username should be quoted like:

Match User "xxx yyy"
    PermitOpen 127.0.0.1:something
Comment 3 Pierre Ossman cendio 2016-01-08 14:38:28 CET
There are more characters that confuse sshd. E.g. the user foo""foo:

> PermitOpen none
> # @thinlinc-begin@
> Match User "foo""foo"
>     PermitOpen 127.0.0.1:5901
> # @thinlinc-end@

Gives:

> Jan 08 14:36:26 dhcp-254-99.lkpg.cendio.se sshd[5947]: Missing Match criteria for foo
> Jan 08 14:36:26 dhcp-254-99.lkpg.cendio.se sshd[5947]: /etc/ssh/sshd_config line 157: Bad Match condition

The parser is unfortunately not very bright, so I think the only safe approach is to avoid all its special characters. Currently that list is " \t\r\n\"=". See strdelim() in misc.c.
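
An added example (not part of this bug thread and not ThinLinc's code) of the guard discussed in the description and comment 3: quote usernames that contain only whitespace, and refuse to write any name containing the other delimiters listed above. The function names are hypothetical, and rejecting the Match pattern characters `*?!,` goes beyond what the thread covers.

```python
"""Added example: guard a username before writing 'Match User' to sshd_config."""

SSHD_DELIMS = set(' \t\r\n"=')   # list quoted in comment 3 (strdelim() in misc.c)
QUOTABLE = set(" \t")            # whitespace, which the description says to quote
PATTERN_CHARS = set("*?!,")      # assumption added here: Match pattern-list syntax

BEGIN, END = "# @thinlinc-begin@", "# @thinlinc-end@"


class UnsafeUsername(ValueError):
    """The username cannot be written into a Match User line safely."""


def match_user_token(username):
    """Return the token to put after 'Match User', or raise UnsafeUsername."""
    if not username:
        raise UnsafeUsername("empty username")
    chars = set(username)
    bad = chars & ((SSHD_DELIMS - QUOTABLE) | PATTERN_CHARS)
    if bad:
        raise UnsafeUsername("refusing %r: contains %s"
                             % (username, sorted(bad)))
    if chars & QUOTABLE:
        return '"%s"' % username      # "xxx yyy" form from the description
    return username


def permitopen_block(username, port):
    """Build the marked block; raises before anything reaches sshd_config."""
    if not 0 < port < 65536:
        raise ValueError("port out of range: %r" % (port,))
    return "\n".join([
        BEGIN,
        "Match User %s" % match_user_token(username),
        "    PermitOpen 127.0.0.1:%d" % port,
        END,
    ]) + "\n"


if __name__ == "__main__":
    # Constructed sample usernames, including the two from this report.
    for name in ["alice", "xxx yyy", 'foo""foo', "a=b", "*"]:
        try:
            print(permitopen_block(name, 5901))
        except UnsafeUsername as exc:
            print("skipped:", exc, "\n")
```

Running `sshd -t -f` against the candidate file before sending SIGHUP catches any parse error that still slips through, so a bad block never takes the daemon down.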
Comment 5 Karl Mikaelsson cendio 2016-01-19 16:56:50 CET
Code looks fine, still works for regular usernames.

Has the new fix been installed on the demo system?
Comment 6 Peter Åstrand cendio 2016-01-20 08:39:15 CET
(In reply to comment #5)
> Code looks fine, still works for regular usernames.
> 
> Has the new fix been installed on the demo system?

Yes, on eudemo. usdemo has also been updated now.
