Doesn't accept environment variable with underscore in its name in AuthorizedKeysFile

Bug #1771011 reported by Peter Poliak
This bug affects 1 person
Affects: portable OpenSSH; Status: Unknown; Importance: Unknown
Affects: openssh (Ubuntu); Status: Fix Released; Importance: High; Assigned to: Unassigned

Bug Description

If an environment variable name defined in AuthorizedKeysFile contains an underscore character (environment="FOO_BAR=1" ...), sshd refuses the connection and throws the following error:
authorized_keys:1: bad key options: invalid environment string

Joshua Powers (powersj) wrote :

Hi, thanks for taking the time to file a bug. Based on that last message from SSH it makes me wonder if the syntax you have is correct.

1) Can you confirm PermitUserEnvironment is set to yes in your sshd_config?

2) Can you provide more details of the line in question in your authorized keys file? For example, if I add:

environment="FOO_BAR=1" ssh-rsa AAAAB

then connect:

root@x:~# env | grep -i foo
FOO_BAR=1

This question may also be better suited for the community forums as it is more of a support issue.

Changed in openssh (Ubuntu):
status: New → Incomplete
importance: Undecided → Low
Joshua Powers (powersj) wrote :

Confirmed this in a Cosmic container this morning. It appears the version in cosmic has an issue with the underscore.

Steps to reproduce:
1. lxc launch ubuntu-daily:c c
2. lxc exec c bash
3. echo "PermitUserEnvironment yes" > /etc/ssh/sshd_config
4. ssh-import-id <your id>
5. add environment="FOO_BAR=1" to start of ssh key line ~/.ssh/authorized_keys
6. attempt to ssh to container and get Permission denied
7. remove the underscore, attempt to ssh again, and ssh will be successful

Changed in openssh (Ubuntu):
status: Incomplete → Confirmed
importance: Low → High
tags: added: cosmic
Joshua Powers (powersj) wrote :

This did not reproduce in xenial or bionic, so that narrows it down to a change between 7.7p1-2 (cosmic) and 7.6p1-4 (bionic)

Changed in openssh (Ubuntu):
status: Confirmed → Triaged
Dan Fuhry (danfuhry) wrote :

Patch submitted upstream:

https://lists.mindrot.org/pipermail/openssh-unix-dev/2018-June/036990.html

The patch in my ML post above applies to the OpenBSD version of OpenSSH. I've attached another version that applies to the portable release 7.7p1 here.

Ubuntu Foundations Team Bug Bot (crichton) wrote :

The attachment "0001-permit-underscore-in-user-environment.patch" seems to be a patch. If it isn't, please remove the "patch" flag from the attachment, remove the "patch" tag, and if you are a member of the ~ubuntu-reviewers, unsubscribe the team.

[This is an automated message performed by a Launchpad user owned by ~brian-murray, for any issues please contact him.]

tags: added: patch
tags: added: server-next
Christian Ehrhardt (paelzer) wrote :

Will be in 7.7p2 per (next stable release)
  https://github.com/openssh/openssh-portable/commit/484fc023af92ee30bc99eb9798235a00e8f929cc

Upstream Bug:
  https://bugzilla.mindrot.org/show_bug.cgi?id=2851

Seems to be broken in 7.7 only so no need to SRU.

Christian Ehrhardt (paelzer) wrote :

Since Cosmic is still open and auto-syncing I prepared that as fix [1] for Debian to sync it in.

[1]: https://salsa.debian.org/ssh-team/openssh/merge_requests/2

Christian Ehrhardt (paelzer) wrote :

This was uploaded to Debian and is in Cosmic-Proposed.
The Changelog will auto-close this once migrated.

Changed in openssh (Ubuntu):
status: Triaged → Fix Committed
Christian Ehrhardt (paelzer) wrote :

Released with 1:7.7p1-3 since a while - hanging in cosmic-proposed.
None of the issues seem related to me, for now I retriggered the tests to run with the new versions and hopefully resolve by itself.

Launchpad Janitor (janitor) wrote :

This bug was fixed in the package openssh - 1:7.7p1-3

---------------
openssh (1:7.7p1-3) unstable; urgency=medium

  [ Colin Watson ]
  * Adjust git-dpm tagging configuration.
  * Remove no-longer-used Lintian overrides from openssh-server and ssh.
  * Add Documentation keys to ssh-agent.service, ssh.service, and
    ssh@.service.

  [ Juri Grabowski ]
  * Add rescue.target with ssh support.

  [ Christian Ehrhardt ]
  * Fix unintentional restriction of authorized keys environment options
    to be alphanumeric (closes: #903474, LP: #1771011).

 -- Colin Watson <email address hidden> Tue, 10 Jul 2018 16:07:16 +0100

Changed in openssh (Ubuntu):
status: Fix Committed → Fix Released
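
An added example, not part of the bug report or of OpenSSH's code: a small audit that lists which authorized_keys lines carry an environment option whose name is not purely alphanumeric, the restriction the changelog entry above describes, so affected keys can be found before users are locked out. The function names and sample lines are constructed for illustration, and the name is assumed to be the text before the first '=' in the option value.

```python
# Per the changelog entry above, the affected 7.7p1 build accepted only
# alphanumeric names (assumption: the name is the text before the first '=').

def split_options(line):
    """Split the leading options field on commas, honouring double quotes."""
    opts, cur, quoted, i = [], [], False, 0
    while i < len(line):
        ch = line[i]
        if quoted and line[i:i + 2] == '\\"':
            cur.append('"')          # backslash-escaped quote inside a value
            i += 1                   # skip the backslash; the quote is skipped below
        elif ch == '"':
            quoted = not quoted      # quotes delimit, they are not kept
        elif ch == "," and not quoted:
            opts.append("".join(cur))
            cur = []
        elif ch in " \t" and not quoted:
            break                    # end of the options field
        else:
            cur.append(ch)
        i += 1
    opts.append("".join(cur))
    return opts

def audit(text):
    """Return (line_number, name) for non-alphanumeric environment names."""
    findings = []
    for number, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        for opt in split_options(raw.strip()):
            key, sep, value = opt.partition("=")
            if sep and key.lower() == "environment":
                name = value.partition("=")[0]
                if not (name.isascii() and name.isalnum()):
                    findings.append((number, name))
    return findings

# Constructed sample contents (keys truncated; not taken from the bug report).
SAMPLE = '''environment="FOO_BAR=1" ssh-rsa AAAAB user@host
environment="FOOBAR=1",no-pty ssh-rsa AAAAB user@host
command="echo \\"a,b\\"",environment="LC_ALL=C" ssh-ed25519 AAAAC backup
ssh-rsa AAAAB plain@host
'''

if __name__ == "__main__":
    print(audit(SAMPLE))  # → [(1, 'FOO_BAR'), (3, 'LC_ALL')]
```
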
Christian Ehrhardt (paelzer) wrote :

one test needed trigger with new openmpi, done now
