Hashes in scp usernames (OpenSSH bug 472)

Christopher Key cjk32 at cam.ac.uk
Sun Nov 9 13:49:38 PST 2008


Hello,

I've come upon OpenSSH bug 472, whereby scp refuses usernames containing 
a '#' character, dieing with 'invalid user name'.  Both rsync and ssh 
accept such usernames, and after looking at 
/usr/src/crypto/openssh/scp.c, it would appear that scp also allows such 
usernames for the source, but not the destination.

I've several questions:

1) Is there any specific reason why scp behaves like this, and 
specifically why does it only attempt to validate the destination user 
name and not the source?

2) Assuming it is safe to drop the username validation, I can quite 
happily modify the code as appropriate.  However, I'm not sure how to 
rebuild and update with minimum fuss.  I really only need to rebuild scp 
and install the new binary, can I do this easily without a full make 
buildworld; make installworld?

3) Assuming that there's no additional reason not to remove the username 
validation, how should I go about submitting a change request to get 
this modification made in CURRENT, and MFCed as appropriate?

Kind Regards,

Chris Key




More information about the freebsd-questions mailing list