_ACCEPTABLE_USER_RE is overly strict

[welshjf]

By my reading of ssh.py and sshd(8), section "AUTHORIZED_KEYS FILE FORMAT", the risks being blocked by this username validation are:

• Double-quote: would close the command= option
• Backslash and comma: potentially risky because the parsing isn't clearly specified
• Whitespace: would prematurely terminate the username argument to gitosis-serve
• Shell special characters: unspecified whether sshd runs the command through a shell so best to assume it does; also the user is passed to hooks through the GITOSIS_USER environment variable
• Non-printable-ASCII characters: uncertain

The last two suggest that the exact set of safe characters is system- and perhaps even locale-dependent. Nonetheless, we can say for certain that what constitutes a valid username, hostname, or email address on any particular system does not enter into it.

I got bit by this, and I'm not the only one, so might I suggest the more permissive yet still conservative regexp:

^[a-zA-Z0-9@_.-]+$

Incidentally, this is closer to what one might have expected from reading the commit message on cbea1785d068bfb1e402234e08d8d74512a70c5e.

A risk would be if people have built hooks using GITOSIS_USER that rely on the current validation. Given that it's not documented as any sort of stable thing, I would suggest that such users should either be doing their own validation or else looking closely for any changes that might affect their assumptions before upgrading.