IEEE Std 1003.1-2001 and valid characters in usernames

The following information is based on current versions of Unix/Linux operating systems.

adduser and addgroup enforce conformity to IEEE Std 1003.1-2001, which allows only the following characters to appear in group and user names:

letters, digits, underscores, periods, at signs (@), dollar signs ($), and dashes.

The name may not start with a dash.

The "$" sign is allowed at the end of usernames (to conform with Samba).

IEEE Std 1003.1-2001 is one of the POSIX standards. To be portable across systems conforming to IEEE Std 1003.1-2001, the value is composed of characters from the portable filename character set.

POSIX compliance, and compatibility with other *NIX variants, is one reason that adduser limits the characters in usernames.

But the default NAME_REGEX is even more restrictive than the POSIX portable filename character set:

With PAM, it is possible for any system administrator to set up their own rules for usernames, so compliance with IEEE Std 1003.1-2001 is technically not an issue.

However, in most environments, these standards still do apply for a good reason.

A CentOS server was recently found to have a username which contained whitespace. It is almost certain that some direct editing of the password and shadow files was used to create such an entry. The account is perfectly usable for logins:

a  :x:333:333::/tmp:/bin/bash

a  :$6$M2SivZHYmLUpWQf0$/LI4IPf/e.92Z.np1VLcIdCvQ1TmvSosEG8S/JjkypbpI9zXH/

For that reason, a decision was made to add a new test to the Perl Operations Acceptance Testing (OAT) script to catch these unusual settings.

AUDIT-WARN Home directory for "a  " (/tmp) group-writable!

AUDIT-WARN Home directory for "a  " (/tmp) world-writable!

AUDIT-INFO Username "a  ": hashing-algorithm=SHA-512,
salt=M2SivZHYmLUpWQf0, hashed-password-and-salt=/LI4IPf/e.92Z.

AUDIT-PASS Correct length of encrypted password string for user "a  "
(86 for hashing-algorithm=SHA-512)

AUDIT-WARN Username "a  " contains characters non-conforming with
IEEE Std 1003.1-2001

AUDIT-INFO Password expiry status for "a  "
Last password change                                    : Jul 10, 2014
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Note that a standard Unix command would partially detect this problem too:

# pwck
invalid user name 'a  '
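
A check for the character rule described above, run over passwd-format lines, as an added example (not code from the OAT script or from adduser). It reads "$" as permitted only in the final position and "letters" as ASCII letters, both assumptions; the sample lines are constructed, with the second mirroring the entry shown on this page.

```python
import re

# Rule as stated on this page: letters, digits, underscore, period, at sign
# and dash; no leading dash; "$" tolerated only as the final character.
# Assumption: "letters" is read as ASCII letters only.
ALLOWED = re.compile(r"[A-Za-z0-9_.@-]")

def username_problems(name):
    """Return a list of reasons why `name` violates the rule (empty if OK)."""
    if not name:
        return ["empty user name"]
    problems = []
    if name.startswith("-"):
        problems.append("starts with a dash")
    body = name[:-1] if name.endswith("$") else name
    if not body:
        problems.append("consists only of '$'")
    bad = sorted({c for c in body if not ALLOWED.fullmatch(c)})
    if bad:
        problems.append("disallowed characters: " + ", ".join(repr(c) for c in bad))
    return problems

def audit_passwd(text):
    """Check the first field of each passwd(5)-format line; return findings."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        name = line.split(":", 1)[0]  # not stripped: whitespace is the finding
        for problem in username_problems(name):
            findings.append((lineno, name, problem))
    return findings

# Constructed sample in passwd(5) format; line 2 mirrors the entry shown above.
SAMPLE = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "a  :x:333:333::/tmp:/bin/bash\n"
    "-ops:x:1001:1001::/home/ops:/bin/bash\n"
    "ws01$:x:1002:1002::/dev/null:/sbin/nologin\n"
    "pay$roll:x:1003:1003::/home/payroll:/bin/bash\n"
)

if __name__ == "__main__":
    for lineno, name, problem in audit_passwd(SAMPLE):
        # repr-style quoting keeps trailing whitespace visible in the report
        print(f"WARN line {lineno}: username {name!r}: {problem}")
```

Printing the name with quoting that preserves whitespace matters here: a trailing space is invisible in most listings, which is how such an entry goes unnoticed.
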
Linux OAT Script

The latest versions of the Linux Operations Acceptance Testing script are at these two URLs:

Linux OAT script in Perl

GitHub repository