case sensitivity, "Match User" and "AllowUsers"

Hu, Eric eric.hu at harman.com
Tue Feb 2 06:18:08 EST 2010


Hello,

I sent this last week before signing up for the list, but haven't seen it in the archives, so I'm guessing it got discarded either as spam or HTML (sorry about that).  In any case, the following was sent to comp.security.ssh early last week and I have gotten no response there.  Can anyone here shed some light?

Thanks,
Eric

------------------------------------------

Hello, 

I'm running an SSH daemon on Cygwin on Windows Server 2003.  SSH version is 5.1.  cygrunsrv version is 1.34. 
I have the following in my sshd_config file. 

Match User user 
    ForceCommand start.sh 

What some users have discovered is that they can log in with arbitrarily mixed case user names.  For instance, logging in as "usEr" is exactly the same as logging in with "USer" as well as the other fourteen possible combinations for a four-letter username.  Further, only the all-lowercase version invokes "start.sh." I thought I might be able to solve this with the following. 

AllowUsers user 

I thought this would force sshd to only let one case combination through.  However, all case combinations can still log in and "start.sh" is not getting executed.  In other words, there is a discrepancy between "Match User" and "AllowUsers" in this regard.  Does anyone have any idea how to get around this?  I don't want to add 2^(length of user name) "Match User" entries to the sshd_config file for every user, which is the only remedy at the moment. 

Thanks 
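
An added example (not part of the original message, and not OpenSSH code): a Python check that collects the literal names from "Match User" blocks carrying ForceCommand and flags accepted logins whose name differs from them only in case, which is the situation the message describes. The config and log lines are constructed samples, and the script assumes sshd's "Accepted <method> for <user> from <address>" log line records the name as the client typed it.

```python
import re

# Constructed sample input (not taken from the original message).
SAMPLE_CONFIG = """\
AllowUsers user
Match User user
    ForceCommand start.sh
"""
SAMPLE_LOG = """\
Feb  2 06:10:01 host sshd[1200]: Accepted password for user from 192.0.2.10 port 50001 ssh2
Feb  2 06:11:42 host sshd[1204]: Accepted password for usEr from 192.0.2.10 port 50002 ssh2
Feb  2 06:12:09 host sshd[1209]: Accepted publickey for other from 192.0.2.11 port 50003 ssh2
"""

# Assumption: the user name is logged exactly as supplied by the client.
ACCEPTED = re.compile(r"Accepted \S+ for (\S+) from (\S+)")

def forced_users(config_text):
    """Literal user names from 'Match User' blocks that set ForceCommand."""
    users, current = set(), []
    for raw in config_text.splitlines():
        words = raw.split()
        if not words or words[0].startswith("#"):
            continue
        key = words[0].lower()          # sshd_config keywords ignore case
        if key == "match":
            # Criteria come as "name value" pairs; keep only plain names from
            # the User list (wildcard and negated patterns are skipped).
            current = [p for k, v in zip(words[1::2], words[2::2])
                       if k.lower() == "user"
                       for p in v.split(",") if not set(p) & set("*?!")]
        elif key == "forcecommand":
            users.update(current)       # no-op outside a Match User block
    return users

def case_variant_logins(config_text, log_text):
    """(name, source) for accepted logins that miss a Match User entry only by case."""
    forced = forced_users(config_text)
    folded = {u.lower() for u in forced}
    hits = []
    for line in log_text.splitlines():
        m = ACCEPTED.search(line)
        if m and m.group(1) not in forced and m.group(1).lower() in folded:
            hits.append(m.groups())
    return hits

if __name__ == "__main__":
    for name, src in case_variant_logins(SAMPLE_CONFIG, SAMPLE_LOG):
        print(f"login as {name!r} from {src} bypassed a ForceCommand match")
```
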


More information about the openssh-unix-dev mailing list