case sensitivity, "Match User" and "AllowUsers"

Corinna Vinschen vinschen at
Tue Feb 2 21:53:56 EST 2010

On Feb  2 11:25, Damien Miller wrote:
> [+Corinna Vinschen]

Thanks, but not necessary, I'm subscribed to this list anyway.

> It looks like Windows is matching users case-insensitively. OpenSSH
> always performs case-sensitive matching (following Unix). If this is
> the case, then perhaps we should tolower() all usernames on Windows?

That might be a good idea.  I was surprised to read what Eric wrote, but
it turned out that this is just a result of how getpwnam is implemented
in Cygwin.  Given Windows' underlying case-insensitivity in terms of
user and group names, the getpwnam function checks the user name using
strcasecmp.  The returned struct passwd contains the name in the original
case, though, and that in turn is used in match_user() to check the user

The most simple patch would be

Index: match.c
RCS file: /cvs/openssh/match.c,v
retrieving revision 1.26
diff -u -p -r1.26 match.c
--- match.c	10 Jun 2008 23:34:46 -0000	1.26
+++ match.c	2 Feb 2010 10:40:26 -0000
@@ -98,7 +98,7 @@ match_pattern(const char *s, const char 
 			return 0;
 		/* Check if the next character of the string is acceptable. */
-		if (*pattern != '?' && *pattern != *s)
+		if (*pattern != '?' && tolower (*pattern) != tolower (*s))
 			return 0;
 		/* Move to the next character, both in string and in pattern. */
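Review bot: On the changed comparison, tolower() receives plain char values from *pattern and *s; where char is signed, any byte above 0x7f is negative and the call is undefined, so cast both operands to unsigned char first. The fold is also unconditional, so every caller of match_pattern() becomes case-insensitive on every platform. On Unix, where "Bob" and "bob" can be distinct accounts, an AllowUsers or Match User pattern written for one would then also match the other. Restricting the fold to the platform or call site that needs it would avoid widening existing rules.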

Wouldn't that be acceptable for Unix as well, given that the username is
supposed not to contain capital letters anyway?  This function is also
used to compare hostnames, and hostnames are usually case-insensitive as
well, so this would be the right thing to do to allow arbitrary host
strings.  Is there any advantage to doing the pattern matching case-sensitively?

Alternatively, wouldn't it make sense to add a parameter to
match_pattern and match_pattern_list to control case-sensitivity when
calling these functions?


Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
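
The alternative raised at the end of the message, a case-sensitivity parameter on the matcher, sketched as an added example; it is not OpenSSH's code and not part of the original message. The names `demo_match_pattern`, `ch_eq` and `fold_case` are hypothetical, and the user names are constructed.

```c
#include <ctype.h>
#include <stdio.h>

/* Hypothetical helper: compare two chars, optionally folding ASCII case.
 * The cast to unsigned char keeps tolower() defined for bytes >= 0x80. */
static int
ch_eq(char a, char b, int fold_case)
{
	if (fold_case)
		return tolower((unsigned char)a) == tolower((unsigned char)b);
	return a == b;
}

/* Glob match of s against pattern ('*' and '?' wildcards).
 * Returns 1 on match, 0 otherwise. fold_case is the added parameter. */
int
demo_match_pattern(const char *s, const char *pattern, int fold_case)
{
	for (;;) {
		if (*pattern == '\0')
			return *s == '\0';
		if (*pattern == '*') {
			while (*pattern == '*')	/* collapse runs of '*' */
				pattern++;
			if (*pattern == '\0')
				return 1;	/* trailing '*' matches the rest */
			for (; *s != '\0'; s++)
				if (demo_match_pattern(s, pattern, fold_case))
					return 1;
			return 0;
		}
		if (*s == '\0')
			return 0;
		if (*pattern != '?' && !ch_eq(*pattern, *s, fold_case))
			return 0;
		s++;
		pattern++;
	}
}

int
main(void)
{
	/* Constructed sample: pattern from the config vs. name from struct passwd. */
	printf("sensitive:   %d\n", demo_match_pattern("Bob", "bob", 0));
	printf("insensitive: %d\n", demo_match_pattern("Bob", "bob", 1));
	return 0;
}
```

With a flag like this, a caller comparing user names on a case-insensitive platform can opt in to folding while other callers keep exact matching.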
