case sensitivity, "Match User" and "AllowUsers"

Ben Lindstrom mouring at eviladmin.org
Fri Feb 19 04:02:03 EST 2010


On Feb 18, 2010, at 9:59 AM, Corinna Vinschen wrote:
> [..]
> This sounds like a good idea.  Alternatively:
> 
> Index: auth2.c
> ===================================================================
> RCS file: /cvs/openssh/auth2.c,v
> retrieving revision 1.151
> diff -u -p -r1.151 auth2.c
> --- auth2.c	22 Jun 2009 06:11:07 -0000	1.151
> +++ auth2.c	18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
> 		/* setup auth context */
> 		authctxt->pw = PRIVSEP(getpwnamallow(user));
> 		authctxt->user = xstrdup(user);
> -		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
> +		if (authctxt->pw && strcmp(service, "ssh-connection")==0
> +		    && !strcmp (user, authctxt->pw->pw_name)) {
> 			authctxt->valid = 1;
> 			debug2("input_userauth_request: setting up authctxt for %s", user);
> 		} else {
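Review bot: the added `!strcmp (user, authctxt->pw->pw_name)` term sends a case-mismatched name into the same `else` branch as an unknown user or a wrong service, so nothing tells the admin that a passwd entry was found but the spelling differed; since `authctxt->user` has already been set to the client-supplied spelling, a `debug2()` in the `else` path that names both `user` and `authctxt->pw->pw_name` when `authctxt->pw` is non-NULL would make the rejection diagnosable. Minor style point on the same line: `strcmp (user, ...)` has a space before the parenthesis and uses `!strcmp` where the neighbouring term uses `strcmp(service, "ssh-connection")==0`; writing it as `strcmp(user, authctxt->pw->pw_name) == 0` keeps the condition uniform.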
> 
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd.  And it wouldn't hurt
> any case-sensitive system either.
> 
> Damien, would that be ok?

I'm sorry, but this feels like a bad idea.  Why are we not fixing it in cygwin?  This seems like it would be an issue for any application that cares about comparing the username against the password entry.

- Ben
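The behaviour the thread is arguing about, as an added illustration that is not code from OpenSSH or from either poster: a constructed passwd table, a lookup that matches names case-insensitively (standing in for the Cygwin `getpwnam()` behaviour described above), and a validity check shaped like the patched condition in `input_userauth_request()`. The table contents, the `getpwnam_ci()` helper and the `authctxt_is_valid()` function are all assumptions made for this example; the point it shows is that the extra `strcmp()` against `pw_name` is what turns a successful case-folded lookup into a rejected login.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp() */

/* Constructed stand-in for /etc/passwd with only the fields this check uses. */
struct pw_entry {
    const char *pw_name;
    unsigned int pw_uid;
};

static const struct pw_entry passwd_table[] = {
    { "root",  0 },
    { "alice", 1000 },
};

/* Hypothetical getpwnam() for a platform that matches names without regard
 * to case, as the thread says Cygwin does. A case-sensitive system would use
 * strcmp() here, and the extra check in authctxt_is_valid() would then be
 * redundant, which is why the patch does not hurt such systems. */
static const struct pw_entry *getpwnam_ci(const char *name)
{
    size_t i;
    for (i = 0; i < sizeof passwd_table / sizeof passwd_table[0]; i++)
        if (strcasecmp(name, passwd_table[i].pw_name) == 0)
            return &passwd_table[i];
    return NULL;
}

/* Shaped like the patched condition: the context is valid only if the lookup
 * succeeded, the service is "ssh-connection", and the name the client sent is
 * byte-for-byte the name stored in the passwd entry. Returns 1 or 0. */
int authctxt_is_valid(const char *user, const char *service)
{
    const struct pw_entry *pw = getpwnam_ci(user);
    return pw != NULL
        && strcmp(service, "ssh-connection") == 0
        && strcmp(user, pw->pw_name) == 0;
}

int main(void)
{
    /* Constructed sample of names a client might present. */
    const char *names[] = { "root", "Root", "ROOT", "alice", "bob" };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const struct pw_entry *pw = getpwnam_ci(names[i]);
        printf("%-6s lookup=%-5s valid=%d\n", names[i],
               pw ? pw->pw_name : "none",
               authctxt_is_valid(names[i], "ssh-connection"));
    }
    return 0;
}
```

Running it shows "Root" and "ROOT" resolving to the "root" entry on the case-folding lookup but failing the validity check, while "root" and "alice" pass and "bob" fails at the lookup itself.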


More information about the openssh-unix-dev mailing list