case sensitivity, "Match User" and "AllowUsers"

Hu, Eric eric.hu at harman.com
Fri Feb 19 04:36:49 EST 2010


Based on what I've seen, this is an OpenSSH issue.  My original post explains why.  If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?"  The user name used for one is not being used for the other.

Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue.  If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem.  If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue.  Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.
 
-----Original Message-----
From: openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org [mailto:openssh-unix-dev-bounces+eric.hu=harman.com at mindrot.org] On Behalf Of Ben Lindstrom
Sent: Thursday, February 18, 2010 9:02 AM
To: openssh openssh
Subject: Re: case sensitivity, "Match User" and "AllowUsers"


On Feb 18, 2010, at 9:59 AM, Corinna Vinschen wrote:
> [..]
> This sounds like a good idea.  Alternatively:
> 
> Index: auth2.c
> ===================================================================
> RCS file: /cvs/openssh/auth2.c,v
> retrieving revision 1.151
> diff -u -p -r1.151 auth2.c
> --- auth2.c	22 Jun 2009 06:11:07 -0000	1.151
> +++ auth2.c	18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
> 		/* setup auth context */
> 		authctxt->pw = PRIVSEP(getpwnamallow(user));
> 		authctxt->user = xstrdup(user);
> -		if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
> +		if (authctxt->pw && strcmp(service, "ssh-connection")==0
> +		    && !strcmp (user, authctxt->pw->pw_name)) {
> 			authctxt->valid = 1;
> 			debug2("input_userauth_request: setting up authctxt for %s", user);
> 		} else {
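Review bot: the added `!strcmp (user, authctxt->pw->pw_name)` condition needs a comment explaining why a name that getpwnamallow(user) has just resolved can still differ from pw_name, because without that context the test reads as redundant. A name that fails only this comparison also falls into the same else branch as a user with no passwd entry, so a distinct log message for the case mismatch would help an administrator tell the two apart. For style, write it as `strcmp(user, authctxt->pw->pw_name) == 0`, with no space before the parenthesis, to match the `strcmp(service, "ssh-connection")==0` test on the line above.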
> 
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd.  And it wouldn't hurt
> any case-sensitive system either.
> 
> Damien, would that be ok?

I'm sorry, but this feels like a bad idea.  Why are we not fixing it in Cygwin?  This seems like it would be an issue for any application that cares about comparing the username against the password entry.

- Ben
_______________________________________________
openssh-unix-dev mailing list
openssh-unix-dev at mindrot.org
https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev
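
The mismatch discussed in this thread, modelled as an added example (not OpenSSH code and not written by anyone in the thread). The account table, `lookup_ci` and `evaluate` are constructed for illustration. It assumes AllowUsers is compared against `pw_name` from the looked-up entry and Match User against the name the client sent.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed account table standing in for /etc/passwd. */
struct entry { const char *pw_name; };
static const struct entry table[] = { { "user" }, { "admin" } };

/* Hypothetical model of a case-insensitive getpwnam(), as the thread
 * reports for Cygwin: "USER" resolves to the entry named "user". */
static const struct entry *lookup_ci(const char *name)
{
    for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++)
        if (strcasecmp(name, table[i].pw_name) == 0)
            return &table[i];
    return NULL;
}

struct decision { int allowed; int match_applied; int valid; };

/* Assumption: AllowUsers sees pw_name, Match User sees the requested name. */
static struct decision evaluate(const char *requested, const char *policy_user,
                                int require_exact)
{
    struct decision d = { 0, 0, 0 };
    const struct entry *pw = lookup_ci(requested);
    if (pw == NULL)
        return d;                       /* unknown user: nothing applies */
    d.allowed = strcmp(pw->pw_name, policy_user) == 0;
    d.match_applied = strcmp(requested, policy_user) == 0;
    /* Extra test from the quoted patch: the requested name must be
     * byte-identical to pw_name before the context is marked valid. */
    d.valid = d.allowed &&
        (!require_exact || strcmp(requested, pw->pw_name) == 0);
    return d;
}

int main(void)
{
    const char *names[] = { "user", "USER", "nobody" };
    for (size_t i = 0; i < 3; i++) {
        struct decision a = evaluate(names[i], "user", 0);
        struct decision b = evaluate(names[i], "user", 1);
        printf("%-6s allowed=%d match=%d valid=%d valid_with_check=%d\n",
            names[i], a.allowed, a.match_applied, a.valid, b.valid);
    }
    return 0;
}
```

The row to look at is `USER`: it is allowed while the Match block is not applied, and it is the only row whose validity changes when the exact-name comparison is enabled.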