case sensitivity, "Match User" and "AllowUsers"
Damien Miller
djm at mindrot.org
Sun Feb 28 03:39:11 EST 2010
On Thu, 18 Feb 2010, Corinna Vinschen wrote:
> This sounds like a good idea. Alternatively:
>
> Index: auth2.c
> ===================================================================
> RCS file: /cvs/openssh/auth2.c,v
> retrieving revision 1.151
> diff -u -p -r1.151 auth2.c
> --- auth2.c 22 Jun 2009 06:11:07 -0000 1.151
> +++ auth2.c 18 Feb 2010 15:58:02 -0000
> @@ -234,7 +234,8 @@ input_userauth_request(int type, u_int32
> /* setup auth context */
> authctxt->pw = PRIVSEP(getpwnamallow(user));
> authctxt->user = xstrdup(user);
> - if (authctxt->pw && strcmp(service, "ssh-connection")==0) {
> + if (authctxt->pw && strcmp(service, "ssh-connection")==0
> + && !strcmp (user, authctxt->pw->pw_name)) {
> authctxt->valid = 1;
> debug2("input_userauth_request: setting up authctxt for %s", user);
> } else {
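Review bot: the new comparison lives only in auth2.c's input_userauth_request(), so a username that differs in case from the stored one is still accepted wherever authentication does not pass through this function; a check made at the point where the passwd entry is looked up would cover every caller. Two smaller points on the added lines: `&& !strcmp (user, authctxt->pw->pw_name)` mixes the `!strcmp` form with the `strcmp(...)==0` form used on the same condition and has a space before the parenthesis, so write it as `strcmp(user, authctxt->pw->pw_name) == 0`; and because a case mismatch now falls into the generic `} else {` branch, add a debug2()/logit() line naming both the supplied and the stored name so the rejection can be told apart from an unknown user in the logs.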
>
> This would disallow any login using the username in a case which
> differs from the case used in /etc/passwd. And it wouldn't hurt
> any case-sensitive system either.
>
> Damien, would that be ok?
Unfortunately, that patch only deals with SSHv2 connections. How about
this?
Index: auth.c
===================================================================
RCS file: /var/cvs/openssh/auth.c,v
retrieving revision 1.136
diff -u -r1.136 auth.c
--- auth.c 11 Feb 2010 22:25:29 -0000 1.136
+++ auth.c 27 Feb 2010 16:36:25 -0000
@@ -535,6 +535,13 @@
get_canonical_hostname(options.use_dns), get_remote_ipaddr());
pw = getpwnam(user);
+#if HAVE_CYGWIN
+ if (strcmp(user, pw->pw_name) != 0) {
+ logit("Login name %.100s does not match stored username %.100s",
+ user, pw->pw_name);
+ pw = NULL;
+ }
+#endif
if (pw == NULL) {
logit("Invalid user %.100s from %.100s",
user, get_remote_ipaddr());
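Review bot: the Cygwin block dereferences `pw->pw_name` before the `if (pw == NULL)` test that follows it, so an unknown username (getpwnam() returning NULL) crashes sshd with a NULL-pointer dereference instead of being logged as an invalid user; guard the comparison with `if (pw != NULL && strcmp(user, pw->pw_name) != 0)` or move the block below the NULL check (assigning `pw = NULL` there still routes the mismatch into the existing "Invalid user" path, which is what the hunk intends).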
I'm a little worried about enabling this outside of Cygwin, since
I'm not sure whether multiple UID-sharing accounts are guaranteed to
deterministically return the username that was used to look them up.
-d
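The check being discussed, written out as an added example that is not OpenSSH code and not part of either patch: a constructed in-memory account table and a deliberately case-insensitive lookup stand in for a Cygwin-style getpwnam(), and `lookup_user_strict()` (a hypothetical name) accepts a login name only when it is byte-for-byte the stored one, testing for an unknown user before it touches the entry.

```c
/* Added example (not OpenSSH code): exact-name check after a user lookup.
 * FAKE_DB and fake_getpwnam_ci() are constructed stand-ins for a system
 * whose account database ignores case; lookup_user_strict() is hypothetical. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

struct fake_pw {
    const char *pw_name;
    int pw_uid;
};

/* Constructed account database. */
static const struct fake_pw FAKE_DB[] = {
    { "alice", 1000 },
    { "Administrator", 500 },
};

/* Stand-in for a case-insensitive getpwnam(): "ALICE" finds "alice".
 * Returns NULL for names that are not in the table. */
static const struct fake_pw *fake_getpwnam_ci(const char *user)
{
    size_t i;
    for (i = 0; i < sizeof(FAKE_DB) / sizeof(FAKE_DB[0]); i++)
        if (strcasecmp(user, FAKE_DB[i].pw_name) == 0)
            return &FAKE_DB[i];
    return NULL;
}

enum lookup_result {
    LOOKUP_OK = 0,
    LOOKUP_UNKNOWN = 1,
    LOOKUP_CASE_MISMATCH = 2
};

/* Look the user up, then accept the entry only if the name the client sent
 * is exactly the stored pw_name.  The NULL test comes first so an unknown
 * user is logged rather than dereferenced.  On success *out points at the
 * entry; otherwise *out is NULL and the reason is returned. */
enum lookup_result lookup_user_strict(const char *user, const struct fake_pw **out)
{
    const struct fake_pw *pw = fake_getpwnam_ci(user);

    *out = NULL;
    if (pw == NULL) {
        fprintf(stderr, "Invalid user %.100s\n", user);
        return LOOKUP_UNKNOWN;
    }
    if (strcmp(user, pw->pw_name) != 0) {
        fprintf(stderr, "Login name %.100s does not match stored username %.100s\n",
            user, pw->pw_name);
        return LOOKUP_CASE_MISMATCH;
    }
    *out = pw;
    return LOOKUP_OK;
}

int main(void)
{
    const char *names[] = { "alice", "ALICE", "administrator", "mallory" };
    size_t i;

    for (i = 0; i < sizeof(names) / sizeof(names[0]); i++) {
        const struct fake_pw *pw;
        enum lookup_result r = lookup_user_strict(names[i], &pw);
        printf("%-14s -> %d%s\n", names[i], (int)r,
            r == LOOKUP_OK ? " (accepted)" : " (rejected)");
    }
    return 0;
}
```

The ordering of the two tests is the whole point: the mismatch check is only meaningful once a non-NULL entry exists, and logging both names at that point gives an administrator a log line that distinguishes a case-variant login attempt from a plain unknown user.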