case sensitivity, "Match User" and "AllowUsers"

Damien Miller djm at mindrot.org
Tue Feb 2 11:25:44 EST 2010


[+Corinna Vinschen]

It looks like Windows is matching users case-insensitively. OpenSSH
always performs case-sensitive matching (following Unix). If this is
the case, then perhaps we should tolower() all usernames on Windows?

-d

On Mon, 1 Feb 2010, Hu, Eric wrote:

> Hello,
>
> I sent this last week before signing up for the list, but haven't seen
> it in the archives, so I'm guessing it got discarded either as spam
> or HTML (sorry about that). In any case, the following was sent to
> comp.security.ssh early last week and I have gotten no response there.
> Can anyone here shed some light?
> 
> ------------------------------------------
> 
> Hello, 
>
> I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH
> version is 5.1. cygrunsrv version is 1.34. I have the following in my
> sshd_config file.
>
> Match User user 
>     ForceCommand start.sh 
>
> What some users have discovered is that they can log in with
> arbitrarily mixed case user names. For instance, logging in as "usEr"
> is exactly the same as logging in with "USer" as well as the other
> fourteen possible combinations for a four-letter username. Further,
> only the all-lowercase version invokes "start.sh." I thought I might
> be able to solve this with the following.
>
> AllowUsers user
>
> I thought this would force sshd to only let one case combination
> through. However, all case combinations can still log in and
> "start.sh" is not getting executed. In other words, there is a
> discrepancy between "Match User" and "AllowUsers" in this regard.
> Does anyone have any idea how to get around this? I don't want to add
> 2^(length of user name) "Match User" entries to the sshd_config file
> for every user, which is the only remedy at the moment.

