case sensitivity, "Match User" and "AllowUsers"

Hu, Eric eric.hu at harman.com
Tue Feb 2 11:52:27 EST 2010


Does that mean "AllowUsers" is going through Windows and "Match User" is going through the OpenSSH machinery (sorry, I've read the docs reasonably well, but haven't looked at the code at all)?

Not being very familiar with the code, it's hard for me to recommend a solution.  Had I not discovered this oddity, I would've guessed the order of events is something like 

1) OpenSSH gets authentication information including user name 
2) OpenSSH checks Allow/Deny directives in sshd_config 
3) If user passes in step 2, send info to Windows 
4) If Windows says authentication passes, OpenSSH runs through Match clauses

Using tolower() at step 4 (i.e., before running Match clauses) would probably work.  Not knowing the broader implications, it makes more sense to me for OpenSSH to report a failure at step 2.

-----Original Message-----
From: Damien Miller [mailto:djm at mindrot.org] 
Sent: Monday, February 01, 2010 4:26 PM
To: Hu, Eric
Cc: openssh-unix-dev at mindrot.org; Corinna Vinschen
Subject: Re: case sensitivity, "Match User" and "AllowUsers"

[+Corinna Vinschen]

It looks like Windows is matching users case-insensitively. OpenSSH
always performs case-sensitive matching (following Unix). If this is
the case, then perhaps we should tolower() all usernames on Windows?

-d

On Mon, 1 Feb 2010, Hu, Eric wrote:

> Hello,
>
> I sent this last week before signing up for the list, but haven't seen
> it in the archives, so I'm guessing it got discarded either as spam
> or HTML (sorry about that). In any case, the following was sent to
> comp.security.ssh early last week and I have gotten no response there.
> Can anyone here shed some light?
> 
> ------------------------------------------
> 
> Hello, 
>
> I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH
> version is 5.1. cygrunsrv version is 1.34. I have the following in my
> sshd_config file.
>
> Match User user 
>     ForceCommand start.sh 
>
> What some users have discovered is that they can log in with
> arbitrarily mixed case user names. For instance, logging in as "usEr"
> is exactly the same as logging in with "USer" as well as the other
> fourteen possible combinations for a four-letter username. Further,
> only the all-lowercase version invokes "start.sh." I thought I might
> be able to solve this with the following.
>
> AllowUsers user
>
> I thought this would force sshd to only let one case combination
> through. However, all case combinations can still log in and
> "start.sh" is not getting executed. In other words, there is a
> discrepancy between "Match User" and "AllowUsers" in this regard.
> Does anyone have any idea how to get around this? I don't want to add
> 2^(length of user name) "Match User" entries to the sshd_config file
> for every user, which is the only remedy at the moment.

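As an added example, not part of the thread and not OpenSSH's own code: a small Python model of how a login name flows through AllowUsers, the account lookup and "Match User", following the order of events Eric guesses in his reply. It reproduces the reported behaviour (mixed-case names log in but only the all-lowercase one triggers ForceCommand) and shows what Damien's tolower() step changes. The sshd_config fragment and account list are constructed; the assumption that AllowUsers is compared against the canonical name returned by the case-insensitive Windows lookup while "Match User" is compared against the name the client sent is mine and is not confirmed by the thread, and `fnmatch` stands in for sshd's own `*`/`?` pattern matching.

```python
"""Model (not OpenSSH code) of AllowUsers / account lookup / Match User
evaluation, to show the case-sensitivity discrepancy discussed above.

Assumption, not confirmed by the thread: AllowUsers is checked against the
canonical account name from the (case-insensitive) Windows lookup, while
"Match User" is checked against the name exactly as the client sent it.
"""
import fnmatch

# Constructed sshd_config fragment, modelled on the one in the thread.
SSHD_CONFIG = """\
AllowUsers user
Match User user
    ForceCommand start.sh
"""

# Constructed account database; the lookup below ignores case, as Windows does.
ACCOUNTS = ["user", "admin"]


def parse_config(text):
    """Return (allowusers_patterns, match_blocks); each block is
    (user_patterns, {directive_lowercased: value})."""
    allow, blocks, current = [], [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.lower(), value.strip()
        if key == "match":
            crit, _, pats = value.partition(" ")
            if crit.lower() != "user":
                raise ValueError("only 'Match User' is modelled: " + line)
            current = (pats.strip().split(","), {})
            blocks.append(current)
        elif current is not None:   # lines after a Match belong to that block
            current[1][key] = value
        elif key == "allowusers":
            allow.extend(value.split())
    return allow, blocks


def account_lookup(login):
    """Case-insensitive lookup; returns the canonical account name or None."""
    for name in ACCOUNTS:
        if name.lower() == login.lower():
            return name
    return None


def login_outcome(login, fold_case=False):
    """Return (accepted, forced_command) for one login name.

    fold_case=True applies the tolower() step Damien suggested before any
    matching, so AllowUsers and Match User see the same string."""
    allow, blocks = parse_config(SSHD_CONFIG)
    name = login.lower() if fold_case else login
    canonical = account_lookup(name)
    if canonical is None:
        return (False, None)
    # AllowUsers compared against the canonical name (assumption, see above).
    if allow and not any(fnmatch.fnmatchcase(canonical, p) for p in allow):
        return (False, None)
    # Match User compared against the name as sent by the client.
    forced = None
    for patterns, directives in blocks:
        if any(fnmatch.fnmatchcase(name, p) for p in patterns):
            forced = directives.get("forcecommand", forced)
    return (True, forced)


def audit(logins, fold_case=False):
    """Login names that are accepted without the ForceCommand applying."""
    return [l for l in logins if login_outcome(l, fold_case) == (True, None)]


if __name__ == "__main__":
    for login in ["user", "usEr", "USer", "nobody"]:
        print(login, login_outcome(login), login_outcome(login, fold_case=True))
    print("accepted without start.sh:", audit(["user", "usEr", "USer"]))
```

Without folding, `usEr` and `USer` are accepted but never hit the Match block; with folding, every case variant of `user` is accepted and gets `start.sh`, which is the consistent behaviour the thread is after. Whether folding should happen before the AllowUsers check (so a mismatch is rejected there, as Eric prefers) or only before Match is the open question of the thread; the model folds before both.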