case sensitivity, "Match User" and "AllowUsers"

Corinna Vinschen vinschen at redhat.com
Tue Feb 2 22:39:02 EST 2010


On Feb  2 11:53, Corinna Vinschen wrote:
> On Feb  2 11:25, Damien Miller wrote:
> > [+Corinna Vinschen]
> 
> Thanks, but not necessary, I'm subscribed to this list anyway.
> 
> > It looks like Windows is matching users case-insensitively. OpenSSH
> > always performs case-sensitive matching (following Unix). If this is
> > the case, then perhaps we should tolower() all usernames on Windows?
> 
> That might be a good idea.  I was surprised to read what Eric wrote, but
> it turned out that this is just a result of how getpwnam is implemented
> in Cygwin.  Given Windows' underlying case-insensitivity in terms of
> user and group names, the getpwnam function checks the user name using
> strcasecmp.  The returned struct passwd contains the name in the original
> case, though, and that in turn is used in match_user() to check the user
> name.
> 
> The most simple patch would be
> 
> Index: match.c
> ===================================================================
> RCS file: /cvs/openssh/match.c,v
> retrieving revision 1.26
> diff -u -p -r1.26 match.c
> --- match.c	10 Jun 2008 23:34:46 -0000	1.26
> +++ match.c	2 Feb 2010 10:40:26 -0000
> @@ -98,7 +98,7 @@ match_pattern(const char *s, const char 
>  			return 0;
>  
>  		/* Check if the next character of the string is acceptable. */
> -		if (*pattern != '?' && *pattern != *s)
> +		if (*pattern != '?' && tolower (*pattern) != tolower (*s))
>  			return 0;
>  
>  		/* Move to the next character, both in string and in pattern. */
> 
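
Review bot: In the changed comparison, tolower (*pattern) and tolower (*s) are called on plain char values; where char is signed, any byte above 0x7f is passed as a negative int, which is undefined behaviour, so cast both operands to unsigned char first. The fold is also unconditional inside match_pattern(), so every caller becomes case-insensitive on every platform, not only user-name checks on Cygwin. On a system that distinguishes account names by case, an AllowUsers or Match User pattern would then match more accounts than it was written for. A case-sensitivity argument on match_pattern(), or folding only in the Windows user-name path, would keep the change scoped.
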
> Wouldn't that be acceptable for Unix as well, given that the username is
> supposed not to contain capital letters anyway?  This function is also
> used to compare hostnames, and hostnames are usually case-insensitive as
> well, so this would be the right thing to do to allow arbitrary host
> strings.  Is there any advantage to do the pattern matching case-sensitive?
> 
> Alternatively, wouldn't it make sense to add a parameter to
> match_pattern and match_pattern_list to control case-sensitivity when
> calling these functions?

Of course, using tolower has an obvious disadvantage.  It doesn't work
for multibyte codesets, like UTF-8.  Usernames are stored in UTF-16 in
Windows and consequently they can contain any character from the
entire Unicode range.  So, after all, it might be more feasible to
convert the string and the pattern to wide char, call towlower on the
string, and convert back to multibyte, before calling match_pattern.


Corinna

-- 
Corinna Vinschen
Cygwin Project Co-Leader
Red Hat
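
The wide-character fold described in the last paragraph above, as an added example that is not part of the original message and is not OpenSSH or Cygwin code. The names mb_lowercase and names_equal_nocase are hypothetical, strcmp stands in for match_pattern, and the -1 error return is an addition so that allow-list and deny-list callers can treat an undecodable name differently.

```c
#include <locale.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <wchar.h>
#include <wctype.h>

/* Hypothetical helper (added illustration, not OpenSSH code): return a
 * malloc'd lower-cased copy of the multibyte string s, folded per character
 * in the current LC_CTYPE locale; NULL if s is invalid there or on ENOMEM. */
char *mb_lowercase(const char *s)
{
	size_t i, wlen, blen;
	wchar_t *w;
	char *out = NULL;

	if ((wlen = mbstowcs(NULL, s, 0)) == (size_t)-1)
		return NULL;	/* invalid sequence: refuse rather than guess */
	if ((w = calloc(wlen + 1, sizeof(*w))) == NULL)
		return NULL;
	mbstowcs(w, s, wlen + 1);
	for (i = 0; i < wlen; i++)
		w[i] = (wchar_t)towlower((wint_t)w[i]);
	/* Folding can change the encoded length, so measure it again. */
	if ((blen = wcstombs(NULL, w, 0)) != (size_t)-1 &&
	    (out = malloc(blen + 1)) != NULL)
		wcstombs(out, w, blen + 1);
	free(w);
	return out;
}

/* Hypothetical caller: 1 = equal ignoring case, 0 = different, -1 = a name
 * could not be converted. "No match" denies under an allow list but permits
 * under a deny list, so the error is reported instead of being folded into 0. */
int names_equal_nocase(const char *a, const char *b)
{
	char *la = mb_lowercase(a), *lb = mb_lowercase(b);
	int r = (la == NULL || lb == NULL) ? -1 : strcmp(la, lb) == 0;
	free(la);
	free(lb);
	return r;
}

int main(void)
{
	setlocale(LC_CTYPE, "");	/* use the environment's codeset */
	printf("%d\n", names_equal_nocase("Administrator", "administrator"));
	return 0;
}
```

towlower is a per-character, locale-dependent mapping, so its result can differ from the comparison Windows itself applies to account names.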


More information about the openssh-unix-dev mailing list