case sensitivity, "Match User" and "AllowUsers"

Hu, Eric eric.hu at harman.com
Fri Feb 19 06:13:37 EST 2010


It's not clear to me.  One name is getting sent to "AllowUsers" and another is getting sent to "Match User."  That's OpenSSH's doing no matter how you slice it.  getpwnam looks like it gets called before both.  Again, I couldn't find the "Match User" code so I don't know this for sure, but I can't see why you would execute "Match User" statements before knowing whether the user is allowed.  If getpwnam is indeed called before both, why would pw->pw_name be used for one config statement, but not the other?  I would think either "AllowUsers" should be using "const char *login" or "Match User" should be using pw->pw_name.

-----Original Message-----
From: Ben Lindstrom [mailto:mouring at eviladmin.org] 
Sent: Thursday, February 18, 2010 10:31 AM
To: Hu, Eric
Cc: openssh openssh
Subject: Re: case sensitivity, "Match User" and "AllowUsers"


On Feb 18, 2010, at 11:36 AM, Hu, Eric wrote:

> Based on what I've seen, this is an OpenSSH issue.  My original post explains why.  If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?"  The user name used for one is not being used for the other.
> 
> Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue.  If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem.  If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue.  Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.

Think about this for a moment.. if I do  

pw = getpwnam("MoUrInG");

and I get back

pw->pw_name = "mouring"

Whose fault is it?  OpenSSH or the OS that it is running on? 

What this boils down to is getpwnam() on cygwin must not be returning pw->pw_name = (const char *login).

This being stated..  Do we have any other examples of UNIX, UNIX-like, or UNIX-emulation setups that fail to honor this very simple case?

Sadly, the POSIX description seems to leave this as a gray area like a lot of POSIX stuff does.  However, it feels pretty clear what the correct behavior should be.

- Ben
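
The mismatch discussed in this thread, as an added example that is not part of either message and is not OpenSSH code: a case-insensitive account lookup returns a canonical name, and an allow-list checked against that name passes while a per-user rule checked against the typed login is silently skipped. The account table, `lookup_canonical` (a stand-in for getpwnam on such a platform) and `rule_matches` are hypothetical, and which name reaches which directive follows the thread's hypothesis rather than the sshd source.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed account database standing in for the platform's passwd source. */
static const char *accounts[] = { "mouring", "eric" };

/* Hypothetical stand-in for getpwnam() where account lookup ignores case:
 * returns the stored (canonical) name, or NULL if there is no such account. */
static const char *lookup_canonical(const char *login)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcasecmp(accounts[i], login) == 0)
            return accounts[i];
    return NULL;
}

/* Case-sensitive match of one configured name (assumed rule semantics). */
static int rule_matches(const char *configured, const char *name)
{
    return strcmp(configured, name) == 0;
}

/* Result bits: bit 0 = allow-list matched, bit 1 = per-user rule applied. */
int evaluate_mixed(const char *login, const char *configured)
{
    const char *canon = lookup_canonical(login);
    if (canon == NULL)
        return 0;
    /* Allow-list sees the canonical name, per-user rule sees the typed one. */
    return rule_matches(configured, canon) | (rule_matches(configured, login) << 1);
}

int evaluate_consistent(const char *login, const char *configured)
{
    const char *canon = lookup_canonical(login);
    if (canon == NULL)
        return 0;
    /* Canonicalize once, then use that single name for every decision. */
    int m = rule_matches(configured, canon);
    return m | (m << 1);
}

/* Audit check: did the lookup hand back a different name than was typed? */
int names_diverge(const char *login)
{
    const char *canon = lookup_canonical(login);
    return canon != NULL && strcmp(canon, login) != 0;
}
```

A result of 1 from `evaluate_mixed` is the case to look for when auditing: the login was admitted but the restrictions configured for that user were never applied.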

