case sensitivity, "Match User" and "AllowUsers"

Ben Lindstrom mouring at eviladmin.org
Fri Feb 19 19:41:00 EST 2010


On Feb 18, 2010, at 2:51 PM, Corinna Vinschen wrote:

> On Feb 18 12:30, Ben Lindstrom wrote:
>> 
>> On Feb 18, 2010, at 11:36 AM, Hu, Eric wrote:
>> 
>>> Based on what I've seen, this is an OpenSSH issue.  My original post explains why.  If the config file says "AllowUsers user," why should any user that is successfully logged in based on this not execute all statements associated with "Match User user?"  The user name used for one is not being used for the other.
>>> 
>>> Just because we're only seeing it on Cygwin (at least thus far) doesn't mean it's a Cygwin issue.  If the problem is indeed use of mixed user names (as I've stated before, I personally don't know the code well enough to know for sure), I'd say it's an OpenSSH problem.  If there's some spec detailing exactly what getpwnam (and other various underlying calls OpenSSH is relying on) is supposed to do that Cygwin is violating, then maybe it's a Cygwin issue.  Even in this case though, it still looks to me like OpenSSH could be made more robust by not relying on such assumptions.
>> 
>> Think about this for a moment.. if I do  
>> 
>> pw = getpwnam("MoUrInG");
>> 
>> and I get back
>> 
>> pw->pw_name = "mouring"
>> 
>> Whose fault is it?  OpenSSH or the OS that it is running on? 
> 
> It's not Cygwin's fault.  

So you are saying that cygwin's getpw*() functions are written by Microsoft thus are closed source and not implemented via glibc?  If that is the case then you may have an argument.   If you are using getpw*() from glibc or other cygwin maintained libraries then you've lost the argument since it is then cygwin's issue.

> Usernames on Windows *are* case-insensitive.
> The password entry contains the name in one format, but you can write
> it in every case.  That's a property of the underlying system.

You do your community a disservice by propagating this misfeature.  OpenSSH isn't the only code base affected by this.  Off the top of my head mod_svn and apache's mod_access have similar features. So unless you've patched them (and every piece of code like them), and made every developer writing code on your platform aware of this difference there will be other instances of this issue that will cause someone massive heartburn.  

In the end, I have no say if this is accepted; I gave up that right when I walked away from being a committer.  However, it doesn't stop me from feeling that it's fixing a symptom leaving the core issue.

- Ben
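
Added example, not part of the message above and not OpenSSH or Cygwin code: a C sketch of the mismatch discussed in this thread, where a lookup returns a differently-cased name than the one requested and two policy checks end up comparing against different spellings. The account table and the functions `lookup_canonical`, `rule_matches`, `evaluate_mixed` and `evaluate_canonical` are hypothetical, and which check sees which spelling is an assumption made for illustration.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed account table standing in for the OS user database. */
static const char *accounts[] = { "mouring", "corinna" };

/* Hypothetical stand-in for a getpwnam() that matches case-insensitively
 * and returns the stored spelling, as in the thread; NULL if unknown. */
static const char *lookup_canonical(const char *requested)
{
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcasecmp(accounts[i], requested) == 0)
            return accounts[i];
    return NULL;
}

/* Case-sensitive comparison of a configured user name against a name. */
static int rule_matches(const char *rule_user, const char *name)
{
    return strcmp(rule_user, name) == 0;
}

/* Result bits: 1 = passes the allow list, 2 = per-user block applied.
 * Assumption: the allow check sees the canonical name while the per-user
 * check sees the name as the client typed it. */
static int evaluate_mixed(const char *rule_user, const char *requested)
{
    const char *canon = lookup_canonical(requested);
    if (canon == NULL)
        return 0;
    return rule_matches(rule_user, canon) | (rule_matches(rule_user, requested) << 1);
}

/* Same checks, but both use the one canonical name from the lookup. */
static int evaluate_canonical(const char *rule_user, const char *requested)
{
    const char *canon = lookup_canonical(requested);
    if (canon == NULL)
        return 0;
    return rule_matches(rule_user, canon) ? 3 : 0;
}

int main(void)
{
    printf("mixed:     %d\n", evaluate_mixed("mouring", "MoUrInG"));
    printf("canonical: %d\n", evaluate_canonical("mouring", "MoUrInG"));
    return 0;
}
```

With the mixed evaluation a login as "MoUrInG" is allowed but the per-user settings are not applied (result 1); resolving the name once and using that spelling for every check gives the same result as logging in as "mouring" (result 3).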

