| Summary: | Some Windows username get case-sensitive in sshd | ||
|---|---|---|---|
| Product: | Portable OpenSSH | Reporter: | Arvindo <arvindo.kinny> |
| Component: | sshd | Assignee: | Assigned to nobody <unassigned-bugs> |
| Status: | CLOSED FIXED | ||
| Severity: | major | CC: | djm, jedd.cuison, vinschen |
| Priority: | P1 | ||
| Version: | 7.2p2 | ||
| Hardware: | All | ||
| OS: | Cygwin on NT/2k/Win7-11 | ||
Description
Arvindo
2017-08-25 04:33:17 AEST
What do you mean by "some usernames"? Being written for Unix first and foremost, OpenSSH treats all usernames with case-sensitivity internally, though the underlying operating system might have different rules.

(In reply to Damien Miller from comment #1)
> What do you mean by "some usernames"? Being written for Unix first
> and foremost, OpenSSH treats all usernames with case-sensitivity
> internally, though the underlying operating system might have
> different rules.

Damien

Thanks for your response. You are absolutely right, I agree with your response, but we have this installed on Windows Server. Windows user names are case-insensitive, and we are able to log in with different username cases most of the time, but some usernames become case sensitive, and OpenSSH explicitly requires a specific username case. This inconsistent behavior is causing us a lot of problems. Is there a setting in sshd-config or somewhere where we can specify all usernames to be case-insensitive explicitly?

Hi Damien,

Thanks for replying. I can't agree with you more. The situation that Arvindo is describing happens in Cygwin installed in Windows. Here's a simple explanation of what we've experienced...

Initially, getpwnam will return the username in the case that it was supplied in, e.g. "jediknight" will return "jediknight" or "Jediknight" will return "Jediknight", then several days or weeks after... getpwnam will start returning the username in a specific case, e.g. "JEDIknight", which does not match Active Directory's (AD). If it matches Active Directory's then all is well, since we will just consistently follow the case that was specified there. Weirder still, it can change to "JediKnight"; my guess is it has something to do with the Windows login, but I don't exactly know how it happens. The thing is we don't generate "/etc/passwd" since we rely on Cygwin authenticating the user in AD.
Although it is one workaround, the problem that we have with that is that if a new user was created by the client they might experience the issue again unless a new passwd is generated. The thing is we wanted to make it simple for them, e.g. not generate passwd when they create a user. Anyways, our idea is to have OpenSSH have a flag to enable/disable username case sensitivity. By default it is case sensitive and it is applied under Cygwin ifdef. I created a pull request for you to review. Thanks a lot!

Regards,
Jedd

Btw here's the pull request of our proposed feature https://github.com/openssh/openssh-portable/pull/78

This is causing us production issues, as users are unable to log in with different username case.

I don't think we'll add a configuration option for this, as it would need to touch quite a few more places or risk causing configuration-parsing ambiguity that could have security consequences (e.g. "Match user").

Cc'ing Corinna, who is one of the Cygwin developers and who will know much more about what is going on behind getpwnam().

Testing the username case-insensitive was discussed long ago and we decided not to do that. Check commit https://github.com/openssh/openssh-portable/commit/acc9b29486dfd649dfda474e5c1a03b317449f1c

I don't know what's going on on your machine, but Cygwin does NOT change usernames willy-nilly. The username stored in Cygwin is the one either returned by Windows via the Win32 function LookupAccountSidW, or it is the name as stored in /etc/passwd, should this file exist and /etc/nsswitch.conf allows access (which is the default).

Corinna

Corinna points out that this was indeed fixed:

In fact we *did* fix it in OpenSSH 8.0 so that usernames as well as groupnames are now matched case-insensitive on Cygwin, here's the list of commits:

f02afa350afa Revert "[auth.c] On Cygwin, refuse usernames that have differences in case"
bed1d4369880 Revert unintended parts of previous commit.
37638c752041 Cygwin: implement case-insensitive Unicode user and group name matching
daa7505aadca Use Cygwin-specific matching only for users+groups.
a212107bfdf4 Replace alloca with xcalloc.

closing resolved bugs as of 8.6p1 release
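
The "Match user" ambiguity raised in this thread, as an added example that is not OpenSSH or Cygwin code: it models a case-insensitive account lookup next to a case-sensitive rule match, then the two consistent policies named in the commit titles above (refusing names that differ in case, and matching case-insensitively). The account names, the deny entry and all function names are constructed for illustration, and the comparison is ASCII-only rather than the Unicode-aware matching the real fix implements.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>   /* strcasecmp (POSIX), ASCII-only */

/* Constructed sample data: canonical account names and one DenyUsers-style entry. */
static const char *accounts[] = { "JediKnight", "Padawan" };
static const char *deny_entry = "JediKnight";

/* Hypothetical stand-in for a case-insensitive getpwnam(): returns the
 * canonical name for any casing of an existing account, else NULL. */
static const char *lookup_account(const char *supplied) {
    for (size_t i = 0; i < sizeof(accounts) / sizeof(accounts[0]); i++)
        if (strcasecmp(supplied, accounts[i]) == 0)
            return accounts[i];
    return NULL;
}

/* Ambiguous: account lookup ignores case, rule match does not. 1 = allowed. */
static int allow_mixed(const char *supplied) {
    if (lookup_account(supplied) == NULL) return 0;
    return strcmp(supplied, deny_entry) != 0;
}

/* Consistent, strict: refuse names whose case differs from the canonical one. */
static int allow_refuse_case_diff(const char *supplied) {
    const char *pw_name = lookup_account(supplied);
    if (pw_name == NULL || strcmp(supplied, pw_name) != 0) return 0;
    return strcmp(pw_name, deny_entry) != 0;
}

/* Consistent, lenient: match the rule case-insensitively as well. */
static int allow_case_insensitive(const char *supplied) {
    if (lookup_account(supplied) == NULL) return 0;
    return strcasecmp(supplied, deny_entry) != 0;
}

int main(void) {
    const char *tries[] = { "JediKnight", "jediknight", "Padawan", "PADAWAN" };
    for (size_t i = 0; i < sizeof(tries) / sizeof(tries[0]); i++)
        printf("%-11s mixed=%d refuse-case-diff=%d case-insensitive=%d\n", tries[i],
               allow_mixed(tries[i]), allow_refuse_case_diff(tries[i]),
               allow_case_insensitive(tries[i]));
    return 0;
}
```

The strict policy reproduces the symptom reported here (a permitted user is refused when the case differs), while the lenient policy applies the rule and admits permitted users in any case.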