Some windows 2012 users usernames get case-sensitive on Cygwin sshd Version Cygwin 2.5.1 and OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016 Some users work with any case username Example: Windows Active Directory Username: MyUser SSH username not working: myUser Here are the debug log statements sshd debug log debug1: KEX done debug3: receive packet: type 5 debug3: send packet: type 6 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 367 Login name myUser does not match stored username MyUser Invalid user myUser from 10.175.2.139 input_userauth_request: invalid user myUser debug2: input_userauth_request: try method none Failed none for invalid user myUser from 10.175.2.139 port 64504 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug3: send packet: type 51 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method keyboard-interactive debug1: attempt 1 failures 0 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=myUser devs= debug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for invalid user myUser from 10.175.2.139 port 64504 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug3: send packet: type 51 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method password debug1: attempt 2 failures 1 debug2: input_userauth_request: try method password
What do you mean by "some usernames"? Being written for Unix first and foremost- OpenSSH treats all usernames with case-sensitivity internally, though the underlying operating system might have different rules.
(In reply to Damien Miller from comment #1) > What do you mean by "some usernames"? Being written for Unix first > and foremost- OpenSSH treats all usernames with case-sensitivity > internally, though the underlying operating system might have > different rules. Damien Thanks for your response. You are absolutely right, I agree with your response, but we have this installed on windows server. Windows user names are case-insensitive, and we are able login with different username cases most of the time, but some usernames become case sensitive, and openSSH explicitly requires specific username case. This inconsistent behavior is causing us lot of problems. Is there a setting in sshd-config or somewhere where we can specify all usernames to be case-insensitive explicitly?
Hi Damien, Thanks for replying. I can't agree with you more. The situation that Arvindo is describing happens in Cygwin installed in Windows. Here's a simple explanation on what we've experienced... Initially, getpwnam will return the username in the case that it was supplied in e.g. "jediknight" will return "jediknight" or "Jedikight" will return "Jediknight" then several days or weeks after...getpwnam will start returning the username in a specific case e.g. "JEDIknight" which does not match active directory's (AD). If it matches active directory's then all is well since we will just consistently follow the case that was specified there. Weirder still it can change to "JediKnight", my guess is it has something to do with the Windows login but I don't exactly know how it happens. The thing is we don't generate "/etc/passwd" since we rely in Cygwin authenticating the user in AD. Although it is one workaround, the problem that we have with that is that if a new user was created by the client they might experience the issue again unless a new passwd is generated. The thing is we wanted to make it simple for them e.g. not generate passwd when they create a user. Anyways our idea is to have openssh have a flag to enable/disable username case sensitivity. By default it is case sensitive and it is applied under Cygwin ifdef. I created a pull request for you to review. Thanks a lot! Regards, Jedd
Btw here's the pull request of our proposed feature https://github.com/openssh/openssh-portable/pull/78
This causing us production issues, as users are unable to login with different username case.
I don't think we'll add a configuration option for this, as it would need to touch quite a few more places or risk causing configuration-parsing ambiguity that could have security consequences (e.g. "Match user"). Cc'ing Corinna, who is one of the Cygwin developers and who will know much more about what is going on behind getpwnam().
Testing the username case-insensitive was discussed long ago and we decided not to do that. Check commit https://github.com/openssh/openssh-portable/commit/acc9b29486dfd649dfda474e5c1a03b317449f1c I don't know what's going on on your machine, but Cygwin does NOT change usernames willy-nilly. The username stored in Cygwin is the one either returned by Windows via the WIn32 function LookupAccountSidW, or it is the name as stored in /etc/passwd, should this file exist and /etc/nsswitch.conf allows access (which is the default). Corinna
Corinna points out that this was indeed fixed: In fact we *did* fix it in OpenSSH 8.0 so that usernames as well as groupnames are now matched case-insensitive on Cygwin, here's the list of commits: f02afa350afa Revert "[auth.c] On Cygwin, refuse usernames that have differences in case" bed1d4369880 Revert unintended parts of previous commit. 37638c752041 Cygwin: implement case-insensitive Unicode user and group name matching daa7505aadca Use Cygwin-specific matching only for users+groups. a212107bfdf4 Replace alloca with xcalloc.
closing resolved bugs as of 8.6p1 release