* sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-12 23:07 UTC
To: cygwin

Good day,

I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
S4U logon - works great!).

One thing I've noticed is that if I use ssh to log onto a remote
domain-joined machine (e.g., connect with COMPUTER+localname), the
'COMPUTER' prefix must be uppercase - if I specify
'computer+LocalName', the user is unknown.

This doesn't seem to be the case if I change the username's case -
'COMPUTER+localname' also works.

Is this by design or by accident?

Thanks,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple

* Re: sshd: computer name's case must match?
From: Andrey Repin @ 2019-02-13 1:35 UTC
To: Bill Stewart, cygwin

Greetings, Bill Stewart!

> I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> S4U logon - works great!).
> One thing I've noticed is that if I use ssh to log onto a remote
> domain-joined machine (e.g., connect with COMPUTER+localname), the
> 'COMPUTER' prefix must be uppercase - if I specify
> 'computer+LocalName', the user is unknown.
> This doesn't seem to be the case if I change the username's case -
> 'COMPUTER+localname' also works.
> Is this by design or by accident?

With no authority on the matter I would say that it follows Kerberos
domain names which are written in capital letters.

--
With best regards,
Andrey Repin
Wednesday, February 13, 2019 4:19:00

Sorry for my terrible english...

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 10:32 UTC
To: cygwin

On Feb 12 16:07, Bill Stewart wrote:
> Good day,
>
> I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> S4U logon - works great!).
>
> One thing I've noticed is that if I use ssh to log onto a remote
> domain-joined machine (e.g., connect with COMPUTER+localname), the
> 'COMPUTER' prefix must be uppercase - if I specify
> 'computer+LocalName', the user is unknown.
>
> This doesn't seem to be the case if I change the username's case -
> 'COMPUTER+localname' also works.
>
> Is this by design or by accident?

sshd checks usernames case-sensitive against their name stored in the
user DB.  The problem that you can use differently cased usernames
here is that the Windows function for checking the name is
case-insensitive, so it takes the username any way it comes in and
sshd eventually checks against the wrongly cased name.

I fixed that partially in Cygwin by making sure that the account name
stored in the internal passwd/group info is stored case-correct:
https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc

So if you have a domain DOMAIN and a user xyz

  $ getent passwd DoMaIn+XyZ

Prior to the above patch it returned

  DOMAIN+XyZ:...

Now it will return

  DOMAIN+xyz:...

The problem is this:  If the account is from another domain than the
local machine or the machine domain, the call to LookupAccountSid to fix
the account name won't fix the account name.

Apparently the account name is cached on the local machine in exactly
the same spelling as has been used when asking for the account the first
time.  I still have to find a way to work around that.

Thanks,
Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 12:25 UTC
To: cygwin

On Feb 13 11:32, Corinna Vinschen wrote:
> On Feb 12 16:07, Bill Stewart wrote:
> > Good day,
> >
> > I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> > S4U logon - works great!).
> >
> > One thing I've noticed is that if I use ssh to log onto a remote
> > domain-joined machine (e.g., connect with COMPUTER+localname), the
> > 'COMPUTER' prefix must be uppercase - if I specify
> > 'computer+LocalName', the user is unknown.
> >
> > This doesn't seem to be the case if I change the username's case -
> > 'COMPUTER+localname' also works.
> >
> > Is this by design or by accident?
>
> sshd checks usernames case-sensitive against their name stored in the
> user DB.  The problem that you can use differently cased usernames
> here is that the Windows function for checking the name is case-
> insensitive, so it takes the username any way it comes in and
> sshd eventually checks against the wrongly cased name.
>
> I fixed that partially in Cygwin by making sure that the account name
> stored in the internal passwd/group info is stored case-correct:
> https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
>
> So if you have a domain DOMAIN and a user xyz
>
>   $ getent passwd DoMaIn+XyZ
>
> Prior to the above patch it returned
>
>   DOMAIN+XyZ:...
>
> Now it will return
>
>   DOMAIN+xyz:...
>
> The problem is this:  If the account is from another domain than the
> local machine or the machine domain, the call to LookupAccountSid to fix
> the account name won't fix the account name.
>
> Apparently the account name is cached on the local machine in exactly
> the same spelling as has been used when asking for the account the first
> time.  I still have to find a way to work around that.

That should be fixed now as well.  I uploaded new developer snaps to
https://cygwin.com/snapshots/ and will generate YA test release later
today.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-13 15:53 UTC
To: cygwin

On Wed, Feb 13, 2019 at 5:25 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> > sshd checks usernames case-sensitive against their name stored in the
> > user DB.  The problem that you can use differently cased usernames
> > here is that the Windows function for checking the name is case-
> > insensitive, so it takes the username any way it comes in and
> > sshd eventually checks against the wrongly cased name.
> >
> > I fixed that partially in Cygwin by making sure that the account name
> > stored in the internal passwd/group info is stored case-correct:
> > https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
> >
> > So if you have a domain DOMAIN and a user xyz
> >
> >   $ getent passwd DoMaIn+XyZ
> >
> > Prior to the above patch it returned
> >
> >   DOMAIN+XyZ:...
> >
> > Now it will return
> >
> >   DOMAIN+xyz:...
> >
> > The problem is this:  If the account is from another domain than the
> > local machine or the machine domain, the call to LookupAccountSid to fix
> > the account name won't fix the account name.
> >
> > Apparently the account name is cached on the local machine in exactly
> > the same spelling as has been used when asking for the account the first
> > time.  I still have to find a way to work around that.
>
> That should be fixed now as well.  I uploaded new developer snaps to
> https://cygwin.com/snapshots/ and will generate YA test release later
> today.

Thanks for taking a look at it.

Now the problem is that the username must be specified with the correct case.

It used to work with COMPUTERNAME+username - where 'username' might
contain an uppercase character, but I could type it in all lower-case.

Now I have to type the username in all correct case, which seems unexpected.

From a Windows perspective, usernames are case-retentive but not
case-sensitive, so this behavior seems unexpected.

Expected behavior: Ignore case in both computer names and user names.

Thanks!

Bill

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 16:10 UTC
To: cygwin

On Feb 13 08:53, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 5:25 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
>
> > > sshd checks usernames case-sensitive against their name stored in the
> > > user DB.  The problem that you can use differently cased usernames
> > > here is that the Windows function for checking the name is case-
> > > insensitive, so it takes the username any way it comes in and
> > > sshd eventually checks against the wrongly cased name.
> > >
> > > I fixed that partially in Cygwin by making sure that the account name
> > > stored in the internal passwd/group info is stored case-correct:
> > > https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
> > >
> > > So if you have a domain DOMAIN and a user xyz
> > >
> > >   $ getent passwd DoMaIn+XyZ
> > >
> > > Prior to the above patch it returned
> > >
> > >   DOMAIN+XyZ:...
> > >
> > > Now it will return
> > >
> > >   DOMAIN+xyz:...
> > >
> > > The problem is this:  If the account is from another domain than the
> > > local machine or the machine domain, the call to LookupAccountSid to fix
> > > the account name won't fix the account name.
> > >
> > > Apparently the account name is cached on the local machine in exactly
> > > the same spelling as has been used when asking for the account the first
> > > time.  I still have to find a way to work around that.
> >
> > That should be fixed now as well.  I uploaded new developer snaps to
> > https://cygwin.com/snapshots/ and will generate YA test release later
> > today.
>
> Thanks for taking a look at it.
>
> Now the problem is that the username must be specified with the correct case.
>
> It used to work with COMPUTERNAME+username - where 'username' might
> contain an uppercase character, but I could type it in all lower-case.
>
> Now I have to type the username in all correct case, which seems unexpected.
>
> From a Windows perspective, usernames are case-retentive but not
> case-sensitive, so this behavior seems unexpected.
>
> Expected behavior: Ignore case in both computer names and user names.

This can't work correctly with OpenSSH.  The decision to allow only
the correct case in OpenSSH was made back in 2010, because otherwise
we would need a lot of special rules in OpenSSH just for Cygwin.
Sorry, but that's how it is.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-13 16:24 UTC
To: cygwin

On Wed, Feb 13, 2019 at 9:10 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> This can't work correctly with OpenSSH.  The decision to allow only
> the correct case in OpenSSH was made back in 2010, because otherwise
> we would need a lot of special rules in OpenSSH just for Cygwin.
> Sorry, but that's how it is.

Thanks for the explanation -- this is understandable.

In that case, the former arrangement before the patch was preferable.

That is: For DOMAIN+username or COMPUTERNAME+username, the part before
the "+" must be UPPERCASE, but the username is not case-sensitive.

IMO This is the simplest and most straightforward arrangement.

Thanks!

Bill

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 16:26 UTC
To: Bill Stewart; +Cc: cygwin

On Feb 13 09:23, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 9:10 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
>
> > This can't work correctly with OpenSSH.  The decision to allow only
> > the correct case in OpenSSH was made back in 2010, because otherwise
> > we would need a lot of special rules in OpenSSH just for Cygwin.
> > Sorry, but that's how it is.
>
> Thanks for the explanation -- this is understandable.
>
> In that case, the former arrangement before the patch was preferable.
>
> That is: For DOMAIN+username or COMPUTERNAME+username, the part before
> the "+" must be UPPERCASE, but the username is not case-sensitive.
>
> IMO This is the simplest and most straightforward arrangement.

No, that was a bug.  With case insensitive usernames, the pattern
matching in OpenSSH won't work and you create a potential security
problem.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

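[Added example, not part of the thread and not OpenSSH or Cygwin source: a small C model of the behaviour described in the messages above, showing why a case-insensitive account lookup combined with case-sensitive pattern matching is a security problem, and how returning the case-correct name closes the gap. The account names, deny patterns and function names are constructed for illustration; fnmatch() stands in for sshd's own pattern matcher.]

```c
/* Added illustration: a model of the behaviour described in this thread,
 * not code from OpenSSH or Cygwin. All names and data are constructed. */
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed user DB: account names in their stored, case-correct spelling. */
static const char *const accounts[] = {
    "DOMAIN+xyz", "DOMAIN+Admin", "station14+svc"
};
#define N_ACCOUNTS (sizeof accounts / sizeof accounts[0])

/* Constructed deny list, matched case-sensitively like any POSIX user name. */
static const char *const deny_patterns[] = { "DOMAIN+Admin", "station14+*" };
#define N_DENY (sizeof deny_patterns / sizeof deny_patterns[0])

enum outcome { UNKNOWN_USER, DENIED, ALLOWED };

/*
 * Model of the passwd lookup. Accounts are found case-insensitively, as on
 * Windows. With fix_case == 0 (behaviour before the Cygwin patch, per the
 * getent example in the thread) the part before '+' comes back case-correct
 * but the account part keeps the caller's spelling. With fix_case != 0 the
 * stored spelling is returned for the whole name.
 * Returns 0 on success, -1 if the account is unknown or out is too small.
 */
static int lookup_pw_name(const char *requested, int fix_case,
                          char *out, size_t outlen)
{
    for (size_t i = 0; i < N_ACCOUNTS; i++) {
        if (strcasecmp(accounts[i], requested) != 0)
            continue;
        if (strlen(accounts[i]) >= outlen)
            return -1;
        strcpy(out, accounts[i]);
        if (!fix_case) {
            /* Same length and same '+' offset, because strcasecmp matched. */
            const char *plus = strchr(requested, '+');
            if (plus != NULL)
                strcpy(out + (plus - requested), plus);
        }
        return 0;
    }
    return -1;
}

/* Case-sensitive pattern check against the deny list. */
static int is_denied(const char *name)
{
    for (size_t i = 0; i < N_DENY; i++)
        if (fnmatch(deny_patterns[i], name, 0) == 0)
            return 1;
    return 0;
}

/* Login decision: exact-case comparison with the user DB name, then rules. */
enum outcome check_login(const char *requested, int fix_case)
{
    char pw_name[64];

    if (lookup_pw_name(requested, fix_case, pw_name, sizeof pw_name) != 0)
        return UNKNOWN_USER;
    if (strcmp(requested, pw_name) != 0)
        return UNKNOWN_USER;
    return is_denied(pw_name) ? DENIED : ALLOWED;
}

static const char *outcome_str(enum outcome o)
{
    return o == ALLOWED ? "allowed" : o == DENIED ? "denied" : "unknown user";
}

int main(void)
{
    /* Constructed login names covering the spellings discussed above. */
    static const char *const tries[] = {
        "DOMAIN+Admin", "DOMAIN+admin", "domain+Admin", "station14+SVC"
    };

    for (size_t i = 0; i < sizeof tries / sizeof tries[0]; i++)
        printf("%-14s old lookup: %-13s case-correct lookup: %s\n", tries[i],
               outcome_str(check_login(tries[i], 0)),
               outcome_str(check_login(tries[i], 1)));
    return 0;
}
```

In this model the old lookup accepts DOMAIN+admin under the wrong spelling, so the literal DOMAIN+Admin pattern never sees it; with the case-correct lookup the same request is rejected as an unknown user.
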
* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-13 17:43 UTC
To: cygwin

On Wed, Feb 13, 2019 at 9:26 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> No, that was a bug.  With case insensitive usernames, the pattern
> matching in OpenSSH won't work and you create a potential security
> problem.

I see - interoperability issue.

Therefore it becomes imperative on the Windows side to match username
case exactly and we need to explain this.

However I would say that the case of the domain or computername
shouldn't matter?

I just tested with cygwin1.dll (13 Feb 2019) and this worked:

  ssh COMPUTERNAME+username@computername

however this didn't work:

  ssh computername+username@computername

Am I not understanding something?

Thanks!

Bill

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 17:55 UTC
To: cygwin

On Feb 13 10:43, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 9:26 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > No, that was a bug.  With case insensitive usernames, the pattern
> > matching in OpenSSH won't work and you create a potential security
> > problem.
>
> I see - interoperability issue.
>
> Therefore it becomes imperative on the Windows side to match username
> case exactly and we need to explain this.
>
> However I would say that the case of the domain or computername
> shouldn't matter?
>
> I just tested with cygwin1.dll (13 Feb 2019) and this worked:
>
> ssh COMPUTERNAME+username@computername
>
> however this didn't work:
>
> ssh computername+username@computername
>
> Am I not understanding something?

The complete string "domain+samaccountname" is the Cygwin username,
see the output of `getent passwd <user>'  The entire Cygwin username
should always use the same case, otherwise case sensitive pattern
matching on the name returned in the passwd name field won't work.

Play with `getent passwd' with the latest and the previous Cygwin DLL.
That should give you an idea.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-13 18:13 UTC
To: cygwin

On Wed, Feb 13, 2019 at 10:56 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> The complete string "domain+samaccountname" is the Cygwin username,
> see the output of `getent passwd <user>'  The entire Cygwin username
> should always use the same case, otherwise case sensitive pattern
> matching on the name returned in the passwd name field won't work.

Thank you. Just so I understand the specifics of when I want to
specify the 'destination' parameter using ssh:

(a) Domain or computer name portion to the left of the "+" must always
be uppercase

(b) Username after "+" sign (or username alone, without "+" sign) must
match case exactly

Questions:

1. Are the above two statements (a) and (b) complete/correct?

2. With regards to (a), are there any cases where the domain or
computer name is not uppercase?

Thanks!

Bill

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-13 20:25 UTC
To: cygwin

On Feb 13 11:13, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 10:56 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > The complete string "domain+samaccountname" is the Cygwin username,
> > see the output of `getent passwd <user>'  The entire Cygwin username
> > should always use the same case, otherwise case sensitive pattern
> > matching on the name returned in the passwd name field won't work.
>
> Thank you. Just so I understand the specifics of when I want to
> specify the 'destination' parameter using ssh:
>
> (a) Domain or computer name portion to the left of the "+" must always
> be uppercase

No, the case must match the case of the domain or computername.

> (b) Username after "+" sign (or username alone, without "+" sign) must
> match case exactly
>
> Questions:
>
> 1. Are the above two statements (a) and (b) complete/correct?
>
> 2. With regards to (a), are there any cases where the domain or
> computer name is not uppercase?

Yes.  In my domain I have four machines using all-lowercase machine
name for no apparent reason.  One is a Linux machine, one is a
Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
All others, including the Windows 8 machines, are all uppercase.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-13 20:55 UTC
To: cygwin

On Wed, Feb 13, 2019 at 1:25 PM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> > (a) Domain or computer name portion to the left of the "+" must always
> > be uppercase
>
> No, the case must match the case of the domain or computername.
>
> > (b) Username after "+" sign (or username alone, without "+" sign) must
> > match case exactly
> >
> > Questions:
> >
> > 1. Are the above two statements (a) and (b) complete/correct?
> >
> > 2. With regards to (a), are there any cases where the domain or
> > computer name is not uppercase?
>
> Yes.  In my domain I have four machines using all-lowercase machine
> name for no apparent reason.  One is a Linux machine, one is a
> Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
> All others, including the Windows 8 machines, are all uppercase.

The computer or domain name case inconsistency would seem to be a
source of confusion, mainly because on the Windows side we are
case-retentive but not case-sensitive, and it is not immediately
obvious which case will apply in the case of a computer or domain
name.

According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -

> 3.437 User Name - A string that is used to identify a user;
> see also User Database. To be portable across systems
> conforming to POSIX.1-2017, the value is composed of
> characters from the portable filename character set. The
> <hyphen-minus> character should not be used as the first
> character of a portable user name.
>
> 3.282 Portable Filename Character Set
>
> The set of characters from which portable filenames are
> constructed.
>
> A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
> a b c d e f g h i j k l m n o p q r s t u v w x y z
> 0 1 2 3 4 5 6 7 8 9 . _ -
>
> The last three characters are the <period>, <underscore>,
> and <hyphen-minus> characters, respectively.

From this reference, it seems that a POSIX-compliant username cannot
contain the + character?

So my suggestion is for Cygwin to convert the name part before the +
automatically to upper (or lower) case.

Thoughts?

Thanks!

Bill

* Re: sshd: computer name's case must match?
From: Andrey Repin @ 2019-02-13 22:50 UTC
To: Bill Stewart, cygwin

Greetings, Bill Stewart!

Preface: Please teach your mail agent to not quote raw email addresses.

>> > (a) Domain or computer name portion to the left of the "+" must always
>> > be uppercase
>>
>> No, the case must match the case of the domain or computername.
>>
>> > (b) Username after "+" sign (or username alone, without "+" sign) must
>> > match case exactly
>> >
>> > Questions:
>> >
>> > 1. Are the above two statements (a) and (b) complete/correct?
>> >
>> > 2. With regards to (a), are there any cases where the domain or
>> > computer name is not uppercase?
>>
>> Yes.  In my domain I have four machines using all-lowercase machine
>> name for no apparent reason.  One is a Linux machine, one is a
>> Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
>> All others, including the Windows 8 machines, are all uppercase.

> The computer or domain name case inconsistency would seem to be a
> source of confusion, mainly because on the Windows side we are
> case-retentive but not case-sensitive, and it is not immediately
> obvious which case will apply in the case of a computer or domain
> name.

I can only add to what Corinna said previously: computer names may turn up
having any letter casing, although I mostly observed Windows systems having
all-uppercase names, if first letter was uppercase ("Station14" -> "STATION14"),
where Linux systems would be case-exact.

> According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -

>> 3.437 User Name - A string that is used to identify a user;
>> see also User Database. To be portable across systems
>> conforming to POSIX.1-2017, the value is composed of
>> characters from the portable filename character set. The
>> <hyphen-minus> character should not be used as the first
>> character of a portable user name.
>>
>> 3.282 Portable Filename Character Set
>>
>> The set of characters from which portable filenames are
>> constructed.
>>
>> A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
>> a b c d e f g h i j k l m n o p q r s t u v w x y z
>> 0 1 2 3 4 5 6 7 8 9 . _ -
>>
>> The last three characters are the <period>, <underscore>,
>> and <hyphen-minus> characters, respectively.

> From this reference, it seems that a POSIX-compliant username cannot
> contain the + character?

> So my suggestion is for Cygwin to convert the name part before the +
> automatically to upper (or lower) case.

> Thoughts?

--
With best regards,
Andrey Repin
Thursday, February 14, 2019 1:03:58

Sorry for my terrible english...

* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-14 13:14 UTC
To: cygwin

On Feb 13 13:55, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 1:25 PM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > > (a) Domain or computer name portion to the left of the "+" must always
> > > be uppercase
> >
> > No, the case must match the case of the domain or computername.
> >
> > > (b) Username after "+" sign (or username alone, without "+" sign) must
> > > match case exactly
> > >
> > > Questions:
> > >
> > > 1. Are the above two statements (a) and (b) complete/correct?
> > >
> > > 2. With regards to (a), are there any cases where the domain or
> > > computer name is not uppercase?
> >
> > Yes.  In my domain I have four machines using all-lowercase machine
> > name for no apparent reason.  One is a Linux machine, one is a
> > Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
> > All others, including the Windows 8 machines, are all uppercase.
>
> The computer or domain name case inconsistency would seem to be a
> source of confusion, mainly because on the Windows side we are
> case-retentive but not case-sensitive, and it is not immediately
> obvious which case will apply in the case of a computer or domain
> name.
>
> According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -
> [...]
> From this reference, it seems that a POSIX-compliant username cannot
> contain the + character?

*should*, not *must*.  It may be a portability problem but it's not
strictly disallowed.  I'm also not sure what this has to do with the
matter at hand.

> So my suggestion is for Cygwin to convert the name part before the +
> automatically to upper (or lower) case.

The problem may be compatibility with existing scripts and OpenSSH
Match rules.

> Thoughts?

I'm in the process of discussing with the OpenSSH maintainers how to
proceed.

Corinna

--
Corinna Vinschen
Cygwin Maintainer

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-14 15:23 UTC
To: cygwin

On Thu, Feb 14, 2019 at 6:14 AM Corinna Vinschen wrote:

> > From this reference, it seems that a POSIX-compliant username cannot
> > contain the + character?
>
> *should*, not *must*.  It may be a portability problem but it's not
> strictly disallowed.  I'm also not sure what this has to do with the
> matter at hand.

I was looking for a simple way to resolve the case issue.

> > So my suggestion is for Cygwin to convert the name part before the +
> > automatically to upper (or lower) case.
>
> The problem may be compatibility with existing scripts and OpenSSH
> Match rules.

This makes sense. My suggestion may be a bit too simplistic.

> I'm in the process of discussing with the OpenSSH maintainers how to
> proceed.

Sounds good. Thank you for thinking about this problem.

I understand the username case needing to match. This is easily
instructed on the Windows side - just make sure the case matches and
it will work.

I think this is the difficulty: When a computer name is not uppercase,
how do we find out the correct case when we specify an authority name
(before the +)?

(A domain name is easier: We can translate name -> SID -> name and get
the correct case.)

* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-14 16:20 UTC
To: cygwin

On Thu, Feb 14, 2019 at 6:43 AM Bill Stewart wrote:

> I think this is the difficulty: When a computer name is not uppercase,
> how do we find out the correct case when we specify an authority name
> (before the +)?

Upon reflection, here's what comes to mind from a purely Cygwin perspective:

(a) When Cygwin returns a name containing an authority (name to the left of the + character), convert it to uppercase (or lowercase).

Advantages: Easier to use. End-user doesn't have burden of determining the correct case for the authority name.

Disadvantages: A remote machine might actually use a + character in a username (even though this shouldn't be permissible from a POSIX point of view) and we risk a name collision, opening a small potential security hole because we matched the wrong name. This risk only applies to remote non-Windows servers, since + is an illegal character in a local Windows user account name and domain sAMAccountName attribute. End user still has to match case of username.

(b) Do nothing - authority and username case must match exactly.

Advantages: No further code changes. Potential security risk is mitigated.

Disadvantages: Not intuitive and confusing from a Windows perspective. End-user has burden of determining correct case for both authority name and username. (This can be mitigated somewhat by addressing this in the FAQ, but we all know how often people read the FAQ.)

[FWIW, I wrote a short PowerShell script that (probably) does the right thing in returning the correct case, but for the case of a local computer authority it only works against the local computer. (It seems to work fine for the current computer's domain and any trusted domains.)]

From an OpenSSH perspective, IMO, it would seem that the most straightforward solution would be, if possible, for sshd to ignore username case for incoming connections when it's running on Windows.

Thanks!

Bill
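The name -> SID -> name round trip mentioned in the two messages above, sketched in PowerShell as an added example; it is not Bill Stewart's script, which the thread does not show. The function name `Resolve-AccountNameCase`, its parameters and the sample account are hypothetical, and the code assumes PowerShell 5 or later on Windows and that the reverse lookup returns the stored case, as the thread states.

```powershell
# Added example: recover the stored case of a Windows account name by
# round-tripping it through its SID (name -> SID -> name).
function Resolve-AccountNameCase {
    [CmdletBinding()]
    param(
        # Name as typed: 'authority+name', 'AUTHORITY\name' or a bare name.
        [Parameter(Mandatory)]
        [string] $Name,

        # Separator for the result; '+' is the Cygwin form used in this thread.
        [string] $Separator = '+'
    )

    # Split on the first '+' only. Per the thread, '+' is not legal in a
    # Windows account name, so the part left of it is the authority.
    if ($Name -notmatch '\\' -and $Name -match '\+') {
        $authority, $user = $Name -split '\+', 2
        $lookup = "$authority\$user"
    } else {
        $lookup = $Name
    }

    try {
        # Forward lookup: Windows matches account names case-insensitively.
        $sid = [System.Security.Principal.NTAccount]::new($lookup).Translate(
            [System.Security.Principal.SecurityIdentifier])
        # Reverse lookup: returns the name as the account database stores it.
        $stored = $sid.Translate([System.Security.Principal.NTAccount]).Value
    } catch [System.Security.Principal.IdentityNotMappedException] {
        # Unknown account, or an authority this machine cannot resolve.
        return $null
    }

    [pscustomobject]@{
        Input     = $Name
        Sid       = $sid.Value
        Canonical = $stored -replace '\\', $Separator
    }
}

# Constructed sample input; replace with a real account before running.
Resolve-AccountNameCase -Name 'computer+localname'
```

A `$null` result means the lookup failed on this machine; it does not show that the account is absent on the named authority.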
* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-21 20:17 UTC
To: cygwin

On Thu, Feb 14, 2019 at 9:04 AM Bill Stewart wrote:

> From an OpenSSH perspective, IMO, it would seem that the most
> straightforward solution would be, if possible, for sshd to ignore
> username case for incoming connections when it's running on Windows.

Any chance for a fix in sshd so it doesn't require exact-match case usernames for incoming connections on an OS that doesn't use case-sensitive user names (such as Windows)?

Thanks!

Bill
* Re: sshd: computer name's case must match?
From: Corinna Vinschen @ 2019-02-22 9:39 UTC
To: cygwin

On Feb 21 13:08, Bill Stewart wrote:

> On Thu, Feb 14, 2019 at 9:04 AM Bill Stewart wrote:
>
> > From an OpenSSH perspective, IMO, it would seem that the most
> > straightforward solution would be, if possible, for sshd to ignore
> > username case for incoming connections when it's running on Windows.
>
> Any chance for a fix in sshd so it doesn't require exact-match case
> usernames for incoming connections on an OS that doesn't use
> case-sensitive user names (such as Windows)?

https://cygwin.com/ml/cygwin/2019-02/msg00335.html

The case-insensitivity patch has been accepted now so the upcoming OpenSSH 8.0 will allow case-insensitive user and group names.

I'm still waiting for the ssh-host-config script patch to get accepted, but if that doesn't occur in time for 8.0, I'll apply it as local patch for the Cygwin 8.0 release.

Corinna

--
Corinna Vinschen
Cygwin Maintainer
* Re: sshd: computer name's case must match?
From: Bill Stewart @ 2019-02-22 15:43 UTC
To: cygwin

On Fri, Feb 22, 2019 at 2:36 AM Corinna Vinschen wrote:

> The case-insensitivity patch has been accepted now so the upcoming
> OpenSSH 8.0 will allow case-insensitive user and group names.

This is greatly appreciated - thank you!

Bill