public inbox for cygwin@cygwin.com
From: Bill Stewart <bstewart@iname.com>
To: cygwin@cygwin.com
Subject: Re: sshd: computer name's case must match?
Date: Thu, 14 Feb 2019 16:20:00 -0000
Message-ID: <CANV9t=Qktg01XdE5Z7tEhwHUVL-JzKhFaKPadYvujZwzAfGvsw@mail.gmail.com>
In-Reply-To: <CANV9t=QE9n6kej+1CYYV7OMktLpv05ZhYpSdPe=LzpbnwiH9Hw@mail.gmail.com>

On Thu, Feb 14, 2019 at 6:43 AM Bill Stewart wrote:

> I think this is the difficulty: When a computer name is not uppercase,
> how do we find out the correct case when we specify an authority name
> (before the +)?

Upon reflection, here's what comes to mind from a purely Cygwin perspective:

(a) When Cygwin returns a name containing an authority (name to the
left of the + character), convert it to uppercase (or lowercase).

Advantages: Easier to use. End-user doesn't have burden of determining
the correct case for the authority name.

Disadvantages: A remote machine might actually use a + character in a
username (even though this shouldn't be permissible from a POSIX point
of view) and we risk a name collision, opening a small potential
security hole because we matched the wrong name. This risk only
applies to remote non-Windows servers, since + is an illegal character
in a local Windows user account name and domain sAMAccountName
attribute. End user still has to match case of username.

(b) Do nothing - authority and username case must match exactly.

Advantages: No further code changes. Potential security risk is mitigated.

Disadvantages: Not intuitive and confusing from a Windows perspective.
End-user has burden of determining correct case for both authority
name and username. (This can be mitigated somewhat by addressing this
in the FAQ, but we all know how often people read the FAQ.)

[FWIW, I wrote a short PowerShell script that (probably) does the
right thing in returning the correct case, but for the case of a local
computer authority it only works against the local computer. (It seems
to work fine for the current computer's domain and any trusted
domains.)]

From an OpenSSH perspective, IMO, it would seem that the most
straightforward solution would be, if possible, for sshd to ignore
username case for incoming connections when it's running on Windows.

Thanks!

Bill
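
Added example, not part of the original message and not Cygwin or OpenSSH code: a sketch of options (a) and (b) that shows which distinct account names fall onto the same key when only the authority (the part left of the +) is case-folded. The function names and the sample account names are constructed for illustration, and splitting at the first + is an assumption.

```python
from collections import defaultdict

SEPARATOR = "+"  # separator between authority and username, as in the message


def split_account(name):
    """Split 'AUTHORITY+user' at the first separator (assumed behaviour).

    Returns (None, name) when there is no usable authority part.
    """
    authority, sep, user = name.partition(SEPARATOR)
    if not sep or not authority or not user:
        return None, name
    return authority, user


def normalize_option_a(name):
    """Option (a): uppercase the authority only; username case is kept."""
    authority, user = split_account(name)
    if authority is None:
        return name
    return authority.upper() + SEPARATOR + user


def normalize_option_b(name):
    """Option (b): do nothing; authority and username must match exactly."""
    return name


def collisions(names, normalize):
    """Groups of distinct input names that share one key after normalization."""
    groups = defaultdict(set)
    for n in names:
        groups[normalize(n)].add(n)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)


# Constructed sample names, not taken from any real system.
SAMPLE = [
    "WKSTN01+alice",  # authority-qualified name with uppercase authority
    "wkstn01+alice",  # the same account typed with a lowercase authority
    "Build+bot",      # literal username containing '+' on a non-Windows server
    "build+bot",      # a different literal username on that same server
    "carol",          # plain name, no authority
]

if __name__ == "__main__":
    print("option (a):", collisions(SAMPLE, normalize_option_a))
    print("option (b):", collisions(SAMPLE, normalize_option_b))
```

Under option (a) the two WKSTN01 spellings merge, which is the intended convenience, but the two distinct literal usernames merge as well; under option (b) nothing merges.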
