public inbox for cygwin@cygwin.com
* sshd: computer name's case must match?
@ 2019-02-12 23:07 Bill Stewart
  2019-02-13  1:35 ` Andrey Repin
  2019-02-13 10:32 ` Corinna Vinschen
  0 siblings, 2 replies; 20+ messages in thread
From: Bill Stewart @ 2019-02-12 23:07 UTC (permalink / raw)
  To: cygwin

Good day,

I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
S4U logon - works great!).

One thing I've noticed is that if I use ssh to log onto a remote
domain-joined machine (e.g., connect with COMPUTER+localname), the
'COMPUTER' prefix must be uppercase - if I specify
'computer+LocalName', the user is unknown.

This doesn't seem to be the case if I change the username's case -
'COMPUTER+localname' also works.

Is this by design or by accident?

Thanks,

Bill

--
Problem reports:       http://cygwin.com/problems.html
FAQ:                   http://cygwin.com/faq/
Documentation:         http://cygwin.com/docs.html
Unsubscribe info:      http://cygwin.com/ml/#unsubscribe-simple


* Re: sshd: computer name's case must match?
  2019-02-12 23:07 sshd: computer name's case must match? Bill Stewart
@ 2019-02-13  1:35 ` Andrey Repin
  2019-02-13 10:32 ` Corinna Vinschen
  1 sibling, 0 replies; 20+ messages in thread
From: Andrey Repin @ 2019-02-13  1:35 UTC (permalink / raw)
  To: Bill Stewart, cygwin

Greetings, Bill Stewart!

> I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> S4U logon - works great!).

> One thing I've noticed is that if I use ssh to log onto a remote
> domain-joined machine (e.g., connect with COMPUTER+localname), the
> 'COMPUTER' prefix must be uppercase - if I specify
> 'computer+LocalName', the user is unknown.

> This doesn't seem to be the case if I change the username's case -
> 'COMPUTER+localname' also works.

> Is this by design or by accident?

With no authority on the matter I would say that it follows Kerberos domain
names which are written in capital letters.


-- 
With best regards,
Andrey Repin
Wednesday, February 13, 2019 4:19:00

Sorry for my terrible english...



* Re: sshd: computer name's case must match?
  2019-02-12 23:07 sshd: computer name's case must match? Bill Stewart
  2019-02-13  1:35 ` Andrey Repin
@ 2019-02-13 10:32 ` Corinna Vinschen
  2019-02-13 12:25   ` Corinna Vinschen
  1 sibling, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 10:32 UTC (permalink / raw)
  To: cygwin


On Feb 12 16:07, Bill Stewart wrote:
> Good day,
> 
> I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> S4U logon - works great!).
> 
> One thing I've noticed is that if I use ssh to log onto a remote
> domain-joined machine (e.g., connect with COMPUTER+localname), the
> 'COMPUTER' prefix must be uppercase - if I specify
> 'computer+LocalName', the user is unknown.
> 
> This doesn't seem to be the case if I change the username's case -
> 'COMPUTER+localname' also works.
> 
> Is this by design or by accident?

sshd checks usernames case-sensitive against their name stored in the
user DB.  The problem that you can use differently cased usernames
here is that the Windows function for checking the name is case-
insensitive, so it takes the username any way it comes in and
sshd eventually checks against the wrongly cased name.

I fixed that partially in Cygwin by making sure that the account name
stored in the internal passwd/group info is stored case-correct:
https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc

So if you have a domain DOMAIN and a user xyz

$ getent passwd DoMaIn+XyZ

Prior to the above patch  it returned

  DOMAIN+XyZ:...

Now it will return

  DOMAIN+xyz:...

The problem is this:  If the account is from another domain than the
local machine or the machine domain, the call to LookupAccountSid to fix
the account name won't fix the account name.

Apparently the account name is cached on the local machine in exactly
the same spelling as has been used when asking for the account the first
time.  I still have to find a way to work around that.


Thanks,
Corinna

-- 
Corinna Vinschen
Cygwin Maintainer
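
Added example (not part of the message above, and not Cygwin or OpenSSH code): a small C model of the mismatch described there, a case-insensitive account lookup feeding a case-sensitive name check and rule match. The account table, the deny patterns and all function names are constructed for illustration, and fnmatch() stands in for sshd's own pattern matcher.

```c
#include <fnmatch.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

enum lookup_mode {
    ECHO_ACCOUNT_PART,  /* before the fix: DoMaIn+XyZ -> DOMAIN+XyZ */
    STORED_SPELLING     /* after the fix:  DoMaIn+XyZ -> DOMAIN+xyz */
};

enum decision { LOGIN_UNKNOWN_USER, LOGIN_DENIED, LOGIN_ALLOWED };

/* Constructed account DB holding the spelling the directory stores. */
static const char *const accounts[] = {
    "DOMAIN+xyz", "DOMAIN+Admin", "lowbox+svc"
};

/* Constructed rules, written against the stored spelling. */
static const char *const deny_patterns[] = { "DOMAIN+xyz", "lowbox+*" };

/* Case-insensitive lookup, as the Windows name lookup behaves.
 * Fills pw_name with the name the passwd entry would carry.
 * Returns 0 on success, -1 if no account matches. */
int lookup_account(const char *requested, enum lookup_mode mode,
                   char *pw_name, size_t len)
{
    for (size_t i = 0; i < COUNT(accounts); i++) {
        if (strcasecmp(requested, accounts[i]) != 0)
            continue;
        if (mode == STORED_SPELLING) {
            snprintf(pw_name, len, "%s", accounts[i]);
        } else {
            /* Authority part (through '+') from the DB, rest as typed.
             * The strings compared equal ignoring case, so the '+' sits
             * at the same offset in both. */
            const char *plus = strchr(accounts[i], '+');
            size_t prefix = plus ? (size_t)(plus - accounts[i]) + 1 : 0;
            snprintf(pw_name, len, "%.*s%s",
                     (int)prefix, accounts[i], requested + prefix);
        }
        return 0;
    }
    return -1;
}

/* Case-sensitive pattern match against the passwd name. */
int is_denied(const char *pw_name)
{
    for (size_t i = 0; i < COUNT(deny_patterns); i++)
        if (fnmatch(deny_patterns[i], pw_name, 0) == 0)
            return 1;
    return 0;
}

/* The daemon side: the name sent by the client must equal the passwd
 * name byte for byte, then the rules are applied to the passwd name. */
enum decision login_decision(const char *requested, enum lookup_mode mode)
{
    char pw_name[64];

    if (lookup_account(requested, mode, pw_name, sizeof pw_name) != 0)
        return LOGIN_UNKNOWN_USER;
    if (strcmp(requested, pw_name) != 0)
        return LOGIN_UNKNOWN_USER;
    return is_denied(pw_name) ? LOGIN_DENIED : LOGIN_ALLOWED;
}

int main(void)
{
    static const char *const label[] = { "unknown user", "denied", "allowed" };
    static const char *const tries[] = {
        "DOMAIN+xyz", "DOMAIN+XyZ", "domain+xyz", "LOWBOX+svc", "lowbox+svc"
    };

    printf("%-12s  %-14s  %s\n", "requested", "echoed name", "stored name");
    for (size_t i = 0; i < COUNT(tries); i++)
        printf("%-12s  %-14s  %s\n", tries[i],
               label[login_decision(tries[i], ECHO_ACCOUNT_PART)],
               label[login_decision(tries[i], STORED_SPELLING)]);
    return 0;
}
```

With the echoed spelling, DOMAIN+XyZ passes the name comparison and the rule written for DOMAIN+xyz never sees a match; with the stored spelling the same request is rejected as an unknown user.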


* Re: sshd: computer name's case must match?
  2019-02-13 10:32 ` Corinna Vinschen
@ 2019-02-13 12:25   ` Corinna Vinschen
  2019-02-13 15:53     ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 12:25 UTC (permalink / raw)
  To: cygwin


On Feb 13 11:32, Corinna Vinschen wrote:
> On Feb 12 16:07, Bill Stewart wrote:
> > Good day,
> > 
> > I am testing sshd using the cygwin1.dll 3.x version (run as SYSTEM -
> > S4U logon - works great!).
> > 
> > One thing I've noticed is that if I use ssh to log onto a remote
> > domain-joined machine (e.g., connect with COMPUTER+localname), the
> > 'COMPUTER' prefix must be uppercase - if I specify
> > 'computer+LocalName', the user is unknown.
> > 
> > This doesn't seem to be the case if I change the username's case -
> > 'COMPUTER+localname' also works.
> > 
> > Is this by design or by accident?
> 
> sshd checks usernames case-sensitive against their name stored in the
> user DB.  The problem that you can use differently cased usernames
> here is that the Windows function for checking the name is case-
> insensitive, so it takes the username any way it comes in and
> sshd eventually checks against the wrongly cased name.
> 
> I fixed that partially in Cygwin by making sure that the account name
> stored in the internal passwd/group info is stored case-correct:
> https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
> 
> So if you have a domain DOMAIN and a user xyz
> 
> $ getent passwd DoMaIn+XyZ
> 
> Prior to the above patch  it returned
> 
>   DOMAIN+XyZ:...
> 
> Now it will return
> 
>   DOMAIN+xyz:...
> 
> The problem is this:  If the account is from another domain than the
> local machine or the machine domain, the call to LookupAccountSid to fix
> the account name won't fix the account name.
> 
> Apparently the account name is cached on the local machine in exactly
> the same spelling as has been used when asking for the account the first
> time.  I still have to find a way to work around that.

That should be fixed now as well.  I uploaded new developer snaps to
https://cygwin.com/snapshots/  and will generate YA test release later
today.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-13 12:25   ` Corinna Vinschen
@ 2019-02-13 15:53     ` Bill Stewart
  2019-02-13 16:10       ` Corinna Vinschen
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-13 15:53 UTC (permalink / raw)
  To: cygwin

On Wed, Feb 13, 2019 at 5:25 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> > sshd checks usernames case-sensitive against their name stored in the
> > user DB.  The problem that you can use differently cased usernames
> > here is that the Windows function for checking the name is case-
> > insensitive, so it takes the username any way it comes in and
> > sshd eventually checks against the wrongly cased name.
> >
> > I fixed that partially in Cygwin by making sure that the account name
> > stored in the internal passwd/group info is stored case-correct:
> > https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
> >
> > So if you have a domain DOMAIN and a user xyz
> >
> > $ getent passwd DoMaIn+XyZ
> >
> > Prior to the above patch  it returned
> >
> >   DOMAIN+XyZ:...
> >
> > Now it will return
> >
> >   DOMAIN+xyz:...
> >
> > The problem is this:  If the account is from another domain than the
> > local machine or the machine domain, the call to LookupAccountSid to fix
> > the account name won't fix the account name.
> >
> > Apparently the account name is cached on the local machine in exactly
> > the same spelling as has been used when asking for the account the first
> > time.  I still have to find a way to work around that.
>
> That should be fixed now as well.  I uploaded new developer snaps to
> https://cygwin.com/snapshots/  and will generate YA test release later
> today.

Thanks for taking a look at it.

Now the problem is that the username must be specified with the correct case.

It used to work with COMPUTERNAME+username - where 'username' might
contain an uppercase character, but I could type it in all lower-case.

Now I have to type the username in all correct case, which seems unexpected.

From a Windows perspective, usernames are case-retentive but not
case-sensitive, so this behavior seems unexpected.

Expected behavior: Ignore case in both computer names and user names.

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-13 15:53     ` Bill Stewart
@ 2019-02-13 16:10       ` Corinna Vinschen
  2019-02-13 16:24         ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 16:10 UTC (permalink / raw)
  To: cygwin


On Feb 13 08:53, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 5:25 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> 
> > > sshd checks usernames case-sensitive against their name stored in the
> > > user DB.  The problem that you can use differently cased usernames
> > > here is that the Windows function for checking the name is case-
> > > insensitive, so it takes the username any way it comes in and
> > > sshd eventually checks against the wrongly cased name.
> > >
> > > I fixed that partially in Cygwin by making sure that the account name
> > > stored in the internal passwd/group info is stored case-correct:
> > > https://cygwin.com/git/?p=newlib-cygwin.git;a=commitdiff;h=9a3cc77b2afc
> > >
> > > So if you have a domain DOMAIN and a user xyz
> > >
> > > $ getent passwd DoMaIn+XyZ
> > >
> > > Prior to the above patch  it returned
> > >
> > >   DOMAIN+XyZ:...
> > >
> > > Now it will return
> > >
> > >   DOMAIN+xyz:...
> > >
> > > The problem is this:  If the account is from another domain than the
> > > local machine or the machine domain, the call to LookupAccountSid to fix
> > > the account name won't fix the account name.
> > >
> > > Apparently the account name is cached on the local machine in exactly
> > > the same spelling as has been used when asking for the account the first
> > > time.  I still have to find a way to work around that.
> >
> > That should be fixed now as well.  I uploaded new developer snaps to
> > https://cygwin.com/snapshots/  and will generate YA test release later
> > today.
> 
> Thanks for taking a look at it.
> 
> Now the problem is that the username must be specified with the correct case.
> 
> It used to work with COMPUTERNAME+username - where 'username' might
> contain an uppercase character, but I could type it in all lower-case.
> 
> Now I have to type the username in all correct case, which seems unexpected.
> 
> From a Windows perspective, usernames are case-retentive but not
> case-sensitive, so this behavior seems unexpected.
> 
> Expected behavior: Ignore case in both computer names and user names.

This can't work correctly with OpenSSH.  The decision to allow only
the correct case in OpenSSH was made back in 2010, because otherwise
we would need a lot of special rules in OpenSSH just for Cygwin.
Sorry, but that's how it is.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-13 16:10       ` Corinna Vinschen
@ 2019-02-13 16:24         ` Bill Stewart
  2019-02-13 16:26           ` Corinna Vinschen
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-13 16:24 UTC (permalink / raw)
  To: cygwin

On Wed, Feb 13, 2019 at 9:10 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:

> This can't work correctly with OpenSSH.  The decision to allow only
> the correct case in OpenSSH was made back in 2010, because otherwise
> we would need a lot of special rules in OpenSSH just for Cygwin.
> Sorry, but that's how it is.

Thanks for the explanation -- this is understandable.

In that case, the former arrangement before the patch was preferable.

That is: For DOMAIN+username or COMPUTERNAME+username, the part before
the "+" must be UPPERCASE, but the username is not case-sensitive.

IMO This is the simplest and most straightforward arrangement.

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-13 16:24         ` Bill Stewart
@ 2019-02-13 16:26           ` Corinna Vinschen
  2019-02-13 17:43             ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 16:26 UTC (permalink / raw)
  To: Bill Stewart; +Cc: cygwin


On Feb 13 09:23, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 9:10 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> 
> > This can't work correctly with OpenSSH.  The decision to allow only
> > the correct case in OpenSSH was made back in 2010, because otherwise
> > we would need a lot of special rules in OpenSSH just for Cygwin.
> > Sorry, but that's how it is.
> 
> Thanks for the explanation -- this is understandable.
> 
> In that case, the former arrangement before the patch was preferable.
> 
> That is: For DOMAIN+username or COMPUTERNAME+username, the part before
> the "+" must be UPPERCASE, but the username is not case-sensitive.
> 
> IMO This is the simplest and most straightforward arrangement.

No, that was a bug.  With case insensitive usernames, the pattern
matching in OpenSSH won't work and you create a potential security
problem.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-13 16:26           ` Corinna Vinschen
@ 2019-02-13 17:43             ` Bill Stewart
  2019-02-13 17:55               ` Corinna Vinschen
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-13 17:43 UTC (permalink / raw)
  To: cygwin

On Wed, Feb 13, 2019 at 9:26 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> No, that was a bug.  With case insensitive usernames, the pattern
> matching in OpenSSH won't work and you create a potential security
> problem.

I see - interoperability issue.

Therefore it becomes imperative on the Windows side to match username
case exactly and we need to explain this.

However I would say that the case of the domain or computername
shouldn't matter?

I just tested with cygwin1.dll (13 Feb 2019) and this worked:

ssh COMPUTERNAME+username@computername

however this didn't work:

ssh computername+username@computername

Am I not understanding something?

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-13 17:43             ` Bill Stewart
@ 2019-02-13 17:55               ` Corinna Vinschen
  2019-02-13 18:13                 ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 17:55 UTC (permalink / raw)
  To: cygwin


On Feb 13 10:43, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 9:26 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > No, that was a bug.  With case insensitive usernames, the pattern
> > matching in OpenSSH won't work and you create a potential security
> > problem.
> 
> I see - interoperability issue.
> 
> Therefore it becomes imperative on the Windows side to match username
> case exactly and we need to explain this.
> 
> However I would say that the case of the domain or computername
> shouldn't matter?
> 
> I just tested with cygwin1.dll (13 Feb 2019) and this worked:
> 
> ssh COMPUTERNAME+username@computername
> 
> however this didn't work:
> 
> ssh computername+username@computername
> 
> Am I not understanding something?

The complete string "domain+samaccountname" is the Cygwin username,
see the output of `getent passwd <user>'.  The entire Cygwin username
should always use the same case, otherwise case sensitive pattern
matching on the name returned in the passwd name field won't work.

Play with `getent passwd' with the latest and the previous Cygwin
DLL.  That should give you an idea.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-13 17:55               ` Corinna Vinschen
@ 2019-02-13 18:13                 ` Bill Stewart
  2019-02-13 20:25                   ` Corinna Vinschen
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-13 18:13 UTC (permalink / raw)
  To: cygwin

On Wed, Feb 13, 2019 at 10:56 AM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> The complete string "domain+samaccountname" is the Cygwin username,
> see the output of `getent passwd <user>'.  The entire Cygwin username
> should always use the same case, otherwise case sensitive pattern
> matching on the name returned in the passwd name field won't work.

Thank you. Just so I understand the specifics of when I want to
specify the 'destination' parameter using ssh:

(a) Domain or computer name portion to the left of the "+" must always
be uppercase

(b) Username after "+" sign (or username alone, without "+" sign) must
match case exactly

Questions:

1. Are the above two statements (a) and (b) complete/correct?

2. With regards to (a), are there any cases where the domain or
computer name is not uppercase?

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-13 18:13                 ` Bill Stewart
@ 2019-02-13 20:25                   ` Corinna Vinschen
  2019-02-13 20:55                     ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-13 20:25 UTC (permalink / raw)
  To: cygwin


On Feb 13 11:13, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 10:56 AM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > The complete string "domain+samaccountname" is the Cygwin username,
> > see the output of `getent passwd <user>'.  The entire Cygwin username
> > should always use the same case, otherwise case sensitive pattern
> > matching on the name returned in the passwd name field won't work.
> 
> Thank you. Just so I understand the specifics of when I want to
> specify the 'destination' parameter using ssh:
> 
> (a) Domain or computer name portion to the left of the "+" must always
> be uppercase

No, the case must match the case of the domain or computername.

> (b) Username after "+" sign (or username alone, without "+" sign) must
> match case exactly
> 
> Questions:
> 
> 1. Are the above two statements (a) and (b) complete/correct?
> 
> 2. With regards to (a), are there any cases where the domain or
> computer name is not uppercase?

Yes.  In my domain I have four machines using all-lowercase machine
name for no apparent reason.  One is a Linux machine, one is a
Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
All others, including the Windows 8 machines, are all uppercase.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-13 20:25                   ` Corinna Vinschen
@ 2019-02-13 20:55                     ` Bill Stewart
  2019-02-13 22:50                       ` Andrey Repin
  2019-02-14 13:14                       ` Corinna Vinschen
  0 siblings, 2 replies; 20+ messages in thread
From: Bill Stewart @ 2019-02-13 20:55 UTC (permalink / raw)
  To: cygwin

On Wed, Feb 13, 2019 at 1:25 PM Corinna Vinschen
<corinna-cygwin@cygwin.com> wrote:
> > (a) Domain or computer name portion to the left of the "+" must always
> > be uppercase
>
> No, the case must match the case of the domain or computername.
>
> > (b) Username after "+" sign (or username alone, without "+" sign) must
> > match case exactly
> >
> > Questions:
> >
> > 1. Are the above two statements (a) and (b) complete/correct?
> >
> > 2. With regards to (a), are there any cases where the domain or
> > computer name is not uppercase?
>
> Yes.  In my domain I have four machines using all-lowercase machine
> name for no apparent reason.  One is a Linux machine, one is a
> Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
> All others, including the Windows 8 machines, are all uppercase.

The computer or domain name case inconsistency would seem to be a
source of confusion, mainly because on the Windows side we are
case-retentive but not case-sensitive, and it is not immediately
obvious which case will apply in the case of a computer or domain
name.

According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -

> 3.437 User Name - A string that is used to identify a user;
> see also User Database. To be portable across systems
> conforming to POSIX.1-2017, the value is composed of
> characters from the portable filename character set. The
> <hyphen-minus> character should not be used as the first
> character of a portable user name.
>
> 3.282 Portable Filename Character Set
>
> The set of characters from which portable filenames are
> constructed.
>
> A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
> a b c d e f g h i j k l m n o p q r s t u v w x y z
> 0 1 2 3 4 5 6 7 8 9 . _ -
>
> The last three characters are the <period>, <underscore>,
> and <hyphen-minus> characters, respectively.

From this reference, it seems that a POSIX-compliant username cannot
contain the + character?

So my suggestion is for Cygwin to convert the name part before the +
automatically to upper (or lower) case.

Thoughts?

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-13 20:55                     ` Bill Stewart
@ 2019-02-13 22:50                       ` Andrey Repin
  2019-02-14 13:14                       ` Corinna Vinschen
  1 sibling, 0 replies; 20+ messages in thread
From: Andrey Repin @ 2019-02-13 22:50 UTC (permalink / raw)
  To: Bill Stewart, cygwin

Greetings, Bill Stewart!

Preface: Please teach your mail agent to not quote raw email addresses.

>> > (a) Domain or computer name portion to the left of the "+" must always
>> > be uppercase
>>
>> No, the case must match the case of the domain or computername.
>>
>> > (b) Username after "+" sign (or username alone, without "+" sign) must
>> > match case exactly
>> >
>> > Questions:
>> >
>> > 1. Are the above two statements (a) and (b) complete/correct?
>> >
>> > 2. With regards to (a), are there any cases where the domain or
>> > computer name is not uppercase?
>>
>> Yes.  In my domain I have four machines using all-lowercase machine
>> name for no apparent reason.  One is a Linux machine, one is a
>> Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
>> All others, including the Windows 8 machines, are all uppercase.

> The computer or domain name case inconsistency would seem to be a
> source of confusion, mainly because on the Windows side we are
> case-retentive but not case-sensitive, and it is not immediately
> obvious which case will apply in the case of a computer or domain
> name.

I can only add to what Corinna said previously: computer names may turn up
having any letter casing, although I mostly observed Windows systems having
all-uppercase names, if first letter was uppercase ("Station14" ->
"STATION14"), where Linux systems would be case-exact.

> According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -

>> 3.437 User Name - A string that is used to identify a user;
>> see also User Database. To be portable across systems
>> conforming to POSIX.1-2017, the value is composed of
>> characters from the portable filename character set. The
>> <hyphen-minus> character should not be used as the first
>> character of a portable user name.
>>
>> 3.282 Portable Filename Character Set
>>
>> The set of characters from which portable filenames are
>> constructed.
>>
>> A B C D E F G H I J K L M N O P Q R S T U V W X Y Z
>> a b c d e f g h i j k l m n o p q r s t u v w x y z
>> 0 1 2 3 4 5 6 7 8 9 . _ -
>>
>> The last three characters are the <period>, <underscore>,
>> and <hyphen-minus> characters, respectively.

> From this reference, it seems that a POSIX-compliant username cannot
> contain the + character?

> So my suggestion is for Cygwin to convert the name part before the +
> automatically to upper (or lower) case.

> Thoughts?


-- 
With best regards,
Andrey Repin
Thursday, February 14, 2019 1:03:58

Sorry for my terrible english...



* Re: sshd: computer name's case must match?
  2019-02-13 20:55                     ` Bill Stewart
  2019-02-13 22:50                       ` Andrey Repin
@ 2019-02-14 13:14                       ` Corinna Vinschen
  2019-02-14 15:23                         ` Bill Stewart
  1 sibling, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-14 13:14 UTC (permalink / raw)
  To: cygwin


On Feb 13 13:55, Bill Stewart wrote:
> On Wed, Feb 13, 2019 at 1:25 PM Corinna Vinschen
> <corinna-cygwin@cygwin.com> wrote:
> > > (a) Domain or computer name portion to the left of the "+" must always
> > > be uppercase
> >
> > No, the case must match the case of the domain or computername.
> >
> > > (b) Username after "+" sign (or username alone, without "+" sign) must
> > > match case exactly
> > >
> > > Questions:
> > >
> > > 1. Are the above two statements (a) and (b) complete/correct?
> > >
> > > 2. With regards to (a), are there any cases where the domain or
> > > computer name is not uppercase?
> >
> > Yes.  In my domain I have four machines using all-lowercase machine
> > name for no apparent reason.  One is a Linux machine, one is a
> > Windows 7 64 bit, the other two are Windows 8.1 32 and 64 bit machines.
> > All others, including the Windows 8 machines, are all uppercase.
> 
> The computer or domain name case inconsistency would seem to be a
> source of confusion, mainly because on the Windows side we are
> case-retentive but not case-sensitive, and it is not immediately
> obvious which case will apply in the case of a computer or domain
> name.
> 
> According to: http://pubs.opengroup.org/onlinepubs/9699919799/ -
> [...]
> From this reference, it seems that a POSIX-compliant username cannot
> contain the + character?

*should*, not *must*.  It may be a portability problem but it's not
strictly disallowed.  I'm also not sure what this has to do with the
matter at hand.

> So my suggestion is for Cygwin to convert the name part before the +
> automatically to upper (or lower) case.

The problem may be compatibility with existing scripts and OpenSSH
Match rules.

> Thoughts?

I'm in the process of discussing with the OpenSSH maintainers how to
proceed.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-14 13:14                       ` Corinna Vinschen
@ 2019-02-14 15:23                         ` Bill Stewart
  2019-02-14 16:20                           ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-14 15:23 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2019 at 6:14 AM Corinna Vinschen wrote:
> > From this reference, it seems that a POSIX-compliant username cannot
> > contain the + character?
>
> *should*, not *must*.  It may be a portability problem but it's not
> strictly disallowed.  I'm also not sure what this has to do with the
> matter at hand.

I was looking for a simple way to resolve the case issue.

> > So my suggestion is for Cygwin to convert the name part before the +
> > automatically to upper (or lower) case.
>
> The problem may be compatibility with existing scripts and OpenSSH
> Match rules.

This makes sense. My suggestion may be a bit too simplistic.

> I'm in the process of discussing with the OpenSSH maintainers how to
> proceed.

Sounds good. Thank you for thinking about this problem.

I understand the username case needing to match. This is easily
instructed on the Windows side - just make sure the case matches and
it will work.

I think this is the difficulty: When a computer name is not uppercase,
how do we find out the correct case when we specify an authority name
(before the +)?

(A domain name is easier: We can translate name -> SID -> name and get
the correct case.)


* Re: sshd: computer name's case must match?
  2019-02-14 15:23                         ` Bill Stewart
@ 2019-02-14 16:20                           ` Bill Stewart
  2019-02-21 20:17                             ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-14 16:20 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2019 at 6:43 AM Bill Stewart wrote:

> I think this is the difficulty: When a computer name is not uppercase,
> how do we find out the correct case when we specify an authority name
> (before the +)?

Upon reflection, here's what comes to mind from a purely Cygwin perspective:

(a) When Cygwin returns a name containing an authority (name to the
left of the + character), convert it to uppercase (or lowercase).

Advantages: Easier to use. End-user doesn't have burden of determining
the correct case for the authority name.

Disadvantages: A remote machine might actually use a + character in a
username (even though this shouldn't be permissible from a POSIX point
of view) and we risk a name collision, opening a small potential
security hole because we matched the wrong name. This risk only
applies to remote non-Windows servers, since + is an illegal character
in a local Windows user account name and domain sAMAccountName
attribute. End user still has to match case of username.

(b) Do nothing - authority and username case must match exactly.

Advantages: No further code changes. Potential security risk is mitigated.

Disadvantages: Not intuitive and confusing from a Windows perspective.
End-user has burden of determining correct case for both authority
name and username. (This can be mitigated somewhat by addressing this
in the FAQ, but we all know how often people read the FAQ.)

[FWIW, I wrote a short PowerShell script that (probably) does the
right thing in returning the correct case, but for the case of a local
computer authority it only works against the local computer. (It seems
to work fine for the current computer's domain and any trusted
domains.)]

From an OpenSSH perspective, IMO, it would seem that the most
straightforward solution would be, if possible, for sshd to ignore
username case for incoming connections when it's running on Windows.

Thanks!

Bill
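
Options (a) and (b) from the message above, sketched in C as an added example (not code from Cygwin, OpenSSH, or anyone in this thread). The function names and the sample account list are constructed for illustration, and ASCII upper-casing of the authority part is an assumption.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Option (a): copy name into out, upper-casing only the authority part
   (everything left of the first '+'). ASCII folding is an assumption of
   this sketch. Returns 0 on success, -1 if out is too small. */
int fold_authority(const char *name, char *out, size_t outlen)
{
    size_t len = strlen(name);
    const char *plus = strchr(name, '+');
    size_t auth_len = plus ? (size_t)(plus - name) : 0;
    if (len + 1 > outlen)
        return -1;
    for (size_t i = 0; i < len; i++)
        out[i] = i < auth_len ? (char)toupper((unsigned char)name[i]) : name[i];
    out[len] = '\0';
    return 0;
}

/* Option (b): the whole name must match exactly, case included. */
int match_exact(const char *login, const char *account) { return strcmp(login, account) == 0; }

/* Option (a): authority compared after folding, username still exact. */
int match_folded(const char *login, const char *account)
{
    char a[256], b[256];
    if (fold_authority(login, a, sizeof a) || fold_authority(account, b, sizeof b))
        return 0;
    return strcmp(a, b) == 0;
}

/* Count pairs of distinct names that become identical after folding: the
   name-collision risk listed as the disadvantage of option (a). */
size_t count_collisions(const char *const *accounts, size_t n)
{
    size_t hits = 0;
    for (size_t i = 0; i < n; i++)
        for (size_t j = i + 1; j < n; j++)
            hits += !match_exact(accounts[i], accounts[j]) &&
                    match_folded(accounts[i], accounts[j]);
    return hits;
}

/* Constructed sample account list (not taken from the thread). */
const char *const sample_accounts[] =
    { "COMPUTER+LocalName", "build+svc", "BUILD+svc", "alice" };

int main(void) { return count_collisions(sample_accounts, 4) == 1 ? 0 : 1; }
```

Running a collision count like this over the known account names before enabling any folding shows whether two distinct exact-case names would collapse into one.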


* Re: sshd: computer name's case must match?
  2019-02-14 16:20                           ` Bill Stewart
@ 2019-02-21 20:17                             ` Bill Stewart
  2019-02-22  9:39                               ` Corinna Vinschen
  0 siblings, 1 reply; 20+ messages in thread
From: Bill Stewart @ 2019-02-21 20:17 UTC (permalink / raw)
  To: cygwin

On Thu, Feb 14, 2019 at 9:04 AM Bill Stewart wrote:

> From an OpenSSH perspective, IMO, it would seem that the most
> straightforward solution would be, if possible, for sshd to ignore
> username case for incoming connections when it's running on Windows.

Any chance for a fix in sshd so it doesn't require exact-match case
usernames for incoming connections on an OS that doesn't use
case-sensitive user names (such as Windows)?

Thanks!

Bill


* Re: sshd: computer name's case must match?
  2019-02-21 20:17                             ` Bill Stewart
@ 2019-02-22  9:39                               ` Corinna Vinschen
  2019-02-22 15:43                                 ` Bill Stewart
  0 siblings, 1 reply; 20+ messages in thread
From: Corinna Vinschen @ 2019-02-22  9:39 UTC (permalink / raw)
  To: cygwin

On Feb 21 13:08, Bill Stewart wrote:
> On Thu, Feb 14, 2019 at 9:04 AM Bill Stewart wrote:
> 
> > From an OpenSSH perspective, IMO, it would seem that the most
> > straightforward solution would be, if possible, for sshd to ignore
> > username case for incoming connections when it's running on Windows.
> 
> Any chance for a fix in sshd so it doesn't require exact-match case
> usernames for incoming connections on an OS that doesn't use
> case-sensitive user names (such as Windows)?

https://cygwin.com/ml/cygwin/2019-02/msg00335.html

The case-insensitivity patch has been accepted now so the upcoming
OpenSSH 8.0 will allow case-insensitive user and group names.

I'm still waiting for the ssh-host-config script patch to get
accepted, but if that doesn't occur in time for 8.0, I'll apply
it as a local patch for the Cygwin 8.0 release.


Corinna

-- 
Corinna Vinschen
Cygwin Maintainer


* Re: sshd: computer name's case must match?
  2019-02-22  9:39                               ` Corinna Vinschen
@ 2019-02-22 15:43                                 ` Bill Stewart
  0 siblings, 0 replies; 20+ messages in thread
From: Bill Stewart @ 2019-02-22 15:43 UTC (permalink / raw)
  To: cygwin

On Fri, Feb 22, 2019 at 2:36 AM Corinna Vinschen wrote:

> The case-insensitivity patch has been accepted now so the upcoming
> OpenSSH 8.0 will allow case-insensitive user and group names.

This is greatly appreciated - thank you!

Bill

