bugzilla-daemon at bugzilla.mindrot.org
2017-Aug-24 18:33 UTC
[Bug 2764] New: Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Bug ID: 2764 Summary: Some Windows username get case-sensitive in sshd Product: Portable OpenSSH Version: 7.2p2 Hardware: ARM64 OS: Cygwin on NT/2k Status: NEW Severity: security Priority: P5 Component: sshd Assignee: unassigned-bugs at mindrot.org Reporter: arvindo.kinny at cerner.com Some windows 2012 users usernames get case-sensitive on Cygwin sshd Version Cygwin 2.5.1 and OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016 Some users work with any case username Example: Windows Active Directory Username: MyUser SSH username not working: myUser Here are the debug log statements sshd debug log debug1: KEX done debug3: receive packet: type 5 debug3: send packet: type 6 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method none debug1: attempt 0 failures 0 debug2: parse_server_config: config reprocess config len 367 Login name myUser does not match stored username MyUser Invalid user myUser from 10.175.2.139 input_userauth_request: invalid user myUser debug2: input_userauth_request: try method none Failed none for invalid user myUser from 10.175.2.139 port 64504 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug3: send packet: type 51 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method keyboard-interactive debug1: attempt 1 failures 0 debug2: input_userauth_request: try method keyboard-interactive debug1: keyboard-interactive devs debug1: auth2_challenge: user=myUser devsdebug1: kbdint_alloc: devices '' debug2: auth2_challenge_start: devices Failed keyboard-interactive for invalid user myUser from 10.175.2.139 port 64504 ssh2 debug3: userauth_finish: failure partial=0 next methods="publickey,password,keyboard-interactive" debug3: send packet: type 51 debug3: receive packet: type 50 debug1: userauth-request for user myUser service ssh-connection method password debug1: attempt 2 failures 1 debug2: input_userauth_request: try method password -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-07 14:34 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Arvindo <arvindo.kinny at cerner.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P5 |P1 -- You are receiving this mail because: You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-07 23:05 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P1 |P3 CC| |djm at mindrot.org Hardware|ARM64 |All Severity|security |normal --- Comment #1 from Damien Miller <djm at mindrot.org> --- What do you mean by "some usernames"? Being written for Unix first and foremost- OpenSSH treats all usernames with case-sensitivity internally, though the underlying operating system might have different rules. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-11 03:44 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 --- Comment #2 from Arvindo <arvindo.kinny at cerner.com> --- (In reply to Damien Miller from comment #1)> What do you mean by "some usernames"? Being written for Unix first > and foremost- OpenSSH treats all usernames with case-sensitivity > internally, though the underlying operating system might have > different rules.Damien Thanks for your response. You are absolutely right, I agree with your response, but we have this installed on windows server. Windows user names are case-insensitive, and we are able login with different username cases most of the time, but some usernames become case sensitive, and openSSH explicitly requires specific username case. This inconsistent behavior is causing us lot of problems. Is there a setting in sshd-config or somewhere where we can specify all usernames to be case-insensitive explicitly? -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-25 07:07 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Jedd <jedd.cuison at cerner.com> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |jedd.cuison at cerner.com --- Comment #3 from Jedd <jedd.cuison at cerner.com> --- Hi Damien, Thanks for replying. I can't agree with you more. The situation that Arvindo is describing happens in Cygwin installed in Windows. Here's a simple explanation on what we've experienced... Initially, getpwnam will return the username in the case that it was supplied in e.g. "jediknight" will return "jediknight" or "Jedikight" will return "Jediknight" then several days or weeks after...getpwnam will start returning the username in a specific case e.g. "JEDIknight" which does not match active directory's (AD). If it matches active directory's then all is well since we will just consistently follow the case that was specified there. Weirder still it can change to "JediKnight", my guess is it has something to do with the Windows login but I don't exactly know how it happens. The thing is we don't generate "/etc/passwd" since we rely in Cygwin authenticating the user in AD. Although it is one workaround, the problem that we have with that is that if a new user was created by the client they might experience the issue again unless a new passwd is generated. The thing is we wanted to make it simple for them e.g. not generate passwd when they create a user. Anyways our idea is to have openssh have a flag to enable/disable username case sensitivity. By default it is case sensitive and it is applied under Cygwin ifdef. I created a pull request for you to review. Thanks a lot! Regards, Jedd -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Sep-25 07:10 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 --- Comment #4 from Jedd <jedd.cuison at cerner.com> --- Btw here's the pull request of our proposed feature https://github.com/openssh/openssh-portable/pull/78 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Oct-23 18:04 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Arvindo <arvindo.kinny at cerner.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Severity|normal |major --- Comment #5 from Arvindo <arvindo.kinny at cerner.com> --- This causing us production issues, as users are unable to login with different username case. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2017-Dec-20 16:16 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Arvindo <arvindo.kinny at cerner.com> changed: What |Removed |Added ---------------------------------------------------------------------------- Priority|P3 |P1 -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-10 05:54 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- CC| |vinschen at redhat.com --- Comment #6 from Damien Miller <djm at mindrot.org> --- I don't think we'll add a configuration option for this, as it would need to touch quite a few more places or risk causing configuration-parsing ambiguity that could have security consequences (e.g. "Match user"). Cc'ing Corinna, who is one of the Cygwin developers and who will know much more about what is going on behind getpwnam(). -- You are receiving this mail because: You are watching someone on the CC list of the bug. You are watching the assignee of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2018-Feb-10 11:00 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 --- Comment #7 from Corinna Vinschen <vinschen at redhat.com> --- Testing the username case-insensitive was discussed long ago and we decided not to do that. Check commit https://github.com/openssh/openssh-portable/commit/acc9b29486dfd649dfda474e5c1a03b317449f1c I don't know what's going on on your machine, but Cygwin does NOT change usernames willy-nilly. The username stored in Cygwin is the one either returned by Windows via the WIn32 function LookupAccountSidW, or it is the name as stored in /etc/passwd, should this file exist and /etc/nsswitch.conf allows access (which is the default). Corinna -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 05:39 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|--- |WONTFIX Status|NEW |RESOLVED -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at bugzilla.mindrot.org
2019-Jul-19 12:04 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Resolution|WONTFIX |FIXED --- Comment #8 from Damien Miller <djm at mindrot.org> --- Corinna points out that this was indeed fixed: In fact we *did* fix it in OpenSSH 8.0 so that usernames as well as groupnames are now matched case-insensitive on Cygwin, here's the list of commits: f02afa350afa Revert "[auth.c] On Cygwin, refuse usernames that have differences in case" bed1d4369880 Revert unintended parts of previous commit. 37638c752041 Cygwin: implement case-insensitive Unicode user and group name matching daa7505aadca Use Cygwin-specific matching only for users+groups. a212107bfdf4 Replace alloca with xcalloc. -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.
bugzilla-daemon at mindrot.org
2021-Apr-23 05:11 UTC
[Bug 2764] Some Windows username get case-sensitive in sshd
https://bugzilla.mindrot.org/show_bug.cgi?id=2764 Damien Miller <djm at mindrot.org> changed: What |Removed |Added ---------------------------------------------------------------------------- Status|RESOLVED |CLOSED --- Comment #9 from Damien Miller <djm at mindrot.org> --- closing resolved bugs as of 8.6p1 release -- You are receiving this mail because: You are watching the assignee of the bug. You are watching someone on the CC list of the bug.