openssh bugs - Aug 2017 - [Bug 2764] New: Some Windows username get case-sensitive in sshd

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

            Bug ID: 2764
           Summary: Some Windows username get case-sensitive in sshd
           Product: Portable OpenSSH
           Version: 7.2p2
          Hardware: ARM64
                OS: Cygwin on NT/2k
            Status: NEW
          Severity: security
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: arvindo.kinny at cerner.com

Some windows 2012 users usernames get case-sensitive on Cygwin sshd

Version
Cygwin 2.5.1 and OpenSSH_7.2p2, OpenSSL 1.0.2h 3 May 2016
Some users work with any case username


Example:
Windows Active Directory Username: MyUser
SSH username not working: myUser

Here are the debug log statements

sshd debug log

debug1: KEX done
debug3: receive packet: type 5
debug3: send packet: type 6
debug3: receive packet: type 50
debug1: userauth-request for user myUser service ssh-connection method
none
debug1: attempt 0 failures 0
debug2: parse_server_config: config reprocess config len 367
Login name myUser does not match stored username MyUser
Invalid user myUser from 10.175.2.139
input_userauth_request: invalid user myUser
debug2: input_userauth_request: try method none
Failed none for invalid user myUser from 10.175.2.139 port 64504 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user myUser service ssh-connection method
keyboard-interactive
debug1: attempt 1 failures 0
debug2: input_userauth_request: try method keyboard-interactive
debug1: keyboard-interactive devs 
debug1: auth2_challenge: user=myUser devsdebug1: kbdint_alloc: devices
''
debug2: auth2_challenge_start: devices 
Failed keyboard-interactive for invalid user myUser from 10.175.2.139
port 64504 ssh2
debug3: userauth_finish: failure partial=0 next
methods="publickey,password,keyboard-interactive"
debug3: send packet: type 51
debug3: receive packet: type 50
debug1: userauth-request for user myUser service ssh-connection method
password
debug1: attempt 2 failures 1
debug2: input_userauth_request: try method password

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Arvindo <arvindo.kinny at cerner.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P5                          |P1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P1                          |P3
                 CC|                            |djm at mindrot.org
           Hardware|ARM64                       |All
           Severity|security                    |normal

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
What do you mean by "some usernames"? Being written for Unix first and
foremost- OpenSSH treats all usernames with case-sensitivity
internally, though the underlying operating system might have different
rules.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

--- Comment #2 from Arvindo <arvindo.kinny at cerner.com> ---
(In reply to Damien Miller from comment #1)
> What do you mean by "some usernames"? Being written for Unix
first
> and foremost- OpenSSH treats all usernames with case-sensitivity
> internally, though the underlying operating system might have
> different rules.
Damien
Thanks for your response. You are absolutely right, I agree with your
response, but we have this installed on windows server. Windows user
names are case-insensitive, and we are able login with different
username cases most of the time, but some usernames become case
sensitive, and openSSH explicitly requires specific username case. This
inconsistent behavior is causing us lot of problems. Is there a setting
in sshd-config or somewhere where we can specify all usernames to be
case-insensitive explicitly?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Jedd <jedd.cuison at cerner.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |jedd.cuison at cerner.com

--- Comment #3 from Jedd <jedd.cuison at cerner.com> ---
Hi Damien,

Thanks for replying. I can't agree with you more. The situation that
Arvindo is describing happens in Cygwin installed in Windows. Here's a
simple explanation on what we've experienced...

Initially, getpwnam will return the username in the case that it was
supplied in e.g. "jediknight" will return "jediknight" or
"Jedikight"
will return "Jediknight" then several days or weeks after...getpwnam
will start returning the username in a specific case e.g. "JEDIknight"
which does not match active directory's (AD). If it matches active
directory's then all is well since we will just consistently follow the
case that was specified there. Weirder still it can change to
"JediKnight", my guess is it has something to do with the Windows
login
but I don't exactly know how it happens. 

The thing is we don't generate "/etc/passwd" since we rely in
Cygwin
authenticating the user in AD. Although it is one workaround, the
problem that we have with that is that if a new user was created by the
client they might experience the issue again unless a new passwd is
generated. The thing is we wanted to make it simple for them e.g. not
generate passwd when they create a user.  

Anyways our idea is to have openssh have a flag to enable/disable
username case sensitivity. By default it is case sensitive and it is
applied under Cygwin ifdef. 

I created a pull request for you to review.

Thanks a lot!


Regards,

Jedd

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

--- Comment #4 from Jedd <jedd.cuison at cerner.com> ---
Btw here's the pull request of our proposed feature

https://github.com/openssh/openssh-portable/pull/78

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Arvindo <arvindo.kinny at cerner.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Severity|normal                      |major

--- Comment #5 from Arvindo <arvindo.kinny at cerner.com> ---
This causing us production issues, as users are unable to login with
different username case.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Arvindo <arvindo.kinny at cerner.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Priority|P3                          |P1

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |vinschen at redhat.com

--- Comment #6 from Damien Miller <djm at mindrot.org> ---
I don't think we'll add a configuration option for this, as it would
need to touch quite a few more places or risk causing
configuration-parsing ambiguity that could have security consequences
(e.g. "Match user").

Cc'ing Corinna, who is one of the Cygwin developers and who will know
much more about what is going on behind getpwnam().

-- 
You are receiving this mail because:
You are watching someone on the CC list of the bug.
You are watching the assignee of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

--- Comment #7 from Corinna Vinschen <vinschen at redhat.com> ---
Testing the username case-insensitive was discussed long ago
and we decided not to do that.  Check commit

https://github.com/openssh/openssh-portable/commit/acc9b29486dfd649dfda474e5c1a03b317449f1c

I don't know what's going on on your machine, but Cygwin does NOT
change usernames willy-nilly.  The username stored in Cygwin is
the one either returned by Windows via the WIn32 function
LookupAccountSidW, or it is the name as stored in /etc/passwd,
should this file exist and /etc/nsswitch.conf allows access
(which is the default).


Corinna

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |WONTFIX
             Status|NEW                         |RESOLVED

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|WONTFIX                     |FIXED

--- Comment #8 from Damien Miller <djm at mindrot.org> ---
Corinna points out that this was indeed fixed:

In fact we *did* fix it in OpenSSH 8.0 so that usernames as well as
groupnames are now matched case-insensitive on Cygwin, here's the list
of commits:

  f02afa350afa Revert "[auth.c] On Cygwin, refuse usernames that have
differences in case"
  bed1d4369880 Revert unintended parts of previous commit.
  37638c752041 Cygwin: implement case-insensitive Unicode user and
group name
matching
  daa7505aadca Use Cygwin-specific matching only for users+groups.
  a212107bfdf4 Replace alloca with xcalloc.

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.

https://bugzilla.mindrot.org/show_bug.cgi?id=2764

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|RESOLVED                    |CLOSED

--- Comment #9 from Damien Miller <djm at mindrot.org> ---
closing resolved bugs as of 8.6p1 release

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.