Hello,

I sent this last week before signing up for the list, but haven't seen it in the archives, so I'm guessing it got discarded either as spam or HTML (sorry about that). In any case, the following was sent to comp.security.ssh early last week and I have gotten no response there. Can anyone here shed some light?

Thanks,
Eric

------------------------------------------

Hello,

I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH version is 5.1. cygrunsrv version is 1.34. I have the following in my sshd_config file.

Match User user
    ForceCommand start.sh

What some users have discovered is that they can log in with arbitrarily mixed case user names. For instance, logging in as "usEr" is exactly the same as logging in with "USer" as well as the other fourteen possible combinations for a four-letter username. Further, only the all-lowercase version invokes "start.sh." I thought I might be able to solve this with the following.

AllowUsers user

I thought this would force sshd to only let one case combination through. However, all case combinations can still log in and "start.sh" is not getting executed. In other words, there is a discrepancy between "Match User" and "AllowUsers" in this regard. Does anyone have any idea how to get around this? I don't want to add 2^(length of user name) "Match User" entries to the sshd_config file for every user, which is the only remedy at the moment.

Thanks
[+Corinna Vinschen]

It looks like Windows is matching users case-insensitively. OpenSSH always performs case-sensitive matching (following Unix). If this is the case, then perhaps we should tolower() all usernames on Windows?

-d

On Mon, 1 Feb 2010, Hu, Eric wrote:
> Hello,
>
> I sent this last week before signing up for the list, but haven't seen
> it in the archives, so I'm guessing it got discarded either as spam
> or HTML (sorry about that). In any case, the following was sent to
> comp.security.ssh early last week and I have gotten no response there.
> Can anyone here shed some light?
>
> ------------------------------------------
>
> Hello,
>
> I'm running an SSH daemon on Cygwin on Windows Server 2003. SSH
> version is 5.1. cygrunsrv version is 1.34. I have the following in my
> sshd_config file.
>
> Match User user
>     ForceCommand start.sh
>
> What some users have discovered is that they can log in with
> arbitrarily mixed case user names. For instance, logging in as "usEr"
> is exactly the same as logging in with "USer" as well as the other
> fourteen possible combinations for a four-letter username. Further,
> only the all-lowercase version invokes "start.sh." I thought I might
> be able to solve this with the following.
>
> AllowUsers user
>
> I thought this would force sshd to only let one case combination
> through. However, all case combinations can still log in and
> "start.sh" is not getting executed. In other words, there is a
> discrepancy between "Match User" and "AllowUsers" in this regard.
> Does anyone have any idea how to get around this? I don't want to add
> 2^(length of user name) "Match User" entries to the sshd_config file
> for every user, which is the only remedy at the moment.
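An added model of the gap Eric reports and of the tolower() idea Damien raises; this is illustration code, not code from the thread or from OpenSSH. It assumes that AllowUsers is checked against the account name the OS lookup returns while Match User sees the name the client typed, and it uses fnmatchcase as a stand-in for sshd's own pattern matcher.

```python
from fnmatch import fnmatchcase
from itertools import product

def match_pattern_list(name, patterns):
    """Simplified stand-in for OpenSSH's match_pattern_list(): comma-separated glob
    patterns, a leading '!' negates, first hit decides.  Case-sensitive, as on Unix
    (assumption: fnmatchcase approximates sshd's own matcher closely enough)."""
    for pat in patterns.split(","):
        negate = pat.startswith("!")
        pat = pat[1:] if negate else pat
        if fnmatchcase(name, pat):
            return -1 if negate else 1
    return 0

def os_lookup(login, accounts, case_insensitive):
    """Model getpwnam(): Windows/Cygwin resolves a name regardless of case and
    returns the canonical spelling; Unix needs an exact match."""
    for canonical in accounts:
        if canonical == login or (case_insensitive and
                                  canonical.lower() == login.lower()):
            return canonical
    return None

def sshd_decision(login, accounts, allow_users, match_user,
                  case_insensitive_os=True, normalize=False):
    """Return (login_allowed, forcecommand_applies) for one attempt.  Assumption
    (not stated in the thread): AllowUsers is checked against the canonical name
    from the OS lookup, Match User against the name the client sent.
    normalize=True models Damien's suggestion of tolower() on the username."""
    if normalize:
        login = login.lower()
    canonical = os_lookup(login, accounts, case_insensitive_os)
    if canonical is None:
        return (False, False)
    allowed = match_pattern_list(canonical, allow_users) == 1
    forced = match_pattern_list(login, match_user) == 1
    return (allowed, allowed and forced)

def case_variants(name):
    """All upper/lower spellings of a name (2**len(name) for an all-letter name)."""
    return sorted({"".join(t) for t in product(*[(c.lower(), c.upper()) for c in name])})

def audit(name, accounts, allow_users, match_user, **kw):
    """Spellings sshd lets in that skip the Match block: the gap Eric describes."""
    return [v for v in case_variants(name)
            if sshd_decision(v, accounts, allow_users, match_user, **kw) == (True, False)]

if __name__ == "__main__":
    print(audit("user", ["user"], "user", "user"))                  # 15 spellings skip Match
    print(audit("user", ["user"], "user", "user", normalize=True))  # []
```

Running it with an all-lowercase account and the config from the thread lists the fifteen mixed-case spellings that are let in without ForceCommand; the same audit with case_insensitive_os=False (a Unix host) or normalize=True returns nothing.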