case sensitivity, "match user" and "allowusers"


I'm running an SSH daemon on Cygwin on Windows Server 2003.  SSH
version is 5.1.  cygrunsrv version is 1.34.

I have the following in my sshd_config file.

Match User user

What some users have discovered is that they can log in with
arbitrarily mixed case user names.  For instance, logging in as "usEr"
is exactly the same as logging in with "USer" as well as the other
fourteen possible combinations for a four-letter username.  Further,
only the all-lowercase version invokes ""

I thought I might be able to solve this with the following.

AllowUsers user

I thought this would force sshd to only let one case combination
through.  However, all case combinations can still log in and
"" is not getting executed.  In other words, there is a
discrepancy between how "Match User" and "AllowUsers" behave in this regard.
Does anyone have any idea how to get around this?  I don't want to add
2^(length of user name) "Match User" entries to the sshd_config file
for every user, which is the only remedy at the moment.
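
A detection sketch for the behaviour described in this post, added here as an example and not part of the original post: it scans sshd "Accepted ..." log messages for logins whose name equals a "Match User" name only when case is ignored, which are the sessions that skipped the Match block. It assumes sshd logs the user name as the client typed it; the function name and the sample log lines are constructed for illustration.

```python
import re

# Message OpenSSH writes for a successful authentication.
ACCEPTED = re.compile(
    r"Accepted (?P<method>\S+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def find_case_variant_logins(log_lines, match_users):
    """Return (typed_name, config_name, source, method) for every accepted
    login whose name matches a "Match User" entry only case-insensitively.

    match_users: names exactly as written on "Match User" lines in sshd_config.
    """
    exact = set(match_users)
    folded = {name.lower(): name for name in match_users}
    findings = []
    for line in log_lines:
        m = ACCEPTED.search(line)
        if m is None:
            continue  # failed logins and unrelated messages
        typed = m.group("user")
        config_name = folded.get(typed.lower())
        # Exact match: the Match block applied. No folded match: not a
        # user covered by any Match block. Anything else slipped past it.
        if config_name is not None and typed not in exact:
            findings.append((typed, config_name, m.group("src"), m.group("method")))
    return findings

# Constructed sample log lines (documentation address ranges).
SAMPLE_LOG = [
    "Jan 12 09:14:02 host sshd[2311]: Accepted password for user from 192.0.2.10 port 50122 ssh2",
    "Jan 12 09:20:45 host sshd[2340]: Accepted password for usEr from 192.0.2.10 port 50190 ssh2",
    "Jan 12 09:31:07 host sshd[2377]: Accepted publickey for USer from 198.51.100.7 port 41022 ssh2",
    "Jan 12 09:40:13 host sshd[2401]: Failed password for USER from 198.51.100.7 port 41030 ssh2",
    "Jan 12 09:44:51 host sshd[2419]: Accepted password for other from 192.0.2.33 port 50311 ssh2",
]

if __name__ == "__main__":
    for typed, config_name, src, method in find_case_variant_logins(SAMPLE_LOG, ["user"]):
        print(f"login as {typed!r} from {src} ({method}) bypassed 'Match User {config_name}'")
```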

