ws: Accept upper-case login names for ssh/polkit agent challenges #13934
Identity management domain users are usually case insensitive, in
particular the domain part. E. g. with FreeIPA, "user@domain" and
"user@DOMAIN" mean exactly the same. With AD, even the user name is case
insensitive, and in fact the canonical name starts with an upper case
("Administrator@DOMAIN").
Linux' canonical form (reverse resolution of uids, or $USER) is
lower-case, though. This led to a failed "original vs. challenge
subject" string comparison in authorize_check_user(), resulting in
sessions not getting root privileges.
To fix this, if a direct comparison fails, compare again against the
lower-case form of the credential's user name. This avoids having to
decode the subject's hex string and thus introducing more protocol
assumptions.
Note that native Linux user names are case sensitive, i. e. "user" and
"User" are both legitimate and different. This comparison is just a
plausibility check for not accidentally logging into a remote machine
that has a different user name and spilling the password. It's
acceptable to introduce the corner case for auto-logging into remote
machines if the remote user name only differs in case.
Revert the workaround for this bug from commit XXXXX, and explicitly
test a variation in case.
https://bugzilla.redhat.com/show_bug.cgi?id=1825749
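
The two-step comparison described in the commit message, as an added C example that is not the project's own code. The helper names and sample values are hypothetical, and it assumes the challenge subject is the user name hex-encoded with lower-case hex digits.

```c
#include <ctype.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical helper: hex-encode a user name, optionally lower-casing it
 * first. Returns a malloc'd string, or NULL on allocation failure. */
static char *hex_encode_user (const char *user, bool lower)
{
  static const char digits[] = "0123456789abcdef";
  size_t len = strlen (user);
  char *out = malloc (len * 2 + 1);
  if (!out)
    return NULL;
  for (size_t i = 0; i < len; i++)
    {
      unsigned char c = (unsigned char) user[i];
      if (lower)
        c = (unsigned char) tolower (c);
      out[i * 2] = digits[c >> 4];
      out[i * 2 + 1] = digits[c & 0x0f];
    }
  out[len * 2] = '\0';
  return out;
}

/* Hypothetical check: encode the credential's user name and compare it to
 * the challenge subject, first verbatim, then lower-cased. The subject is
 * never decoded or case-folded, so a remote "User" does not match a
 * credential for "user". */
static bool subject_matches_user (const char *subject_hex, const char *cred_user)
{
  bool ok = false;
  for (int lower = 0; lower <= 1 && !ok; lower++)
    {
      char *encoded = hex_encode_user (cred_user, lower != 0);
      ok = encoded != NULL && strcmp (encoded, subject_hex) == 0;
      free (encoded);
    }
  return ok;
}

int main (void)
{
  /* Constructed sample: subject is hex of "admin@domain" */
  const char *subject = "61646d696e40646f6d61696e";
  printf ("match: %d\n", subject_matches_user (subject, "Admin@DOMAIN"));
  return 0;
}
```

The fallback is one-directional: only the credential side is lower-cased, which is the corner case the commit message accepts.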