ws: Accept upper-case login names for ssh/polkit agent challenges

[martinpitt]

Identity management domain users are usually case insensitive, in
particular the domain part. E. g. with FreeIPA, "user@domain" and
"user@DOMAIN" mean exactly the same. With AD, even the user name is case
insensitive, and in fact the canonical name starts with an upper case
("Administrator@DOMAIN").

Linux' canonical form (reverse resolution of uids, or $USER) is
lower-case, though. This led to a failed "original vs. challenge
subject" string comparison in authorize_check_user(), resulting in
sessions not getting root privileges.

To fix this, if a direct comparison fails, compare again against the
lower-case form of the credential's user name. This avoids having to
decode the subject's hex string and thus introducing more protocol
assumptions.

Note that native Linux user names are case sensitive, i. e. "user" and
"User" are both legitimate and different. This comparison is just a
plausibility check for not accidentally logging into a remote machine
that has a different user name and spilling the password. It's
acceptable to introduce the corner case for auto-logging into remote
machines if the remote user name only differs in case.

Revert the workaround for this bug from commit XXXXX, and explicitly
test a variation in case.

https://bugzilla.redhat.com/show_bug.cgi?id=1825749

• Builds on top of PR test: Refactor check-realms, add initial AD tests #13921
• Fails on distropkg
• Replace XXXX in commit message and test once the PR above lands

[martinpitt]

Still a distropkg failure, fixed.

[martinpitt]

There are still two flakes about realm join taking more than a minute, we need to bump the timeout there. But that's entirely unrelated to this PR, I'll send a follow-up.