
#46 SendLocalUserName=1 and user name lowercase/uppercase issue

General issue
closed-fixed
DRC
None
5
2025-05-11
2016-05-12
No

When the Java viewer with SendUsername=1 is used, the username in the password prompt window is prepopulated for the user, like John.Doe for example, and it is sent to the VNC server side as expected. Xvnc then matches that username against the ACL list and it is also working as expected - except that the username comparison is case sensitive. Technically it is correct behaviour, but practically on the Windows side lettercase is meaningless and John.Doe is equal to john.doe. On the Linux side lettercase is meaningful, so most systems, including the one I discovered this issue on, convert all usernames coming from Active Directory to lowercase. So in the end we have John.Doe coming from Windows that is mapped to a uid having username john.doe. At this stage auth.c goes through the ACL doing strcmp, which is case sensitive, and fails. The section of code that includes the strcmp triggering this issue is shown below.

Would it be possible to make usernames coming from the Windows side case insensitive, by changing strcmp to strcasecmp for example?

unix/Xvnc/programs/Xserver/hw/vnc/auth.c

if (rfbAuthUserACL) {
    UserList *p = userACL;

    if (p == NULL)
        rfbLog("WARNING: User ACL is empty.  No users will be allowed to log in with Unix Login authentication.\n");

    while (p != NULL) {
        if (!strcmp(p->name, userBuf))
            break;
        p = p->next;
    }

Discussion

  • DRC

    DRC - 2016-05-12

    Hmmm... Well, Linux doesn't typically allow user names with uppercase letters by default, but there are some reasons why one might override that on their particular Linux installation (http://askubuntu.com/questions/46739/case-sensitivity-of-account-usernames). Furthermore, the TurboVNC Server is just acting as a bridge between the RFB protocol and PAM. It has no way of knowing which O/S a particular client is running, and it also has no way of knowing how a particular user/password combo will be authenticated using PAM. Even if the Linux server isn't allowing uppercase usernames, it may be farming off authentication to an LDAP server that does.

    I think the best solution is to address this at the client end, by adding a new parameter (UsernameLowerCase) to the Java viewer that automatically converts the user name to lowercase.

     
  • DRC

    DRC - 2016-05-13

    Upon further reflection, it seems like this could be done somewhat automatically, by detecting whether the Java viewer is running on a Windows machine and, if SendLocalUsername is specified, converting the local username to lowercase before sending it. I would still want to provide the UsernameLowerCase parameter to allow users to override that behavior, if necessary, but it seems like we could intelligently set the default for that parameter based on the client O/S.

     
  • DRC

    DRC - 2016-05-18

    What do you think of my proposed solution? Nothing is going to happen on this until/unless you give me feedback.

     
  • Marcin Mogielnicki

    Hi DRC,

    Thank you very much for looking at that issue.

    UsernameLowerCase parameter is simpler and would do, it could be specified in either jnlp file or in url together with SendLocalUsername to work my issue around. I'm happy to deal with adding that parameter, no need for hidden logic to tweak username automatically.

     
  • DRC

    DRC - 2016-08-08
    • status: open --> closed-fixed
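
The trade-off discussed in this thread, as an added C example that is not TurboVNC code: exact matching rejects John.Doe against an ACL entry john.doe, lowercasing at the client makes the exact match succeed, and folding case on the server would also admit admin against a distinct entry Admin. The UserList layout, the helper names and the sample ACL are assumptions constructed for illustration.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Stand-in for the server's ACL node (assumed layout: only name/next appear in the excerpt). */
typedef struct UserList { const char *name; struct UserList *next; } UserList;

/* Compare two names; when fold is nonzero, ASCII letter case is ignored. */
static int name_equal(const char *a, const char *b, int fold)
{
    if (!fold)
        return strcmp(a, b) == 0;
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b))
            return 0;
    return *a == *b;   /* equal only if both strings ended together */
}

/* Walk the ACL as the excerpt does. Returns 1 if user is listed. */
static int acl_allows(const UserList *acl, const char *user, int fold)
{
    for (const UserList *p = acl; p != NULL; p = p->next)
        if (name_equal(p->name, user, fold))
            return 1;
    return 0;
}

/* Hypothetical client step: lowercase the name before it is sent. Returns -1 if dst is too small. */
static int lowercase_username(char *dst, size_t dstlen, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstlen)
        return -1;
    for (size_t i = 0; i <= n; i++)   /* <= copies the terminating NUL */
        dst[i] = (char)tolower((unsigned char)src[i]);
    return 0;
}

/* Lowercase at the client, exact match at the server. */
static int login_lowercased(const UserList *acl, const char *typed)
{
    char buf[64];
    return lowercase_username(buf, sizeof buf, typed) == 0 && acl_allows(acl, buf, 0);
}

/* Constructed sample ACL: john.doe, then Admin. */
static UserList acl_tail = { "Admin", NULL };
static UserList sample_acl = { "john.doe", &acl_tail };

int main(void) { return login_lowercased(&sample_acl, "John.Doe") ? 0 : 1; }
```

With client-side lowercasing and exact server matching, an ACL entry that contains uppercase letters (Admin in the sample) can never match, so ACL entries have to be written in lowercase.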
     