[cvsnt] Re: cygwin ssh server and author being set to SYSTEM

[Pavel Goran]

Darren Healey wrote:
> Can somebody help me out by getting me up to date with the problem
> presented at the following thread?
> 
> http://www.cvsnt.org/pipermail/cvsnt/2001-December/000229.html
> 
> I am currently using SSH with password authentication rather than public
> keys because of this problem, but I would prefer to use keys.
> 
> Some questions I have about this:
> 
> 1.Has this been fixed?

Tony Hoyle wrote:
>> 1.Has this been fixed?
> AFAIK it's not possible to fix it.

There are actually two problems here: 1) a problem with CygWin/OpenSSH
(after  public  key  authentication  GetUserName()  returns  incorrect
value)  and  2)  a problem with CVSNT run by OpenSSH (after public key
authentication incorrect username is used for logs and other things).

Whereas  the  first  problem  probably can't be (easily) resolved, the
second one can be worked around, as described below.

Currently,  CVSNT  uses  its function getcaller() to get an user name.
(In  several  places getlogin() is also used.) In the case of Windows,
if  the CVS_Username variable is NULL (that is, pserver or the like is
not  active),  the  function  first  tries  to  get  the username from
getlogin()  (which  maps  to  GetUserName()); if it fails, environment
variables 'LOGNAME' and 'USER' are used to determine the user name. In
our  case,  getlogin()  returns 'SYSTEM' (or whatever user the OpenSSH
service is running under), and getcaller() accepts it.

The  proposed  work-around is to check if getlogin() returns 'SYSTEM',
and  if  this  is  the case, to reject this value and get the username
from  environment  variables (OpenSSH correctly set both 'LOGNAME' and
'USER').  For  this  to  work,  all  other  getlogin() calls should be
replaced with getcaller() calls.

There  are several potential issues with this solution. First, OpenSSH
may  be  run under an user different from 'SYSTEM'. In order to handle
this,  the  user  name that getcaller() should reject needs to be made
configurable. Second, a user that logged in with SSH can make CVSNT to
use  arbitrary  value  as  its  username  -  particularly,  he/she can
attribute  his/her  changes  to an arbitrary user. However, if an user
can  access  shell,  he/she  can  do  that  anyway by directly editing
repository  files.  And  if  an  administrator doesn't trust its users
and/or  wants  to prevent them from messing with usernames/identities,
he/she  can use restricted shell and instruct OpenSSH to ignore users'
attempts to set environment variables (PermitUserEnvironment=no).

I implemented the described behaviour and can make the patch.

Pavel Goran