[Bug 3853] Potential Match User block evasion for kerberos realm users
bugzilla-daemon at mindrot.org
bugzilla-daemon at mindrot.org
Fri Aug 1 10:20:20 AEST 2025
https://bugzilla.mindrot.org/show_bug.cgi?id=3853
Damien Miller <djm at mindrot.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |djm at mindrot.org
--- Comment #1 from Damien Miller <djm at mindrot.org> ---
sshd can't really do anything to fix this because sshd isn't aware of
stuff beneath the POSIX pwd.h API.
One thing you can do is to ban usernames in non-standard forms using
more Match rules, e.g.
> Match user *\\*
> RefuseConnection yes
Ideally your NSS configuration (or whatever you're using to connect to
AD) would have an option to only accept names in a canonical form. sshd
is not the only software that can get bitten by this.
--
You are receiving this mail because:
You are watching the assignee of the bug.
You are watching someone on the CC list of the bug.
More information about the openssh-bugs
mailing list