[Bug 3853] New: Potential Match User block evasion for kerberos realm users

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Thu Jul 31 22:54:49 AEST 2025


https://bugzilla.mindrot.org/show_bug.cgi?id=3853

            Bug ID: 3853
           Summary: Potential Match User block evasion for kerberos realm
                    users
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: zlatistiv at gmail.com

I have a Linux server joined to Microsoft Active Directory.

I have enforced only lowercase letters for usernames through PAM to
avoid the pitfall where, due to the case-insensitivity of AD, the "Match
User" block can be skipped, which from what I've read is expected and is
not an issue of OpenSSH. But there seems to be one more tricky condition,
which is when the user precedes their username with the domain, as in
"ssh <domain>\\<username>@<server name>".

When they do this, their username will not match the "Match User" block.

I'm not completely sure whether this is expected behavior or not, but
backslashes are not valid in Unix usernames, so perhaps the preceding
<domain>\\ should be ignored?

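As an added illustration (not part of the bug report and not OpenSSH's own code), the Python script below models the mismatch the reporter describes: sshd evaluates "Match User" against the login name exactly as the client sent it, while an AD-backed account stack may map "CORP\alice", "Alice" and "alice" to the same Unix account. The pattern-list matcher follows the documented Match semantics (comma-separated patterns, '*' and '?' wildcards, a leading '!' negates). The account-resolution step, canonical_account(), is an assumption about how an SSSD/winbind setup folds the DOMAIN\ prefix and case, and is_posix_username() is a suggested front-door check for names that cannot be valid Unix logins, not something sshd does today.

```python
import re

# Added example, not OpenSSH code. Models sshd's "Match User" pattern-list
# semantics and a hypothetical AD-backed account resolver, to show why a
# login name sent as DOMAIN\user or with different case can dodge a Match
# block while still landing on the same Unix account.


def _glob_to_regex(pattern: str) -> re.Pattern:
    """Translate an sshd-style glob ('*' and '?' only) into an anchored regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    return re.compile("^" + "".join(parts) + "$")


def match_pattern_list(name: str, patterns: str) -> bool:
    """Case-sensitive match in the style of sshd's pattern lists: any
    matching negated pattern rejects immediately; otherwise the name is
    accepted if some positive pattern matched."""
    got_positive = False
    for pat in patterns.split(","):
        negated = pat.startswith("!")
        if negated:
            pat = pat[1:]
        if _glob_to_regex(pat).match(name):
            if negated:
                return False
            got_positive = True
    return got_positive


def canonical_account(login_name: str) -> str:
    r"""Hypothetical model (assumption) of an AD-backed NSS/PAM stack: strip a
    leading DOMAIN\ prefix and fold case, so CORP\Alice and alice resolve to
    the same account. Real SSSD/winbind behaviour depends on configuration."""
    bare = login_name.rsplit("\\", 1)[-1]
    return bare.lower()


# Conservative shape of a portable Unix login name (what useradd accepts by
# default): lowercase start, no backslash, no domain separator.
POSIX_USERNAME = re.compile(r"^[a-z_][a-z0-9_-]*\$?$")


def is_posix_username(login_name: str) -> bool:
    """True only for names that can be valid local Unix logins."""
    return POSIX_USERNAME.match(login_name) is not None


def evasion_report(login_name: str, match_user_patterns: str) -> dict:
    """Compare what Match User sees (the raw login name) with what the
    account resolver would map it to, and whether a POSIX-shape check
    would have rejected the raw name up front."""
    resolved = canonical_account(login_name)
    return {
        "login_name": login_name,
        "resolves_to": resolved,
        "match_applies_to_raw_name": match_pattern_list(login_name, match_user_patterns),
        "match_applies_to_resolved": match_pattern_list(resolved, match_user_patterns),
        "rejected_by_posix_check": not is_posix_username(login_name),
    }


if __name__ == "__main__":
    # Constructed sample login names; "alice" is the pattern the admin wrote.
    for name in ("alice", "Alice", "CORP\\alice", "CORP\\Alice"):
        print(evasion_report(name, "alice"))
```

Running it shows that only the literal "alice" satisfies a "Match User alice" block, yet every variant resolves to the same account under the modelled resolver; the variants that slip past the block are exactly the ones the POSIX-shape check rejects, which is the reporter's point about backslashes never being valid in a Unix username.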