Fwd: [patch] new sshd_config directive CanonicalMatchUser
Zoltan Fridrich
zfridric at redhat.com
Thu Oct 30 23:37:25 AEDT 2025
Hello,

I have worked on a similar issue to [1] for RHEL. I have created a patch
that adds an sshd_config directive "CanonicalMatchUser" that makes sshd
attempt to obtain a canonical username from a password database instead of
directly using a user-provided username, which could be an alias, in which
case the Match User condition in sshd_config would not evaluate to true
even though the user is able to authenticate. This option would be
especially useful for AD and LDAP users, where capitalizing letters in the
username fails the Match User condition.

I am attaching a patch with the change, which I have also filed upstream [2].

Kind regards,
Zoltan

[1] https://bugzilla.mindrot.org/show_bug.cgi?id=3853#c1
[2] https://github.com/openssh/openssh-portable/pull/604
-------------- next part --------------
A non-text attachment was scrubbed...
Name: openssh-canonical-match-user.patch
Type: application/x-patch
Size: 5061 bytes
Desc: not available
URL: <http://lists.mindrot.org/pipermail/openssh-unix-dev/attachments/20251030/82720cde/attachment.bin>
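
The mismatch described in the message above, as an added illustration that is not code from the attached patch or from OpenSSH. The directory table, `canonical_name()` (a stand-in for a password-database lookup such as getpwnam(3)), the exact-string `match_user()` and the fall-back to the typed name on a failed lookup are all assumptions made for this sketch.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Constructed sample data: models an AD/LDAP-backed password database that
 * resolves names case-insensitively and accepts aliases. */
struct entry { const char *lookup; const char *canonical; };
static const struct entry directory[] = {
    { "jdoe", "jdoe" },
    { "john.doe", "jdoe" },     /* alias for the same account */
    { "backup", "backup" },
};

/* Hypothetical stand-in for getpwnam(typed)->pw_name; NULL if unknown. */
static const char *canonical_name(const char *typed)
{
    for (size_t i = 0; i < sizeof(directory) / sizeof(directory[0]); i++)
        if (strcasecmp(typed, directory[i].lookup) == 0)
            return directory[i].canonical;
    return NULL;
}

/* Simplified Match User: one exact, case-sensitive name, no wildcards. */
static int match_user(const char *name, const char *pattern)
{
    return strcmp(name, pattern) == 0;
}

/* 1 if a "Match User <pattern>" block would apply to this login.
 * canonicalize=0 matches on the client-supplied string; canonicalize=1
 * matches on the looked-up name, falling back to the typed name when the
 * lookup fails (assumed behaviour, the patch is not shown on this page). */
static int block_applies(const char *typed, const char *pattern, int canonicalize)
{
    const char *name = canonicalize ? canonical_name(typed) : typed;
    return match_user(name != NULL ? name : typed, pattern);
}

int main(void)
{
    const char *typed[] = { "jdoe", "JDoe", "john.doe", "backup" };
    for (size_t i = 0; i < sizeof(typed) / sizeof(typed[0]); i++)
        printf("%-9s raw=%d canonical=%d\n", typed[i],
            block_applies(typed[i], "jdoe", 0),
            block_applies(typed[i], "jdoe", 1));
    return 0;
}
```

Restrictions placed in a Match User block apply only in the rows where the result is 1, so the `raw` column shows logins that authenticate as jdoe yet skip that block.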