bugzilla-daemon at mindrot.org
2025-Jul-31 12:54 UTC
[Bug 3853] New: Potential Match User block evasion for kerberos realm users
https://bugzilla.mindrot.org/show_bug.cgi?id=3853

            Bug ID: 3853
           Summary: Potential Match User block evasion for kerberos realm users
           Product: Portable OpenSSH
           Version: 10.0p2
          Hardware: All
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P5
         Component: sshd
          Assignee: unassigned-bugs at mindrot.org
          Reporter: zlatistiv at gmail.com

I have a Linux server joined to Microsoft Active Directory. I have enforced only lowercase letters for usernames through PAM to avoid the pitfall where, due to the case-insensitivity of AD, the "Match User" block can be skipped, which from what I've read is expected and is not an issue of openssh. But there seems to be 1 more tricky condition, which is when the user precedes their username with the domain, as in:

    ssh <domain>\\<username>@<server name>

Doing this, their username will not match the "Match User" block. I'm not completely sure whether this is expected behavior or not, but backslashes are not valid for unix usernames, so perhaps the preceding <domain>\\ should be ignored?

-- 
You are receiving this mail because:
You are watching the assignee of the bug.
bugzilla-daemon at mindrot.org
2025-Aug-01 00:20 UTC
[Bug 3853] Potential Match User block evasion for kerberos realm users
https://bugzilla.mindrot.org/show_bug.cgi?id=3853

Damien Miller <djm at mindrot.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |djm at mindrot.org

--- Comment #1 from Damien Miller <djm at mindrot.org> ---
sshd can't really do anything to fix this because sshd isn't aware of stuff beneath the POSIX pwd.h API.

One thing you can do is to ban usernames in non-standard forms using more Match rules, e.g.

> Match user *\\*
> RefuseConnection yes

Ideally your NSS configuration (or whatever you're using to connect to AD) would have an option to only accept names in a canonical form. sshd is not the only software that can get bitten by this.
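As an added illustration that is not part of this bug thread or of OpenSSH itself: a Python model of sshd's "Match User" pattern semantics (the match_pattern/match_pattern_list logic: case-sensitive, `*`/`?` wildcards, comma-separated lists, `!` negation), evaluated against the canonical login name, the `DOMAIN\user` form from the report, and a differently-cased name. Assumed: the two-block config is constructed, and sshd's config parser reduces the `\\` written in the file to a single backslash in the pattern.

```python
import re

# Models sshd's Match User matching to show why "DOMAIN\user" slips past a
# "Match User alice" block and why a "Match user *\\*" rule catches it.
# This is a model of OpenSSH's match_pattern()/match_pattern_list(), not its code.

def match_pattern(s: str, pattern: str) -> bool:
    """'*' matches any run of characters, '?' matches exactly one; everything
    else is literal and the comparison is case-sensitive (as in sshd)."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, s, flags=re.DOTALL) is not None

def match_pattern_list(s: str, patterns: str) -> int:
    """Comma-separated patterns; a leading '!' negates. Returns 1 on a match,
    -1 when a negated pattern matched (explicit refusal), 0 when nothing matched."""
    matched = 0
    for p in patterns.split(","):
        if not p:
            continue
        negated = p.startswith("!")
        if negated:
            p = p[1:]
        if match_pattern(s, p):
            if negated:
                return -1
            matched = 1
    return matched

# Constructed sshd_config fragment. Assumption: "*\\*" in the file reaches
# the matcher as the pattern *\* (any username containing a backslash).
MATCH_BLOCKS = [
    ("restricted", "alice"),   # Match User alice  -> ForceCommand ...
    ("refuse",     "*\\*"),    # Match User *\\*   -> RefuseConnection yes
]

def applicable_blocks(user: str) -> list:
    """Names of the Match blocks whose User criterion accepts this login name."""
    return [name for name, pattern in MATCH_BLOCKS
            if match_pattern_list(user, pattern) == 1]

if __name__ == "__main__":
    for login in ("alice", "EXAMPLE\\alice", "Alice"):
        print(f"{login!r:20} -> {applicable_blocks(login)}")
```

The name sshd matches against is whatever the client sent, so the domain-prefixed form only reaches the "refuse" block; whether it still resolves to the same account is decided below the pwd.h API, in NSS/PAM, exactly as the comment above says.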