Hi, On Wed, Nov 27, 2024 at 04:54:39PM +0100, Marc Haber wrote: > Can you outline an attack/failure scenario?
On the failure side, I did a few tests and noticed that on Debian 12 if I create a user with for example é in their username then I can log in by SSH as long as that é is encoded the same way: as utf-8 0xC3 0xA9. But if that é is made of the combining characters 0x65 0xCC 0x81 (as that one just was) then that's not the same user even if it looks the same. Upon login, the logs from sshd contain the escaped bytes but the logs from PAM and systemd-logind are in utf-8: 2024-11-23T00:35:37.743827+00:00 arran sshd[1903006]: Accepted password for h\303\251llo from 200:d0e9:8d97:72fe:69af:eb63:7e9e:1f07 port 37396 ssh2 2024-11-23T00:35:37.744825+00:00 arran sshd[1903006]: pam_unix(sshd:session): session opened for user héllo(uid=1001) by (uid=0) So, anything which parses usernames out of logs will need to be aware of that. Thanks, Andy
