{ "version": "https://jsonfeed.org/version/1", "title": "Random tech stuff", "description": "", "home_page_url": "https://blog.antonin.verrier.eu", "feed_url": "https://blog.antonin.verrier.eu/feed.json", "user_comment": "", "author": { "name": "Antonin Verrier" }, "items": [ { "id": "https://blog.antonin.verrier.eu/openssh-authorizedkeysfile-and-winbind/", "url": "https://blog.antonin.verrier.eu/openssh-authorizedkeysfile-and-winbind/", "title": "[OpenSSH] AuthorizedKeysFile and winbind", "summary": "

A tale about OpenSSH, \"winbound\" users and the %u variable expansion.

\n", "content_html": "

A tale about OpenSSH, \"winbound\" users and the %u variable expansion.

\n
\n

(Tested on Debian 13 Trixie)

\n

Quick note about something I spent waaaaayyyyy too long figuring out.

\n

Let's imagine you want to have some form of central management for AuthorizedKeysFile, so you configure OpenSSH like that:

\n

AuthorizedKeysFile /etc/ssh/keys/%u

\n

And then you users actually come from an Active Directory domain, so you have winbind, who will give you usernames like DOMAIN\\johndoe.

\n

Well, the %u will actually be expanded by OpenSSH as DOMAINjohndoe  (notice the missing slash) for the purposes of SSH login, even if the user actually only logs-in as johndoe.

\n

Meanwhile, pam_ssh_agent_auth (PAM module which allow, for example, pseudo password-less sudo) will actually expand %u to DOMAIN\\johndoe.

", "author": { "name": "Antonin Verrier" }, "tags": [ "sysadmin", "openssh", "opensource", "linux" ], "date_published": "2026-05-11T19:52:15+02:00", "date_modified": "2026-05-11T20:08:00+02:00" }, { "id": "https://blog.antonin.verrier.eu/opnsense-allow-router-to-connect-across-ipsec-tunnel/", "url": "https://blog.antonin.verrier.eu/opnsense-allow-router-to-connect-across-ipsec-tunnel/", "title": "[OpnSense] allow router to connect across IPSec tunnel", "summary": "

A bit on OpnSense IPSec tunneling and the routing config that should probably have been on by default.

\n", "content_html": "

A bit on OpnSense IPSec tunneling and the routing config that should probably have been on by default.

\n
\n

(Tested on OpnSense 26.1)

\n

When setting up an IPSec tunnel in OpenSense, by default, the tunnel will not be used to to access remote hosts by services running on the firewall host itself (eg. : LDAP for auth, syslog, etc.)

\n

To allow services running on OpenSense to use the tunnel:

\n
    \n
  1. Create a gateway (System > Gateways > Configuration), bind it to the LAN interface, with the LAN IP as the gateway IP
    \"gateway
    2. \n
  2. Create a route (System > Routes > Configuration) for the remote subnet and bind it to the gateway you just created
    \"Route
    3. \n
\n

That's it!

", "author": { "name": "Antonin Verrier" }, "tags": [ "opnsense", "opensource", "networking" ], "date_published": "2026-05-11T17:54:55+02:00", "date_modified": "2026-05-11T20:04:30+02:00" } ] }