[OpenSSH] AuthorizedKeysFile and winbind

2026-05-11T19:52:15+02:00

A tale about OpenSSH, "winbound" users and the %u variable expansion.

(Tested on Debian 13 Trixie)

Quick note about something I spent waaaaayyyyy too long figuring out.

Let's imagine you want to have some form of central management for AuthorizedKeysFile, so you configure OpenSSH like that:

AuthorizedKeysFile /etc/ssh/keys/%u

And then you users actually come from an Active Directory domain, so you have winbind, who will give you usernames like DOMAIN\johndoe.

Well, the %u will actually be expanded by OpenSSH as DOMAINjohndoe (notice the missing slash) for the purposes of SSH login, even if the user actually only logs-in as johndoe.

Meanwhile, pam_ssh_agent_auth (PAM module which allow, for example, pseudo password-less sudo) will actually expand %u to DOMAIN\johndoe.

[OpnSense] allow router to connect across IPSec tunnel

2026-05-11T17:54:55+02:00

A bit on OpnSense IPSec tunneling and the routing config that should probably have been on by default.

(Tested on OpnSense 26.1)

When setting up an IPSec tunnel in OpenSense, by default, the tunnel will not be used to to access remote hosts by services running on the firewall host itself (eg. : LDAP for auth, syslog, etc.)

To allow services running on OpenSense to use the tunnel:

Create a gateway (System > Gateways > Configuration), bind it to the LAN interface, with the LAN IP as the gateway IP
Create a route (System > Routes > Configuration) for the remote subnet and bind it to the gateway you just created

That's it!

Random tech stuff

[OpenSSH] AuthorizedKeysFile and winbind

[OpnSense] allow router to connect across IPSec tunnel