[OpenSSH] AuthorizedKeysFile and winbind
A tale about OpenSSH, "winbound" users and the %u variable expansion.
(Tested on Debian 13 Trixie)
Quick note about something I spent waaaaayyyyy too long figuring out.
Let's imagine you want some form of central management for AuthorizedKeysFile, so you configure OpenSSH like this:
AuthorizedKeysFile /etc/ssh/keys/%u
And then your users actually come from an Active Directory domain, so you have winbind, which gives you usernames like DOMAIN\johndoe.
Well, for the purposes of SSH login, OpenSSH will actually expand %u to DOMAINjohndoe (notice the missing backslash), even if the user only logs in as johndoe.
Meanwhile, pam_ssh_agent_auth (a PAM module which allows, for example, pseudo password-less sudo) will actually expand %u to DOMAIN\johndoe.
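
An added example (not from the original note, OpenSSH or pam_ssh_agent_auth): a Python audit that takes the two expansions described above as given and checks that every domain account has the same key file under both names. All function names, account names and key strings are constructed; it also goes one step beyond the note by flagging accounts whose names collapse to the same file once the backslash is dropped.

```python
from collections import defaultdict
from pathlib import Path
import tempfile

def sshd_name(pw_name):
    # Assumption taken from the note above: sshd's %u loses the backslash.
    return pw_name.replace("\\", "")

def audit(keys_dir, pw_names):
    """Return {account: problem} where the sshd and PAM views of %u disagree."""
    keys_dir = Path(keys_dir)
    findings, owners = {}, defaultdict(list)
    for name in pw_names:
        owners[sshd_name(name)].append(name)
    for flat, group in owners.items():
        if len(group) > 1:  # distinct accounts, one key file as seen by sshd
            for name in group:
                findings[name] = "shares sshd key file %s with another account" % flat
    for name in pw_names:
        if name in findings or "\\" not in name:
            continue  # already reported, or a local name both sides expand alike
        ssh_path = keys_dir / sshd_name(name)
        pam_path = keys_dir / name  # the PAM module keeps the backslash
        if not (ssh_path.is_file() and pam_path.is_file()):
            findings[name] = "key file missing under one of the two names"
        elif ssh_path.read_bytes() != pam_path.read_bytes():
            findings[name] = "sshd and PAM key files differ"
    return findings

def demo():
    # Constructed sample: account names and key strings are made up.
    files = {
        "DOMAINjohndoe": "ssh-ed25519 AAAA-constructed-1 john\n",
        "DOMAIN\\johndoe": "ssh-ed25519 AAAA-constructed-1 john\n",
        "DOMAINalice": "ssh-ed25519 AAAA-constructed-2 alice\n",
        "DOMAINbob": "ssh-ed25519 AAAA-constructed-3 bob\n",
        "DOMAIN\\bob": "ssh-ed25519 AAAA-constructed-4 bob-old\n",
    }
    names = ["root", "DOMAIN\\johndoe", "DOMAIN\\alice", "DOMAIN\\bob",
             "DOMAIN\\carol", "DOMAINcarol"]
    with tempfile.TemporaryDirectory() as d:
        for fname, text in files.items():
            (Path(d) / fname).write_text(text)
        return audit(d, names)

if __name__ == "__main__":
    for account, problem in sorted(demo().items()):
        print(account, "->", problem)
```

A "files differ" finding means the keys that can log in over SSH are not the keys accepted by the PAM module for the same account.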