(re-adding openssh-unix-dev) On Mon, Feb 13, 2017 at 6:18 PM, Andrey Klimentev <andrei650816@xxxxxxxxx> wrote: > Thank you for a quick response. > > Indeed, it looks like the OpenSSH client sends it as a string: debug1: > Authenticating to jump1-m.vt.ru:22 as '\321\205' Well that's also passed through the same escaping in log.c. > PAM module has no problem with interpreting that value, though. Here is a > full auth.log: > > Feb 13 09:01:02 jump1 sshd[31722]: Invalid user \321\205 from 192.168.54.109 This one is encoded as expected. > Feb 13 09:01:02 jump1 sshd[31722]: input_userauth_request: invalid user > \\321\\205 [preauth] This one is double encoded for some reason. What version of sshd are you using? > Feb 13 09:01:06 jump1 sshd[31722]: Failed password for invalid user \321\205 > from 192.168.54.109 port 43826 ssh2 This one is also as expected. Anyway, that value is $ perl -le 'printf "%x %x\n", 0321, 0205' d1 85 which seems to be the UTF8 encoding of U+0445: http://www.fileformat.info/info/unicode/char/0445/index.htm > Naturally, the question now arises: how does a client encode it and why does > PAM correctly decode it and write it to the syslog properly? With the exception of one instance of double-encoding in the logging, it seems to be doing what you'd expect. -- Darren Tucker (dtucker at zip.com.au) GPG key 11EAA6FA / A86E 3E07 5B19 5880 E860 37F4 9357 ECEF 11EA A6FA (new) Good judgement comes with experience. Unfortunately, the experience usually comes from bad judgement. _______________________________________________ openssh-unix-dev mailing list openssh-unix-dev@xxxxxxxxxxx https://lists.mindrot.org/mailman/listinfo/openssh-unix-dev