https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/562066#M1965 <P>Hi,</P> <P>&nbsp;</P> <P>If we downgrade to 10.1.x, will it work ? please let me know.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Tue, 17 Oct 2023 12:13:45 GMT Bharath_A 2023-10-17T12:13:45Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/547999#M1447 <P>Anyone facing the same issue like us, PAN OS 10.2.3-h4, SSH CLI session got disconnected after we login as user AD auth (User Authentication Successful). Is it bug not yet reported?</P> Mon, 03 Jul 2023 09:18:38 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/547999#M1447 Yoekleng 2023-07-03T09:18:38Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/548187#M1459 <P><SPAN>Hello Yoekleng,</SPAN></P> <P>&nbsp;</P> <P><SPAN>There is a limitation in 10.2 where for security reasons centos have disallowed usernames with numbers only and PANOS depends on that Centos functionality to store usernames for authorization purposes. --&gt;&gt; "Fully numeric usernames and usernames . or .. are also disallowed" is the CentOS behavior change by&nbsp;</SPAN><A href="https://www.webconn.tech/kb/are-all-numeric-usernames-allowed-in-almalinux-8:" target="_blank" rel="noopener nofollow noreferrer" data-aura-rendered-by="8109:0">https://www.webconn.tech/kb/are-all-numeric-usernames-allowed-in-almalinux-8:</A></P> <P>&nbsp;</P> <P><SPAN>Usernames may contain only lower and upper case letters, digits, underscores, or dashes. They can end with a dollar sign. Dashes are not allowed at the beginning of the username. Fully numeric usernames and usernames. or .. are also disallowed. It is not recommended to use usernames beginning with. character as their home directories will be hidden in the ls output. In regular expression terms: [a-zA-Z0-9_.][a-zA-Z0-9_.-]*[$]? --&gt;&gt; There are good reasons to enforce it:</SPAN></P> <P>&nbsp;</P> <P><A href="https://unix.stackexchange.com/questions/287077/why-cant-linux-usernames-begin-with-numbers" target="_blank" rel="noopener nofollow noreferrer" data-aura-rendered-by="8109:0">https://unix.stackexchange.com/questions/287077/why-cant-linux-usernames-begin-with-numbers</A></P> <P>&nbsp;</P> <P><SPAN>So this behavior is per design and functionality. --</SPAN></P> <P>&nbsp;</P> <P><SPAN>&gt;&gt;WORKAROUND: We can add a symbol along with letters to the numbers the Admin Username then works. For example, 12345676890_A</SPAN></P> Wed, 05 Jul 2023 05:46:40 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/548187#M1459 sawjain 2023-07-05T05:46:40Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/562066#M1965 <P>Hi,</P> <P>&nbsp;</P> <P>If we downgrade to 10.1.x, will it work ? please let me know.</P> <P>&nbsp;</P> <P>Regards,</P> <P>&nbsp;</P> Tue, 17 Oct 2023 12:13:45 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/562066#M1965 Bharath_A 2023-10-17T12:13:45Z https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/562854#M1992 <P>Hi Bharath,</P> <P>&nbsp;</P> <P>You can try and test at your end. However, It is not recommended to downgrade since the latest release fixed a bug and vulnerabilities.</P> <P>&nbsp;</P> <P>Best Regards,</P> <P>Yoekleng.</P> Tue, 24 Oct 2023 07:12:05 GMT https://live.paloaltonetworks.com/t5/next-generation-firewall/pan-os-10-2-3-h4-issue-ssh-cli-disconnect-after-user-ad-auth/m-p/562854#M1992 Yoekleng 2023-10-24T07:12:05Z