For the benefit of those finding these two strings in ssh audit logs.
$ decode() {
for n in $(echo "$1" | sed -r 's-..-& -g') ; do
echo -ne '\x'$n
done
echo
}
$ decode 28756E6B6E6F776E207573657229
(unknown user)
$ decode 28696E76616C6964207573657229
(invalid user)
$
I can readily understand the desire to not present questionable usernames directly in audit log entries in order to prevent various injection attacks in viewing environments, and doing so by either hex-encoding the username, or replacing it with unknown or invalid, but doing both doesn’t seem to make much sense.