Hi @graysonwolf,
I'm the reporter of bug
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2150273, which
has the same root cause as this one.
To make it easy to reproduce, I've attached a self-contained
reproduction (ssh-username-repro.zip). It starts from a clean
ubuntu:26.04 and the Dockerfile lists every step, so it also works as a
step list for a clean LXD container. No AD/IPA join needed: the SSSD
proxy provider over /etc/passwd with domain_resolution_order makes a
short name resolve to a fully-qualified canonical name — the same
nss_sss path that triggers the check on joined hosts. Auth itself is
stock pam_unix against the local shadow, so the only thing differing
between pass and fail is the canonicalization.
docker compose up --build -d
docker compose logs -f
# sanity check (must print "testdev@proxytest"):
docker compose exec repro getent passwd testdev
# the test (password: testpw):
ssh -p 2222 testdev@localhost # -> Permission denied
The proof is server-side:
pam_unix(sshd:auth): authentication success ...
debug1: PAM user "testdev" does not match expected "testdev@proxytest"
i.e. PAM auth succeeds, then sshd rejects on the name mismatch.
Commenting out domain_resolution_order and rebuilding makes the
identical login succeed.
Hopefully this makes it easy to confirm the patch actually resolves the
issue, and fingers crossed it becomes available for Resolute soon.
Thanks!
** Attachment added: "ssh-username-repro.zip"
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2151817/+attachment/5978095/+files/ssh-username-repro.zip
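A small detection helper for the failure mode the reproduction above demonstrates, added here as an example (not part of the bug comment or of the repro zip). Operators triaging "Permission denied" reports on hosts with SSSD and OpenSSH ≥10.1p1 need to tell a genuine bad password apart from a rejection caused only by the username consistency check. The script correlates, per sshd PID, the pam_unix verdict with sshd's `debug1: PAM user ... does not match expected ...` message; the sample log lines are constructed (hostnames, PIDs, timestamps and the `alice` entry are made up) and only the two message shapes quoted in the comment are taken from the page.

```python
import re
from dataclasses import dataclass

# Constructed sample auth-log lines. The pam_unix and debug1 message shapes
# follow the two lines quoted in the bug comment; everything else is made up.
SAMPLE_LOG = """\
Mar  1 10:00:01 repro sshd[4101]: pam_unix(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.0.1 user=testdev
Mar  1 10:00:01 repro sshd[4101]: debug1: PAM user "testdev" does not match expected "testdev@proxytest"
Mar  1 10:00:09 repro sshd[4117]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.0.1 user=testdev
Mar  1 10:00:09 repro sshd[4117]: Failed password for testdev from 172.18.0.1 port 51240 ssh2
Mar  1 10:00:15 repro sshd[4130]: pam_unix(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=172.18.0.1 user=testdev@proxytest
Mar  1 10:00:20 repro sshd[4142]: debug1: PAM user "alice" does not match expected "alice@proxytest"
"""

# pam_unix verdict for an sshd process; "\buser=" skips the "ruser=" field.
PAM_RESULT = re.compile(
    r'sshd\[(?P<pid>\d+)\]: pam_unix\(sshd:auth\): authentication '
    r'(?P<result>success|failure);.*\buser=(?P<user>\S+)')

# sshd's username consistency check (OpenSSH >= 10.1p1) rejecting the login.
MISMATCH = re.compile(
    r'sshd\[(?P<pid>\d+)\]: debug1: PAM user "(?P<user>[^"]+)" '
    r'does not match expected "(?P<expected>[^"]+)"')


@dataclass(frozen=True)
class Finding:
    pid: str
    login_name: str      # name the client authenticated as
    expected_name: str   # canonical name sshd got back (e.g. via nss_sss)
    pam_succeeded: bool  # pam_unix accepted the credential for login_name

    @property
    def domain(self) -> str:
        # SSSD domain suffix that qualified the name, empty if unqualified.
        return self.expected_name.partition("@")[2]

    @property
    def is_canonicalization_only(self) -> bool:
        # Credential was good and the names differ only by the domain suffix:
        # the rejection comes from the consistency check, not from auth.
        return (self.pam_succeeded
                and self.expected_name.partition("@")[0] == self.login_name)


def find_name_mismatch_rejections(lines):
    """Return one Finding per consistency-check rejection, correlated by PID."""
    pam_by_pid = {}  # sshd pid -> (user, succeeded) from the latest pam_unix line
    findings = []
    for line in lines:
        m = PAM_RESULT.search(line)
        if m:
            pam_by_pid[m["pid"]] = (m["user"], m["result"] == "success")
            continue
        m = MISMATCH.search(line)
        if m:
            # Missing pam line (e.g. rotated log) leaves pam_succeeded False,
            # so the finding is still reported but not counted as a false reject.
            pam_user, ok = pam_by_pid.get(m["pid"], (None, False))
            findings.append(Finding(m["pid"], m["user"], m["expected"],
                                    ok and pam_user == m["user"]))
    return findings


def summarize(lines):
    """Counts an operator can alert on: how many good logins were refused."""
    findings = find_name_mismatch_rejections(lines)
    return {
        "mismatch_rejections": len(findings),
        "with_valid_credentials": sum(f.is_canonicalization_only for f in findings),
        "domains": sorted({f.domain for f in findings if f.domain}),
    }


if __name__ == "__main__":
    for f in find_name_mismatch_rejections(SAMPLE_LOG.splitlines()):
        status = "false reject" if f.is_canonicalization_only else "unconfirmed"
        print(f"pid={f.pid} {f.login_name!r} -> {f.expected_name!r} "
              f"domain={f.domain or '-'} ({status})")
    print(summarize(SAMPLE_LOG.splitlines()))
```

Run it against `journalctl -u ssh -o cat` output (with `LogLevel DEBUG1` or higher in sshd_config, since the mismatch message is debug1): any finding whose status is "false reject" is the SSSD short-name case from this bug rather than a credential problem, and the real password failure for PID 4117 in the sample is correctly not reported.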
https://bugs.launchpad.net/bugs/2151817
Title:
SSSD incompatible with OpenSSH ≥10.1p1 PAM username consistency check
when using short names