Public bug reported: Hi,
We encountered a regression since trying Ubuntu 26.04 with our working config authenticating using short names against Active Directory joined hosts. I am letting you know I opened an issue upstream about this https://github.com/SSSD/sssd/issues/8682 ### Findings Since OpenSSH 10.1p1, a strict username consistency check was introduced in PAM authentication: Initial PR : https://github.com/openssh/openssh-portable/pull/521 Commit : https://github.com/openssh/openssh-portable/commit/140bae1df2b7246bb43439d039bf994159973585 This change enforces that the username returned by PAM must exactly match the username provided to sshd. This breaks a common and documented SSSD configuration using Active Directory with short names : ``` [sssd] ... domain_resolution_order = ad.example, domain2.example ... [domain/ad.example] use_fully_qualified_names = False ``` In this setup: - Users authenticate using short names (e.g. `user1`) - SSSD internally canonicalizes identities to fully qualified names (`[email protected]`) - PAM returns the canonical name As a result, OpenSSH rejects authentication due to mismatch with the error `PAM user "user1" does not match expected "[email protected]"` ### Environment - OS: Ubuntu Server 26.04 - OpenSSH: 10.2p1 - SSSD: 2.12 - realmd: 0.17.1 - Directory: Active Directory Working comparison: - Ubuntu Server 24.04 (OpenSSH 9.6p1) ### SSSD configuration ``` [sssd] domains = lab.internal domain_resolution_order = lab.internal [domain/lab.internal] id_provider = ad ad_domain = lab.internal krb5_realm = lab.internal use_fully_qualified_names = False fallback_homedir = /home/%u@%d default_shell = /bin/bash ldap_id_mapping = True cache_credentials = True ``` ### Steps to reproduce 1. Join AD domain via realmd with standard settings 2. Configure sssd for short names with `domain_resolution_order = ad.example` and `use_fully_qualified_names = False` 3. Restart sssd and sshd 4. Attempt SSH login `ssh user1@server` ### Expected result Authentication succeeds using short username (`user1`), consistent with: - `su - user1` - `pamtester sshd user1 authenticate` - `getent passwd user1` ### Actual result Authentication fails with: ``` sshd-session: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.168.0.1 sshd-session: debug1: PAM user "user1" does not match expected "[email protected]" sshd-session: debug1: PAM: password authentication failed for user1: User not known to the underlying authentication module sshd-session: Failed password for user1 from 192.168.0.1 port 50308 ssh2 ``` However: - PAM authentication itself succeeds - Authenticating using FQDN `ssh [email protected]@server` succeeds ### Analysis - SSSD canonicalizes `user1` → `[email protected]` - PAM returns canonical username - OpenSSH ≥10.1p1 enforces strict equality between: - requested username - PAM-returned username This creates an incompatibility between: - SSSD name canonicalization - OpenSSH security hardening ### Impact - Breaks SSH login with short usernames - Affects all modern distributions shipping OpenSSH ≥10.1p1 - Forces administrators to apply workarounds, losing functionality This reduces usability and breaks long-standing configurations. ### Workarounds - Set in sssd subdomain section `full_name_format = %1$s` - Or enforce FQDN logins Both are suboptimal in mixed environments. ### Proposed solution SSSD should adapt to OpenSSH’s stricter behavior. ### References - https://lists.mindrot.org/pipermail/openssh-unix-dev/2025-February/041798.html - Shortnames in trusted domains : https://sssd.io/design-pages/shortnames.html - https://github.com/SSSD/sssd/issues/4748 seems similar somehow _Disclaimer: This report was made with the help of AI with my troubleshooting_ ** Affects: sssd Importance: Unknown Status: Unknown ** Affects: sssd (Ubuntu) Importance: Undecided Status: New ** Tags: resolute ** Bug watch added: github.com/SSSD/sssd/issues #8682 https://github.com/SSSD/sssd/issues/8682 ** Also affects: sssd via https://github.com/SSSD/sssd/issues/8682 Importance: Unknown Status: Unknown -- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu. https://bugs.launchpad.net/bugs/2151817 Title: SSSD incompatible with OpenSSH ≥10.1p1 PAM username consistency check when using short names To manage notifications about this bug go to: https://bugs.launchpad.net/sssd/+bug/2151817/+subscriptions -- ubuntu-bugs mailing list [email protected] https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
