** Description changed:
+ [ Impact ]
+
+ * OpenSSH 10.1p1 added a PAM username-consistency check to stop a PAM
+ module from switching the authenticated identity. Some PAM modules
+ however legitimately canonicalize the login name. Currently those logins
+ get rejected and SSH login is not possible.
+
+ * The proposed fix keeps the security fix but changes the comparison
+ from a string comparison of the login name to a comparison of the uids.
+ I also kept the string comparison (which Fedora removed) to keep the
+ happy path fast and reliable and to not always call getpwnam.
+
+ [ Test Plan ]
+
+ * (The following assumes a new Ubuntu container, like lxc launch
+ ubuntu:26.04 sru-test)
+
+ * apt-get update && apt-get install -y gcc libpam0g-dev
+
+ * useradd -u 4000 -m alice
+
+ * useradd -o -u 4000 -M alice-alt
+
+ * Create and compile a minimal PAM module that rewrites PAM_USER to the
+ name given as its first module argument, i.e. an alias for the
+ authenticated user (the behaviour the new check trips over):
+ cat > /tmp/pam_alias.c <<'EOF'
+ #include <security/pam_modules.h>
+ /* Switch the PAM user to the alias passed as the module argument, then
+  * report success so the reproducer needs no password. */
+ int pam_sm_authenticate(pam_handle_t *p, int f, int c, const char **v)
+ { (void)f; if (c > 0) pam_set_item(p, PAM_USER, v[0]); return PAM_SUCCESS; }
+ /* An auth module must also provide pam_sm_setcred; nothing to do here. */
+ int pam_sm_setcred(pam_handle_t *p, int f, int c, const char **v)
+ { (void)p; (void)f; (void)c; (void)v; return PAM_SUCCESS; }
+ EOF
+ PAMDIR=$(dirname "$(dpkg -L libpam-modules | grep -m1 '/security/pam_unix.so$')")
+ gcc -fPIC -shared -o "$PAMDIR/pam_alias.so" /tmp/pam_alias.c
+
+ * Open /etc/pam.d/sshd and add "auth sufficient pam_alias.so alice-alt"
+ at the top (without the quotes)
+
+ * Enable keyboard-interactive auth:
+ echo 'KbdInteractiveAuthentication yes' > /etc/ssh/sshd_config.d/repro.conf
+
+ * Restart ssh: systemctl restart ssh
+
+ * Test that ssh authentication succeeds:
+ ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null \
+ -o PreferredAuthentications=keyboard-interactive \
+ [email protected] true
+
+ [ Where problems could occur ]
+
+ * The change is completely confined to PAM auth. If the change is
+ incorrect, regressions could occur and PAM logins could start behaving
+ wrongly.
+
+ * In the worst case, if the uid check is incorrect a security
+ regression could occur and a PAM module that switches the session to a
+ different account could be wrongly accepted.
+
+ * The extra lookup adds some latency and the expectation of NSS being
+ available during PAM auth. Keeping the string comparison as done by my
+ fix should eliminate this issue as much as possible.
+
+ [ Other Info ]
+
+ * The proposed patch is largely based off the Fedora patch
+ (https://src.fedoraproject.org/rpms/openssh/pull-request/105) with the
+ addition of keeping the string comparison.
+
+ * Upstream has not acknowledged the bug or proposed a fix
+
+ ---
+
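The uid fallback described in the [Impact] section above, as an added illustration for this page (it is not the Ubuntu, Fedora or OpenSSH patch itself): compare the login names first, compare uids only when the names differ, and fail closed when either name does not resolve. The resolver is passed in as a function pointer so the check can be exercised against a constructed passwd table (alice and alice-alt sharing uid 4000 as in the test plan, plus an unrelated bob); the function names, the getpwnam-based resolver and the sample table are assumptions made for this example.

```c
/* Added example, not code from OpenSSH, Fedora or the Ubuntu patch. */
#include <pwd.h>
#include <stdbool.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Resolver abstraction: returns true and fills *uid when name resolves.
 * Lets the check run against a constructed table without touching NSS. */
typedef bool (*uid_lookup_fn)(const char *name, uid_t *uid);

/* Production-style resolver over the host's NSS stack (assumed; sshd has
 * its own passwd helpers, this just uses libc getpwnam). */
static bool nss_lookup(const char *name, uid_t *uid) {
    struct passwd *pw = getpwnam(name);
    if (pw == NULL)
        return false;
    *uid = pw->pw_uid;
    return true;
}

/* Returns 1 if the identity PAM reports is acceptable for the user sshd
 * authenticated, 0 if the session must be rejected ("PAM user mismatch").
 *
 * Policy (the proposed fix): identical names pass with no lookup at all;
 * otherwise both names must resolve and map to the same uid. A name that
 * fails to resolve is a mismatch, never a match, so a module switching
 * PAM_USER to an unknown account is still rejected. */
static int pam_user_consistent(const char *expected, const char *pam_user,
                               uid_lookup_fn lookup) {
    if (expected == NULL || pam_user == NULL)
        return 0;
    /* Fast path: unchanged login name, no NSS round trip (the part of the
     * string comparison the Ubuntu fix keeps). */
    if (strcmp(expected, pam_user) == 0)
        return 1;
    /* Slow path: canonicalized or aliased name, accept only on equal uid. */
    uid_t uid_expected, uid_pam;
    if (!lookup(expected, &uid_expected) || !lookup(pam_user, &uid_pam))
        return 0;
    return uid_expected == uid_pam ? 1 : 0;
}

/* Constructed passwd table mirroring the test plan: alice and alice-alt
 * share uid 4000 (useradd -o), bob is an unrelated account. */
struct fake_pw { const char *name; uid_t uid; };
static const struct fake_pw fake_table[] = {
    { "alice", 4000 }, { "alice-alt", 4000 }, { "bob", 4001 },
};

static bool fake_lookup(const char *name, uid_t *uid) {
    for (size_t i = 0; i < sizeof fake_table / sizeof fake_table[0]; i++) {
        if (strcmp(fake_table[i].name, name) == 0) {
            *uid = fake_table[i].uid;
            return true;
        }
    }
    return false;
}

int main(void) {
    const char *cases[][2] = {
        { "alice", "alice" },       /* same name: accepted without lookup */
        { "alice", "alice-alt" },   /* alias with the same uid: accepted */
        { "alice", "bob" },         /* different account: rejected */
        { "alice", "nobody-here" }, /* unresolvable name: rejected */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("expected=%-10s pam=%-12s -> %s\n", cases[i][0], cases[i][1],
               pam_user_consistent(cases[i][0], cases[i][1], fake_lookup)
                   ? "ok" : "PAM user mismatch");
    /* Same check against the live NSS stack; root always maps to itself. */
    printf("root/root via NSS -> %d\n",
           pam_user_consistent("root", "root", nss_lookup));
    return 0;
}
```

The fail-closed branch is the one to get right: if a lookup failure were treated as "no information, accept", a module that rewrites PAM_USER to a name outside the passwd database would pass the very check the 10.1p1 change introduced. Treating it as a mismatch keeps the original security property while still letting the FreeIPA/AD alias case through.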
We are facing an issue with the OpenSSH server "OpenSSH_10.2p1
Ubuntu-2ubuntu3, OpenSSL 3.5.5 27 Jan 2026" on Ubuntu 26.04. Our systems
are joined in a FreeIPA-controlled domain "lx.example.com" with a trust
to our Active Directory (AD) "ad.example.com". On Ubuntu 26.04 it is no
longer possible to log in via SSH with an alternative UPN suffix. The
debug log gives the following:
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]: debug1: kbdint_alloc: devices 'pam' [preauth]
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]: debug1: auth2_challenge_start: trying authentication method 'pam' [preauth]
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]: debug1: PAM user "c.fiehe@ad" does not match expected "[email protected]"
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]: fatal: PAM user mismatch
This is the pull request that introduced the issue:
https://github.com/openssh/openssh-portable/pull/521
The check was added for reasons of security, but it makes it impossible
to use alternative UPN suffixes for SSH login. I think it would work
when also the UIDs of both users are compared in case of a user name
difference. That gives us:
root@loc-ubuntu-resolute-srv1-test:~# id -u c.fiehe@ad
1758003903
root@loc-ubuntu-resolute-srv1-test:~# id -u [email protected]
1758003903
In that case the PAM user check in the SSH server should not fail
because there are just two different names for the same user.
--
You received this bug notification because you are a member of Ubuntu
Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2150273
Title:
SSH fails on IPA-joined systems when logging in with an alternative
UPN suffix