[Bug 3955] New: SSH fails on IPA-joined systems when logging in with an alternative UPN suffix

bugzilla-daemon at mindrot.org bugzilla-daemon at mindrot.org
Sat Apr 25 05:32:00 AEST 2026


https://bugzilla.mindrot.org/show_bug.cgi?id=3955

            Bug ID: 3955
           Summary: SSH fails on IPA-joined systems when logging in with
                    an alternative UPN suffix
           Product: Portable OpenSSH
           Version: 10.2p1
          Hardware: amd64
                OS: Windows 11
            Status: NEW
          Severity: major
          Priority: P5
         Component: PAM support
          Assignee: unassigned-bugs at mindrot.org
          Reporter: c.fiehe at eurodata.de

We are facing an issue with the OpenSSH server "OpenSSH_10.2p1
Ubuntu-2ubuntu3, OpenSSL 3.5.5 27 Jan 2026" on Ubuntu 26.04. Our
systems are joined in a FreeIPA-controlled domain "lx.example.com" with
a trust to our Active Directory (AD) "ad.example.com". On Ubuntu 26.04
it is no longer possible to log in via SSH with an alternative UPN
suffix. The debug log gives the following:

Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]:
debug1: kbdint_alloc: devices 'pam' [preauth]
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]:
debug1: auth2_challenge_start: trying authentication method 'pam'
[preauth]
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]:
debug1: PAM user "c.fiehe at ad" does not match expected
"c.fiehe at ad.example.com"
Apr 24 20:58:00 loc-ubuntu-resolute-srv1-test sshd-session[7931]:
fatal: PAM user mismatch

This is the pull request that introduced the issue:
https://github.com/openssh/openssh-portable/pull/521

The check was added for security reasons, but it makes it impossible
to use alternative UPN suffixes for SSH login. I think it would work
if the UIDs of both users were also compared whenever the user names
differ. That gives us:

root at loc-ubuntu-resolute-srv1-test:~# id -u c.fiehe at ad
1758003903

root at loc-ubuntu-resolute-srv1-test:~# id -u c.fiehe at ad.mycompany.com
1758003903

In that case the PAM user check in the SSH server should not fail
because there are just two different names for the same user.

I have also opened an issue on Launchpad for the new Ubuntu 26.04:
https://bugs.launchpad.net/ubuntu/+source/openssh/+bug/2150273
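
The comparison the report proposes, written out as an added example (not
OpenSSH code and not the reporter's): identical names match as before; when
the names differ, both must resolve to the same numeric UID, and a failed
lookup on either side counts as a mismatch. The `uid_resolver` type and
`sample_resolver` are assumptions standing in for the passwd/NSS lookup a
real sshd would do with `getpwnam_r`, and the account table is constructed
(the archive above shows `@` as " at ").

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Hypothetical resolver: returns true and fills *uid when the account
 * name is known to the name service (getpwnam_r in a real sshd). */
typedef bool (*uid_resolver)(const char *name, uid_t *uid);

/* Proposed check: same name matches; a different name matches only if
 * both names are resolvable and map to the same UID. */
bool pam_user_matches(const char *expected, const char *pam_user,
                      uid_resolver resolve)
{
    uid_t expected_uid, pam_uid;

    if (expected == NULL || pam_user == NULL ||
        *expected == '\0' || *pam_user == '\0')
        return false;
    if (strcmp(expected, pam_user) == 0)
        return true;
    /* Names differ: an unknown name on either side is a mismatch. */
    if (!resolve(expected, &expected_uid) || !resolve(pam_user, &pam_uid))
        return false;
    return expected_uid == pam_uid;
}

/* Constructed lookup table standing in for the passwd database; the two
 * UPN forms share one UID as in the report's `id -u` output. */
struct account { const char *name; uid_t uid; };
static const struct account sample_accounts[] = {
    { "c.fiehe@ad",             1758003903 },
    { "c.fiehe@ad.example.com", 1758003903 },
    { "alice",                  1001 },
    { "bob",                    1002 },
};

bool sample_resolver(const char *name, uid_t *uid)
{
    size_t n = sizeof sample_accounts / sizeof sample_accounts[0];
    for (size_t i = 0; i < n; i++) {
        if (strcmp(sample_accounts[i].name, name) == 0) {
            *uid = sample_accounts[i].uid;
            return true;
        }
    }
    return false;
}

int main(void)
{
    const char *cases[][2] = {
        { "c.fiehe@ad.example.com", "c.fiehe@ad" },  /* alias: accept */
        { "alice",                  "alice" },       /* same name: accept */
        { "alice",                  "bob" },         /* other user: reject */
        { "alice",                  "nobody-here" }, /* unknown: reject */
    };
    for (size_t i = 0; i < sizeof cases / sizeof cases[0]; i++)
        printf("expected %-24s pam %-12s -> %s\n", cases[i][0], cases[i][1],
               pam_user_matches(cases[i][0], cases[i][1], sample_resolver)
                   ? "match" : "mismatch");
    return 0;
}
```

Both lookups go through the same resolver so that an alias is only accepted
when the name service itself reports one account; a name that the service
does not know is still treated as a mismatch.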
