[Bug 3955] SSH fails on IPA-joined systems when logging in with an alternative UPN suffix
bugzilla-daemon at mindrot.org
Sat Apr 25 06:20:05 AEST 2026
https://bugzilla.mindrot.org/show_bug.cgi?id=3955
--- Comment #1 from Christoph Fiehe <c.fiehe at eurodata.de> ---
Would it be possible to modify the code with something like this?
diff --git a/auth-pam.c b/auth-pam.c
index 2c8a7a2e..c0d4a9c3 100644
--- a/auth-pam.c
+++ b/auth-pam.c
@@ -1547,6 +1547,18 @@ check_pam_user(Authctxt *authctxt)
if (strcmp(sshpam_initial_user, pam_user) != 0) {
+ /* Allow aliasing if both names resolve to the same UID
*/
+ struct passwd *pw_pam = NULL;
+
+ if (authctxt->pw != NULL &&
+ (pw_pam = getpwnam(pam_user)) != NULL &&
+ pw_pam->pw_uid == authctxt->pw->pw_uid) {
+ debug_f("PAM user \"%s\" differs from previous
\"%s\" "
+ "but resolves to same uid %lu; allowing",
+ pam_user, sshpam_initial_user,
+ (u_long)authctxt->pw->pw_uid);
+ return PAM_SUCCESS;
+ }
error_f("PAM user \"%s\" does not match previous \"%s\"",
pam_user, sshpam_initial_user);
return PAM_USER_UNKNOWN;
}
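Review bot: The added condition `pw_pam->pw_uid == authctxt->pw->pw_uid` accepts the changed PAM user name on UID equality alone, so any two passwd entries that share a UID pass it and return PAM_SUCCESS, not only alternative UPN suffixes of one IPA account. Consider also requiring that the entry returned by getpwnam(pam_user) matches authctxt->pw on pw_name (if the NSS backend returns the canonical name for both lookups) or at least on pw_gid, and leave the error_f path for everything else. Because getpwnam() returns a pointer to static storage, it is worth confirming that authctxt->pw is a separate copy; if it pointed at the same buffer, the comparison would be trivially true. The accepted alias is recorded only through debug_f, so a log level that is visible in normal operation would give an audit trail of when the name check was relaxed. The comment and the format string are line-wrapped in this mail, so the patch would be better added to the bug as an attachment.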
What do you think?