Bug 2423900

Summary: Password authentication fails
Product: [Fedora] Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Linux
Status: CLOSED ERRATA
Severity: medium
Priority: unspecified
Reporter: Alexey Tikhonov <atikhono>
Assignee: Zoltan Fridrich <zfridric>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: abokovoy, crypto-team, dbelyavs, dwalsh, frenaud, jjelen, lkundrak, mattias.ellert, sbose, spoore, tm, zfridric
Flags: zfridric: needinfo-, fedora-admin-xmlrpc: mirror+
Fixed In Version: openssh-10.2p1-3.fc44 openssh-10.2p1-3.fc45
Last Closed: 2026-02-17 12:12:44 UTC

Description Alexey Tikhonov 2025-12-19 15:47:28 UTC
Some of the automated SSSD tests started to fail very recently.

Symptoms are as follows:
 - test executes:
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -o NumberOfPasswordPrompts=1 -l TESTUSER localhost
```
 - enters password
 - and gets in response:
```
TESTUSER@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
```

In the systemd journal it looks like:
```
sshd-session[665010]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=TESTUSER
sshd-session[665010]: Failed password for TESTUSER from ::1 port 59358 ssh2
```

SSSD's own logs look sane - auth succeeds.

The timing hints this might be related to the recent rebase:
https://src.fedoraproject.org/rpms/openssh/c/be36f8dbd60f4d2e7e1e8b21c615a615f1182f84?branch=rawhide

```
# rpm -q openssh
openssh-10.2p1-1.fc44.x86_64
```

Reproducible: Always

Comment 4 Alexander Bokovoy 2026-01-13 12:14:09 UTC
I think the code that Marco added upstream (git commit 140bae1df2b7246bb43439d039bf994159973585) should instead use a second call to `getpwnam()`, e.g. `getpwnam(pam_user)`, and then compare pw->uid with the authctxt->pw->uid. This way we don't care whether the PAM stack changed the name by normalization, as long as this gets to the same POSIX account.
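
The comparison suggested in comment 4, as an added example that is not part of the bug report, the upstream commit, or the Fedora patch. The function names, the lookup hook and the account table are assumptions made for illustration; the strict name comparison is shown only as a contrast and is not taken from the OpenSSH source.

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* Lookup hook so the check can run on a constructed table; pass getpwnam in real use. */
typedef struct passwd *(*pw_lookup_fn)(const char *);

/* Constructed sample accounts: two spellings of one account, plus a different one. */
static struct passwd sample_db[] = {
    { .pw_name = "TESTUSER",              .pw_uid = 1000 },
    { .pw_name = "testuser@example.test", .pw_uid = 1000 },
    { .pw_name = "otheruser",             .pw_uid = 1001 },
};

static struct passwd *sample_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(sample_db) / sizeof(sample_db[0]); i++)
        if (strcmp(sample_db[i].pw_name, name) == 0)
            return &sample_db[i];
    return NULL;
}

/* Strict check (hypothetical contrast): any rename by the PAM stack is rejected. */
int same_name(const char *requested, const char *pam_user)
{
    return pam_user != NULL && strcmp(requested, pam_user) == 0;
}

/* UID check: accept a renamed user only if it resolves to the same POSIX account.
 * auth_uid is taken by value because getpwnam() reuses a static result buffer,
 * so a second lookup could overwrite a struct passwd pointer held by the caller. */
int same_account(uid_t auth_uid, const char *pam_user, pw_lookup_fn lookup)
{
    struct passwd *pw;
    if (pam_user == NULL || (pw = lookup(pam_user)) == NULL)
        return 0; /* fail closed when the PAM user is missing or unknown */
    return pw->pw_uid == auth_uid;
}

int main(void)
{
    uid_t uid = sample_lookup("TESTUSER")->pw_uid;
    printf("name check, normalized name: %d\n", same_name("TESTUSER", "testuser@example.test"));
    printf("uid check, normalized name:  %d\n", same_account(uid, "testuser@example.test", sample_lookup));
    printf("uid check, other account:    %d\n", same_account(uid, "otheruser", sample_lookup));
    return 0;
}
```
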

Comment 5 Zoltan Fridrich 2026-02-16 14:10:26 UTC
@atikhono I implemented the change that Alexander Bokovoy suggested. It seems to work; however, I am not sure if my reproducer is correct. I was using a similar reproducer as for https://bugzilla.mindrot.org/show_bug.cgi?id=3853.

Here is the proposed patch: https://src.fedoraproject.org/rpms/openssh/pull-request/105#
A scratch build should be present under the MR, but here is one that I made: https://koji.fedoraproject.org/koji/taskinfo?taskID=142383168
Could you please test the change?

Comment 6 Alexey Tikhonov 2026-02-16 14:45:05 UTC
@zfridric, do you have a copr repo?

Comment 7 Zoltan Fridrich 2026-02-16 14:57:39 UTC
(In reply to Alexey Tikhonov from comment #6)
> @zfridric, do you have a copr repo?

I don't.

Comment 9 Fedora Update System 2026-02-17 10:18:01 UTC
FEDORA-2026-e0777ae202 (openssh-10.2p1-3.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e0777ae202

Comment 10 Fedora Update System 2026-02-17 10:20:50 UTC
FEDORA-2026-63e3fa9387 (openssh-10.2p1-3.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-63e3fa9387

Comment 11 Fedora Update System 2026-02-17 12:12:44 UTC
FEDORA-2026-e0777ae202 (openssh-10.2p1-3.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2026-02-17 12:24:50 UTC
FEDORA-2026-63e3fa9387 (openssh-10.2p1-3.fc45) has been pushed to the Fedora 45 stable repository.
If problem still persists, please make note of it in this bug report.