Bug 2423900 - Password authentication fails
Summary: Password authentication fails
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Fedora
Classification: Fedora
Component: openssh
Version: rawhide
Hardware: Unspecified
OS: Linux
unspecified
medium
Target Milestone: ---
Assignee: Zoltan Fridrich
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2025-12-19 15:47 UTC by Alexey Tikhonov
Modified: 2026-05-11 15:37 UTC

Fixed In Version: openssh-10.2p1-3.fc44 openssh-10.2p1-3.fc45
Clone Of:
Environment:
Last Closed: 2026-02-17 12:12:44 UTC
Type: ---
Embargoed:
zfridric: needinfo-
fedora-admin-xmlrpc: mirror+


Links

| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Issue Tracker | FC-2830 | 0 | None | None | None | 2025-12-19 15:50:32 UTC |

Description Alexey Tikhonov 2025-12-19 15:47:28 UTC
Some of the automated SSSD tests started to fail very recently.

Symptoms are as follows:
 - test executes:
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -o NumberOfPasswordPrompts=1 -l TESTUSER localhost
```
 - enters password
 - and gets in response:
```
TESTUSER@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
```

In systemd journal it looks like:
```
sshd-session[665010]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=TESTUSER
sshd-session[665010]: Failed password for TESTUSER from ::1 port 59358 ssh2
```

SSSD's own logs look sane - auth succeeds.

Timing hints this might be related to the recent rebase:
https://src.fedoraproject.org/rpms/openssh/c/be36f8dbd60f4d2e7e1e8b21c615a615f1182f84?branch=rawhide

```
# rpm -q openssh
openssh-10.2p1-1.fc44.x86_64
```

Reproducible: Always

Comment 4 Alexander Bokovoy 2026-01-13 12:14:09 UTC
I think the code that Marco added upstream (git commit 140bae1df2b7246bb43439d039bf994159973585) should instead use a second call to `getpwnam()`, e.g. `getpwnam(pam_user)`, and then compare pw->uid with the authctxt->pw->uid. This way we don't care whether the PAM stack changed the name by normalization, as long as this gets to the same POSIX account.

Comment 5 Zoltan Fridrich 2026-02-16 14:10:26 UTC
@atikhono I implemented the change that Alexander Bokovoy suggested. It seems to work; however, I am not sure if my reproducer is correct. I was using a similar reproducer as for https://bugzilla.mindrot.org/show_bug.cgi?id=3853.

Here is the proposed patch: https://src.fedoraproject.org/rpms/openssh/pull-request/105#
A scratch build should be present under the MR, but here is one that I made: https://koji.fedoraproject.org/koji/taskinfo?taskID=142383168
Could you please test the change?

Comment 6 Alexey Tikhonov 2026-02-16 14:45:05 UTC
@zfridric, do you have a copr repo?

Comment 7 Zoltan Fridrich 2026-02-16 14:57:39 UTC
(In reply to Alexey Tikhonov from comment #6)
> @zfridric, do you have a copr repo?

I don't.

Comment 9 Fedora Update System 2026-02-17 10:18:01 UTC
FEDORA-2026-e0777ae202 (openssh-10.2p1-3.fc44) has been submitted as an update to Fedora 44.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-e0777ae202

Comment 10 Fedora Update System 2026-02-17 10:20:50 UTC
FEDORA-2026-63e3fa9387 (openssh-10.2p1-3.fc45) has been submitted as an update to Fedora 45.
https://bodhi.fedoraproject.org/updates/FEDORA-2026-63e3fa9387

Comment 11 Fedora Update System 2026-02-17 12:12:44 UTC
FEDORA-2026-e0777ae202 (openssh-10.2p1-3.fc44) has been pushed to the Fedora 44 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 12 Fedora Update System 2026-02-17 12:24:50 UTC
FEDORA-2026-63e3fa9387 (openssh-10.2p1-3.fc45) has been pushed to the Fedora 45 stable repository.
If problem still persists, please make note of it in this bug report.
