Some of the automated SSSD tests started to fail very recently. Symptoms are as follows:

- test executes:
```
ssh -o UserKnownHostsFile=/dev/null -o StrictHostKeyChecking=no -o PreferredAuthentications=password -o NumberOfPasswordPrompts=1 -l TESTUSER localhost
```
- enters password
- and gets in response:
```
TESTUSER@localhost: Permission denied (publickey,gssapi-keyex,gssapi-with-mic,password,keyboard-interactive).
```

In the systemd journal it looks like:
```
sshd-session[665010]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=::1 user=TESTUSER
sshd-session[665010]: Failed password for TESTUSER from ::1 port 59358 ssh2
```

SSSD's own logs look sane - auth succeeds.

Timing hints this might be related to the recent rebase: https://src.fedoraproject.org/rpms/openssh/c/be36f8dbd60f4d2e7e1e8b21c615a615f1182f84?branch=rawhide
```
# rpm -q openssh
openssh-10.2p1-1.fc44.x86_64
```

Reproducible: Always

I think the code that Marco added upstream (git commit 140bae1df2b7246bb43439d039bf994159973585) should instead use a second call to `getpwnam()`, e.g. `getpwnam(pam_user)`, and then compare `pw->uid` with the `authctxt->pw->uid`. This way we don't care whether the PAM stack changed the name by normalization, as long as this gets to the same POSIX account.
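
The uid comparison suggested in the comment above, shown next to a name comparison that a normalized PAM user name would fail. This is an added example, not code from OpenSSH or from this report: the function names, the `pw_lookup_fn` hook and the sample account table are assumptions made so it runs offline (pass `getpwnam` as the hook on a real system).

```c
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <strings.h>
#include <sys/types.h>

/* Hypothetical lookup hook so the check can run on constructed data; pass getpwnam in real use. */
typedef struct passwd *(*pw_lookup_fn)(const char *name);

/* Constructed sample accounts, not taken from the report. */
static char name_a[] = "testuser", name_b[] = "other";
static struct passwd sample_db[] = {
    { .pw_name = name_a, .pw_uid = 1000, .pw_gid = 1000 },
    { .pw_name = name_b, .pw_uid = 1001, .pw_gid = 1001 },
};

/* Stand-in for a name service that resolves names case-insensitively. */
static struct passwd *sample_lookup(const char *name)
{
    for (size_t i = 0; i < sizeof(sample_db) / sizeof(sample_db[0]); i++)
        if (strcasecmp(sample_db[i].pw_name, name) == 0)
            return &sample_db[i];
    return NULL;
}

/* Name-based check: rejects as soon as PAM hands back a different spelling. */
static int same_account_by_name(const char *pam_user, const struct passwd *auth_pw)
{
    return pam_user != NULL && auth_pw != NULL && strcmp(pam_user, auth_pw->pw_name) == 0;
}

/* UID-based check: 1 if pam_user resolves to auth_pw's uid, 0 otherwise (fails closed). */
static int same_account_by_uid(const char *pam_user, const struct passwd *auth_pw, pw_lookup_fn lookup)
{
    if (pam_user == NULL || auth_pw == NULL) return 0;
    /* Copy the uid first: if auth_pw came straight from getpwnam(), a second call may overwrite it. */
    uid_t expected = auth_pw->pw_uid;
    const struct passwd *pw = lookup(pam_user);
    return pw != NULL && pw->pw_uid == expected;
}

int main(void)
{
    char spelled[] = "TESTUSER";   /* name as typed at login */
    struct passwd auth = { .pw_name = spelled, .pw_uid = 1000 };
    printf("by name: %d\n", same_account_by_name("testuser", &auth));
    printf("by uid:  %d\n", same_account_by_uid("testuser", &auth, sample_lookup));
    return 0;
}
```

With a uid comparison, two names that share a uid count as the same account, and a name that no longer resolves is rejected.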