Public bug reported:
After upgrading an AD-joined host from Ubuntu 24.04 to Ubuntu 26.04, SSH
password authentication with a short AD username fails, while the fully
qualified username (user@domain) succeeds. Interactive local logon still
works. The same or equivalent SSSD configuration works on older Ubuntu
hosts. This appears to be a regression in the newer Ubuntu stack at the
OpenSSH ↔ PAM/SSSD username canonicalization boundary.
Affected host:
Ubuntu 26.04
- openssh-server 1:10.2p1-2ubuntu3.2
- openssh-client 1:10.2p1-2ubuntu3.2
- sssd 2.12.0-1ubuntu5.1
- sssd-ad 2.12.0-1ubuntu5.1
- sssd-common 2.12.0-1ubuntu5.1
- libpam-sss 2.12.0-1ubuntu5.1
- libnss-sss 2.12.0-1ubuntu5.1
Working comparison hosts:
Ubuntu 22.04 host with:
- openssh-server 1:8.9p1-3ubuntu0.15
- sssd 2.6.3-1ubuntu3.6
- The same behavior also reportedly worked on Ubuntu 24.04 before the upgrade
SSSD config on both old and new hosts includes:

  default_domain_suffix = domain
  use_fully_qualified_names = True

The host is AD-joined and uses SSSD for NSS/PAM.
---------------
Expected result
---------------
SSH password login with a short AD username should work as it did before the
upgrade, e.g.:

  ssh user@host

This is especially expected because:
- NSS resolves the short name correctly
- SSSD’s PAM responder maps the short name to the same AD identity
- Older Ubuntu hosts with the same basic SSSD settings allow this behavior
---------------
Actual result
---------------
Short-name SSH fails on Ubuntu 26.04:

  ssh user@host
  # Permission denied

But the fully qualified username succeeds:

  ssh 'user@domain'@host
  # success
---------------
Key observations
---------------
1) NSS resolves the short name successfully

Both commands return the same account entry:

  getent passwd user
  getent passwd 'user@domain'

2) The SSSD PAM responder accepts and canonicalizes the short name

/var/log/sssd/sssd_pam.log on the failing 26.04 host shows:
- name received as "user"
- default domain applied ("domain")
- lookup performed as "user@domain"
- authentication returns success

3) sshd on the failing 26.04 host rejects the short-name login after PAM
canonicalization

sshd -ddd on the failing host shows:

  PAM user "user" does not match expected "user@domain"
  PAM: password authentication failed for "user": User not known to the underlying authentication module

4) Equivalent short-name SSH works on the older Ubuntu host

  PAM: password authentication accepted for "user"
  Accepted password for "user" ...

The session environment still ends up fully qualified there, e.g.:

  USER=user@domain
  LOGNAME=user@domain
---------------
Suspected regression
---------------
Likely regression or behavior change in the Ubuntu 26.04 stack involving one of:
- OpenSSH 10.2 PAM username handling
- pam_sss / SSSD 2.12 canonical username return behavior
- Stricter mismatch handling between the originally requested SSH username and
the canonical identity returned by PAM/SSSD
I did not test any Ubuntu releases between 24.04 and 26.04, so this may
have been introduced somewhere in between rather than specifically in
Ubuntu 26.04 itself.
---------------
Workaround
---------------
Use the fully qualified username explicitly for SSH on affected hosts:

  ssh 'user@domain'@host

ProblemType: Bug
DistroRelease: Ubuntu 26.04
Package: openssh-server 1:10.2p1-2ubuntu3.2
ProcVersionSignature: Ubuntu 7.0.0-22.22-generic 7.0.0
Uname: Linux 7.0.0-22-generic x86_64
ApportVersion: 2.34.0-0ubuntu2
Architecture: amd64
CasperMD5CheckResult: pass
CloudArchitecture: x86_64
CloudID: none
CloudName: none
CloudPlatform: none
CloudSubPlatform: config
Date: Wed Jun 10 07:27:11 2026
InstallationDate: Installed on 2022-02-15 (1576 days ago)
InstallationMedia: Ubuntu-Server 20.04.3 LTS "Focal Fossa" - Release amd64
(20210824)
ProcEnviron:
LANG=en_US.UTF-8
PATH=(custom, user)
SHELL=/bin/bash
TERM=xterm-256color
XDG_RUNTIME_DIR=<set>
SSHDConfig: Error: command ['/usr/sbin/sshd', '-T'] failed with exit code 1:
sshd: no hostkeys available -- exiting.
SourcePackage: openssh
UpgradeStatus: Upgraded to resolute on 2026-06-09 (1 days ago)
** Affects: openssh (Ubuntu)
Importance: Undecided
Status: New
** Tags: amd64 apport-bug resolute
https://bugs.launchpad.net/bugs/2156330
Title:
Ubuntu 26.04 regression: AD short-name SSH password login fails after
SSSD canonicalizes user to FQ name, while FQ login succeeds
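Added example, not part of the original report and not code from OpenSSH or SSSD: a triage helper that reads the sshd debug message quoted in observation 3 and checks whether the two names differ only by the configured default_domain_suffix. The sssd.conf section layout, the second log line and the case-insensitive comparison are assumptions; "user" and "domain" are the report's placeholders.

```python
import configparser
import re

# Constructed sssd.conf fragment using the two settings from the report.
SSSD_CONF = """\
[sssd]
domains = domain
default_domain_suffix = domain

[domain/domain]
use_fully_qualified_names = True
"""

# Line 1 and line 3 are quoted in the report; line 2 is constructed.
SSHD_DEBUG = '''\
PAM user "user" does not match expected "user@domain"
PAM user "user" does not match expected "other@domain"
PAM: password authentication accepted for "user"
'''

MISMATCH = re.compile(r'PAM user "([^"]+)" does not match expected "([^"]+)"')


def default_suffix(conf_text):
    """Return default_domain_suffix from the [sssd] section, or None."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp.get("sssd", "default_domain_suffix", fallback=None)


def qualify(name, suffix):
    """Append the default domain to a short name; keep qualified names."""
    return name if "@" in name or not suffix else f"{name}@{suffix}"


def classify(log_text, suffix):
    """Return (pam_user, expected, verdict) for every mismatch line."""
    results = []
    for pam_user, expected in MISMATCH.findall(log_text):
        # Assumption: names are compared case-insensitively, as AD does.
        same = qualify(pam_user, suffix).lower() == qualify(expected, suffix).lower()
        results.append((pam_user, expected,
                        "same-identity" if same else "different-identity"))
    return results


if __name__ == "__main__":
    for row in classify(SSHD_DEBUG, default_suffix(SSSD_CONF)):
        print(*row)
```

A "same-identity" verdict marks a rejection of the kind described in this report; "different-identity" means the two names refer to different accounts and should be investigated separately.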