Beta `4515.1.0` and Alpha `4547.0.0` - sssd not working

[defo89]

Description

I am not able to authenticate on nodes with Beta 4515.1.0 and Alpha 4547.0.0 using ldap/sssd (keyboard-interactive).

Environment and steps to reproduce

1. Set-up:

# cat /etc/os-release
NAME="Flatcar Container Linux by Kinvolk"
ID=flatcar
ID_LIKE=coreos
VERSION=4515.1.0
VERSION_ID=4515.1.0
BUILD_ID=2025-12-12-1622
SYSEXT_LEVEL=1.0
PRETTY_NAME="Flatcar Container Linux by Kinvolk 4515.1.0 (Oklo)"
ANSI_COLOR="38;5;75"
HOME_URL="https://flatcar.org/"
BUG_REPORT_URL="https://issues.flatcar.org"
FLATCAR_BOARD="amd64-usr"
CPE_NAME="cpe:2.3:o:flatcar-linux:flatcar_linux:4515.1.0:*:*:*:*:*:*:*"

2. Task: keyboard-interactive login
3. Error:

On the server:

systemd[1]: Started sshd@2-10.1.1.7:22-10.2.2.8:52976.service - OpenSSH per-connection server daemon.
sshd[1298002]: PAM user mismatch
systemd[1]: sshd@2-10.1.1.7:22-10.2.2.8:52976.service: Deactivated successfully.

On the client:

› ssh -v 10.1.1.74
OpenSSH_9.9p2, LibreSSL 3.3.6
debug1: Reading configuration data /HOME/.ssh/config
--snip--
debug1: Authentications that can continue: publickey,keyboard-interactive
debug1: Next authentication method: keyboard-interactive
Connection closed by 10.1.1.74 port 22

Expected behavior

Exact same /etc/pam.d/system-auth and /etc/sssd/sssd.conf config has worked previously.

Additional information

It works right away if I downgrade to the previous beta:

flatcar-update --to-version 4459.1.2 --listen-port-2 9093 && reboot

or current stable:

flatcar-update --to-version 4515.1.0 --listen-port-2 9093 && reboot

[tormath1]

Hello @defo89, thanks for this issue. I know that @krnowak did some work on the SSSD side some times ago: flatcar/scripts#3478, could it be linked?

[defo89]

Update from the last release:

• Stable 4459.2.3 -> still works
• Beta 4547.1.0 -> still broken

[tormath1]

Hello @defo89 and thanks for raising this before it reaches stable.

Any chance to get some logs from journalctl --no-pager -o cat -u sssd.service? There are some bumps of version between stable and beta on the pam / sssd side. This could be related.

[s10]

I believe this problem might be partially caused by the following PRs:
flatcar/baselayout#38 + flatcar/scripts#1706

sssd flag is not set for sys-auth/pambase, see https://github.com/flatcar/scripts/blame/da64407a23edc165eca725670e376ad09d90b487/sdk_container/src/third_party/coreos-overlay/profiles/coreos/base/package.use#L196

/usr/lib/pam/system-auth before:

auth		required	pam_env.so
auth		requisite	pam_faillock.so preauth deny=5 unlock_time=60 fail_interval=120
auth		sufficient	pam_unix.so try_first_pass likeauth nullok
auth		sufficient	pam_sss.so use_first_pass
auth		[default=die]	pam_faillock.so authfail deny=5 unlock_time=60 fail_interval=120
auth		required	pam_deny.so

account		required	pam_unix.so
# Don't fail if the user is unknown to sssd or if sssd isn't running
account		required	pam_sss.so ignore_unknown_user ignore_authinfo_unavail
account		required	pam_faillock.so
account		optional	pam_permit.so

password	sufficient	pam_unix.so try_first_pass nullok sha512 shadow minlen=8
password	sufficient	pam_sss.so use_authtok
password	required	pam_deny.so

session		required	pam_limits.so
session		required	pam_env.so
session		required	pam_unix.so
session		optional	pam_permit.so
session		optional	pam_sss.so
-session        optional        pam_systemd.so

/usr/lib/pam/system-auth after:

auth		required	pam_env.so
# FLATCAR: Added deny, unlock_time and fail_interval to override defaults.
auth		requisite	pam_faillock.so preauth preauth deny=5 unlock_time=60 fail_interval=120
auth		[success=1 new_authtok_reqd=1 ignore=ignore default=bad]	pam_unix.so nullok  try_first_pass
auth		[default=die]	pam_faillock.so authfail
account		required	pam_unix.so
account		required	pam_faillock.so
password	required	pam_unix.so try_first_pass shadow  nullok sha512
session		required	pam_limits.so
session		required	pam_env.so
session		optional	pam_umask.so silent
session		required	pam_unix.so

Another issue is that since OpenSSH 10.1 it is incompatible with sssd.conf case_sensitive = false option because of the openssh/openssh-portable@140bae1
With case-sensitive set to false it was possible to authenticate as user123 for User123.

* [sshd(8)](https://man.openbsd.org/sshd.8): check the username didn't change during the PAM
   transactions.

   PAM modules can change the user during their execution, but
   this is not supported by [sshd(8)](https://man.openbsd.org/sshd.8). If such a case was incorrectly
   configured by the system administrator, then [sshd(8)](https://man.openbsd.org/sshd.8) could end up
   using a different username to the one authorised by PAM.

[tormath1]

Thanks @s10 for this. I've just been able to reproduce the issue with a local LDAP service and I've came to the same conclusion regarding the missing pam_sss PAM modules.

Let's build an image with the sssd useflag being enabled to see if we can get back to a more proper system-auth configuration.