nixos/sshServe: strange behavior when users.mutableUsers is used #391124

@qbit

Nixpkgs version

  • Stable (24.11)

Describe the bug

When users.mutableUsers is true and services.openssh.settings.UsePAM is false, I am unable to ssh into the sshServe service, but only on first boot. If I boot and update to the same revision I am currently running, I am able to ssh in.

Turning on UsePAM seems to make it work in either situation.

Mar 18 17:42:46 pwntie sshd-session[2058]: User nix-ssh not allowed because account is locked
Mar 18 17:42:46 pwntie sshd-session[2058]: Connection closed by invalid user nix-ssh 10.6.0.224 port 36504 [preauth]

.... REBUILD INTO CURRENT REVISION ....

Mar 18 17:48:20 pwntie sshd-session[2860]: Accepted publickey for nix-ssh from 10.6.0.224 port 57488 ssh2: ED25519 SHA256:7jSyKphBUFOqPEyzIuGkcdOMmQsV3fIFLdDREFEw4vg
Mar 18 17:48:20 pwntie nix-daemon[2866]: accepted connection from pid 2863, user nix-ssh

Steps to reproduce

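{ config, ... }:
{
  config = {
    # Serve the Nix store over SSH to the listed public keys.
    nix.sshServe = {
      enable = true;
      keys = [
        "...."
      ];
    };
    services = {
      # PAM disabled; turning it on avoids the problem described above.
      openssh.settings.UsePAM = false;
    };
    # users.mutableUsers is left at its default (true).
  };
}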

Expected behaviour

I expect the ssh behavior to be the same on first boot as it is after switching to the revision I am already on. Or an error if the configuration is not supported.

System metadata

  • system: "x86_64-linux"
  • host os: Linux 6.13.7, XinOS, 24.11 (Vicuna), 24.11.20250318.da04445
  • multi-user?: yes
  • sandbox: yes
  • version: nix-env (Lix, like Nix) 2.91.1
      System type: x86_64-linux
      Additional system types: aarch64-linux, armv6l-linux, i686-linux, riscv64-linux
      Features: gc, signed-caches
      System configuration file: /etc/nix/nix.conf
      User configuration files: /root/.config/nix/nix.conf:/etc/xdg/nix/nix.conf:/.config/guix/current/etc/xdg/nix/nix.conf:/root/.guix-home/profile/etc/xdg/nix/nix.conf:/root/.guix-profile/etc/xdg/nix/nix.conf:/root/.nix-profile/etc/xdg/nix/nix.conf:/nix/profile/etc/xdg/nix/nix.conf:/root/.local/state/nix/profile/etc/xdg/nix/nix.conf:/etc/profiles/per-user/root/etc/xdg/nix/nix.conf:/nix/var/nix/profiles/default/etc/xdg/nix/nix.conf:/run/current-system/sw/etc/xdg/nix/nix.conf
      Store directory: /nix/store
      State directory: /nix/var/nix
      Data directory: /nix/store/riqr33jgc60nsk8w2d0blq17y8skp0yn-lix-2.91.1/share
  • nixpkgs: /nix/store/s3bhg6p26cqi1hm2lamjjdwaiq49g2hn-source

Labels

  • 0.kind: bug (Something is broken)
  • 2.status: stale (https://github.com/NixOS/nixpkgs/blob/master/.github/STALE-BOT.md)
  • 6.topic: nixos (Issues or PRs affecting NixOS modules, or package usability issues specific to NixOS)

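As an added diagnostic example (not from the issue author or from nixpkgs): the script below extracts the users that sshd rejected with the "account is locked" message from journal text and shows how each user's shadow entry would be classified. It assumes the rejection comes from sshd's non-PAM account check, which on Linux treats a shadow password field starting with `!` as locked; the function names and the sample data are constructed.

```sh
#!/bin/sh
# Added diagnostic example; not part of the issue or of nixpkgs.
# Assumption: with UsePAM off, sshd on Linux treats a shadow password field
# starting with "!" as a locked account and logs the rejection seen above.

# locked_rejections LOGFILE: users sshd rejected as locked, one per line.
locked_rejections() {
    sed -n 's/.*sshd[^:]*: User \([^ ]*\) not allowed because account is locked$/\1/p' "$1" | sort -u
}

# shadow_lock_state SHADOWFILE USER: prints locked | not-locked | no-entry.
shadow_lock_state() {
    awk -F: -v u="$2" '
        $1 == u { found = 1
                  state = (substr($2, 1, 1) == "!") ? "locked" : "not-locked"
                  print state }
        END     { if (!found) print "no-entry" }' "$1"
}

# report LOGFILE SHADOWFILE: "user state" for every user named in a rejection.
report() {
    locked_rejections "$1" | while read -r user; do
        printf '%s %s\n' "$user" "$(shadow_lock_state "$2" "$user")"
    done
}

# Constructed sample input: the log lines follow the shape shown in the issue,
# the shadow entries are made up. On a real host, pass saved journal text and
# /etc/shadow (readable by root) to report instead.
demo() {
    dir=$(mktemp -d)
    cat > "$dir/log" <<'EOF'
Mar 18 17:42:46 pwntie sshd-session[2058]: User nix-ssh not allowed because account is locked
Mar 18 17:48:20 pwntie sshd-session[2860]: Accepted publickey for nix-ssh from 10.6.0.224 port 57488 ssh2
EOF
    cat > "$dir/shadow" <<'EOF'
nix-ssh:!:1::::::
alice:$y$j9T$constructed:1::::::
EOF
    report "$dir/log" "$dir/shadow"
    rm -rf "$dir"
}
demo
```

Running `report` once on first boot and again after the rebuild shows whether the shadow entry for `nix-ssh` differs between the two states.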