On 08/19/2013 01:48 PM, Sophit4 wrote:
> Thank you for your response and I accept your explanation.
>
> Here's why I'm concerned: this particular internal site has SSH
> client users who will be confused by an apparent successful
> authentication (password accepted without feedback) followed by an
> abrupt, uninformative disconnect.
>
> FYI, with pam_ldap-185-11.el6.x86_64 configured with the
> following in /etc/pam_ldap.conf on RHEL 6.4
>
> pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
>
> and the same sshd package, I get the following when the test group
> isn't available in the LDAP tree:
>
> [test-client Desktop]$ ssh test-server
> *You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.*
This is generally a bad practice, as it gives a potential attacker information about what they need to do in order to gain access.

I'd agree that you should at least see "Access denied by server configuration" so you know it's kicking you out on purpose (rather than a bug). Feel free to file an RFE against SSSD about this.
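To illustrate the distinction the reply draws (the pam_groupdn message that names the required group versus a fixed denial message with the reason kept in the server-side log), here is an added Python example; it is not SSSD or pam_ldap code, and the group-membership directory and user names are constructed for the demonstration.

```python
"""Two ways to report a group-based access denial to an SSH client.

leaky_access_check  - mirrors the pam_groupdn behaviour quoted in the thread:
                      the client is told which group DN it must belong to.
hardened_access_check - the client only sees a fixed message; the required
                      group and the user involved go to the server log, where
                      the administrator can see the denial was intentional.
"""
import logging

# Group DN taken from the thread's pam_groupdn line.
REQUIRED_GROUP_DN = "cn=GoodUsers,ou=x,ou=y,o=z"
# Message the reply suggests showing the client on an intentional denial.
GENERIC_DENIAL = "Access denied by server configuration"

# Constructed sample directory: user -> DNs of the groups the user belongs to.
SAMPLE_DIRECTORY = {
    "alice": ["cn=GoodUsers,ou=x,ou=y,o=z", "cn=Staff,ou=x,ou=y,o=z"],
    "bob": ["cn=Staff,ou=x,ou=y,o=z"],
}

log = logging.getLogger("access-control")


def leaky_access_check(user, directory=SAMPLE_DIRECTORY):
    """Return (allowed, client_message, server_log_line).

    The denial text reveals the exact group an attacker would need to join.
    """
    if REQUIRED_GROUP_DN in directory.get(user, []):
        return True, "", f"access granted user={user}"
    msg = f"You must be a member of {REQUIRED_GROUP_DN} to login."
    return False, msg, f"access denied user={user}"


def hardened_access_check(user, directory=SAMPLE_DIRECTORY):
    """Return (allowed, client_message, server_log_line).

    The client gets a fixed message; the reason is recorded only server-side.
    """
    if REQUIRED_GROUP_DN in directory.get(user, []):
        line = f"access granted user={user} group={REQUIRED_GROUP_DN}"
        log.info(line)
        return True, "", line
    line = f"access denied user={user} missing_group={REQUIRED_GROUP_DN}"
    log.warning(line)
    return False, GENERIC_DENIAL, line
```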
