On Mon, 2013-08-19 at 13:48 -0400, Sophit4 wrote:
> Thank you for your response and I accept your explanation.
>
> Here's why I'm concerned: this particular internal site has SSH client
> users who will be confused by an apparent successful authentication
> (password accepted without feedback) followed by an abrupt,
> uninformative disconnect.
>
> FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the
> following in /etc/pam_ldap.conf on RHEL 6.4
>
> pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
>
> and the same sshd package, I get the following when the test group
> isn't available in the LDAP tree:
>
> [test-client Desktop]$ ssh test-server
> You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.
> Connection closed by 111.222.123.45
> [test-client Desktop]$
Ok, it seems like a message may be returned by PAM. Can you open an RFE(*)
ticket to support this in pam_sss? If anything can be done, that's where
we can do it.

> But when /etc/security/access.conf is configured with precedence
> in /etc/pam.d/ files, the disconnect is also abrupt like SSS.

I guess pam_access is not returning messages either.

Simo.

(*) Request For Enhancement

> On Mon, Aug 19, 2013 at 8:23 AM, Simo Sorce <[email protected]> wrote:
> > On Thu, 2013-08-15 at 12:06 -0400, Sophit4 wrote:
> > > SSH Server is running on a RHEL 6.4 system with version
> > > sssd-1.9.2-82.7.el6_4.x86_64.
> > >
> > > I'm using access_provider = ldap in sssd.conf and
> > > ldap_access_filter = memberOf=cn=GoodUsers,ou=x,ou=y,o=z
> > >
> > > This is working as intended but remote ssh users not in group
> > > GoodUsers are simply disconnected with no error message after
> > > successfully authenticating via authorized_keys or LDAP password.
> > >
> > > Is there a way to better inform the end user the general reason for
> > > the disconnect?
> >
> > I do not think SSH will allow you to do that. The author sees dropping
> > any further communication as soon as the user is denied as a security
> > feature I believe.
> >
> > They do the same on password changes.
> >
> > Simo.
> >
> > > Current behavior:
> > >
> > > [usr1@test-client Desktop]$ ssh test-server
> > > Connection closed by 192.168.1.22
> > >
> > > [root@test-server ~]# tail -1 /var/log/secure
> > >
> > > Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user
> > > usr1 by PAM account configuration
> > >
> > > Thanks in advance.
> > >
> > > _______________________________________________
> > > sssd-devel mailing list
> > > [email protected]
> > > https://lists.fedorahosted.org/mailman/listinfo/sssd-devel

--
Simo Sorce * Red Hat, Inc * New York
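Since sshd drops the connection without telling the client anything once the PAM account stage fails, the only record of the denial is the server-side "fatal: Access denied for user ... by PAM account configuration" line quoted in the thread. The following Python script is an added example, not code from the thread or from SSSD: it parses constructed /var/log/secure lines for that message and counts denials per user, so an operator can spot accounts repeatedly failing the ldap_access_filter check and tell those users why out of band.

```python
import re
from collections import Counter

# Constructed sample of /var/log/secure lines (not captured from a real host).
SAMPLE_SECURE_LOG = """\
Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user usr1 by PAM account configuration
Aug 15 11:41:02 test-server sshd[5570]: Accepted publickey for usr2 from 192.168.1.50 port 50122 ssh2
Aug 15 11:41:30 test-server sshd[5581]: fatal: Access denied for user usr1 by PAM account configuration
Aug 15 11:42:11 test-server sshd[5590]: fatal: Access denied for user usr3 by PAM account configuration
Aug 15 11:43:00 test-server sshd[5598]: pam_unix(sshd:session): session opened for user usr2 by (uid=0)
"""

# sshd emits this exact message when a PAM account module (pam_sss, pam_access, ...)
# returns a denial after authentication already succeeded.
PAM_ACCOUNT_DENIED = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"fatal: Access denied for user (?P<user>\S+) by PAM account configuration$"
)


def parse_pam_account_denials(log_text):
    """Return one dict (ts, host, pid, user) per sshd PAM-account denial line."""
    events = []
    for line in log_text.splitlines():
        match = PAM_ACCOUNT_DENIED.match(line.strip())
        if match:
            events.append(match.groupdict())
    return events


def denials_per_user(log_text, threshold=2):
    """Count denials per user; flag users with at least `threshold` denials.

    Returns (counts_by_user, sorted_list_of_flagged_users).
    """
    counts = Counter(event["user"] for event in parse_pam_account_denials(log_text))
    flagged = sorted(user for user, n in counts.items() if n >= threshold)
    return dict(counts), flagged


if __name__ == "__main__":
    counts, flagged = denials_per_user(SAMPLE_SECURE_LOG)
    for user, n in sorted(counts.items()):
        print(f"{user}: {n} denial(s) by PAM account configuration")
    print("notify out of band:", flagged)
```

Run against a live file with `tail -f /var/log/secure` piped in, the same parser distinguishes these post-authentication denials from ordinary failed logins, which never produce the "PAM account configuration" wording.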
