Thank you for your response and I accept your explanation.

Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.

FYI, with the pam_ldap-185-11.el6.x86_64 based configured with the following in /etc/pam_ldap.conf on RHEL 6.4

pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z

and the same sshd package, I get the following when the test group isn't available in the LDAP tree:

[test-client Desktop]$ ssh test-server
You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.
Connection closed by 111.222.123.45
[test-client Desktop]$

But when /etc/security/access.conf is configured with precedence in /etc/pam.d/ files, the disconnect is also abrupt like SSS.



On Mon, Aug 19, 2013 at 8:23 AM, Simo Sorce <simo@redhat.com> wrote:
On Thu, 2013-08-15 at 12:06 -0400, Sophit4 wrote:
> SSH Server is running on a RHEL 6.4 system with version
> sssd-1.9.2-82.7.el6_4.x86_64.
>
> I'm using access_provider = ldap in sssd.conf and ldap_access_filter =
> memberOf=cn=GoodUsers,ou=x,ou=y,o=z
>
>
> This is working as intended but remote ssh users not in group
> GoodUsers are simply disconnected with no error message after
> successfully authenticating via authorized_keys or LDAP password.
>
>
> Is there a way to better inform the end user the general reason for
> the disconnect?


I do not think SSH will allow you to do that. The author sees dropping
any further communication as soon as the user is denied as a security
feature I believe.

They do the same on password changes.

Simo.
>
> Current behavior:
>
>
> [usr1@test-client Desktop]$ ssh test-server
> Connection closed by 192.168.1.22
>
> [root@test-server ~]# tail -1 /var/log/secure
>
> Aug 15 11:40:20 test-server sshd[5562]: fatal: Access denied for user
> usr1 by PAM account configuration
>
>
>
> Thanks in advance.
>
> _______________________________________________
> sssd-devel mailing list
> sssd-devel@lists.fedorahosted.org
> https://lists.fedorahosted.org/mailman/listinfo/sssd-devel


--
Simo Sorce * Red Hat, Inc * New York

_______________________________________________
sssd-devel mailing list
sssd-devel@lists.fedorahosted.org
https://lists.fedorahosted.org/mailman/listinfo/sssd-devel