-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 08/19/2013 01:48 PM, Sophit4 wrote:
> Thank you for your response and I accept your explanation.
> Here's why I'm concerned: this particular internal site has SSH client users who will be confused by an apparent successful authentication (password accepted without feedback) followed by an abrupt, uninformative disconnect.
> FYI, with a pam_ldap-185-11.el6.x86_64 based configuration with the following in /etc/pam_ldap.conf on RHEL 6.4
> pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z
> and the same sshd package, I get the following when the test group isn't available in the LDAP tree:
> [test-client Desktop]$ ssh test-server
> You must be a member of cn=GoodUsers,ou=x,ou=y,o=z to login.
This is generally a bad practice, as it gives a potential attacker information about what they need to do in order to gain access. I'd agree that you should at least see "Access denied by server configuration" so you know it's kicking you out on purpose (rather than a bug). Feel free to file an RFE against SSSD about this.
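For readers comparing the two stacks, the pam_ldap setting from the quoted message is shown here beside the way the same group restriction is expressed in SSSD. This is an added example, not configuration taken from the thread or from the SSSD project; the domain name "example", the ldap_uri host, the search base and the use of the memberOf attribute are assumptions (the filter only works if the directory exposes memberOf on user entries).

```ini
# /etc/pam_ldap.conf (RHEL 6, pam_ldap): the setting from the quoted message.
# On denial pam_ldap tells the client which group it must belong to, so the
# gating group DN is revealed to anyone who can reach sshd.
pam_groupdn cn=GoodUsers,ou=x,ou=y,o=z

# /etc/sssd/sssd.conf: the same restriction as an SSSD LDAP access filter.
# Domain name "example", the host in ldap_uri, the search base and the
# memberOf attribute are assumptions for this example.
# SSSD enforces this in the account phase; the client sees the denial as the
# uninformative disconnect discussed above rather than the group DN.
[sssd]
services = nss, pam
domains = example

[domain/example]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = o=z
access_provider = ldap
ldap_access_order = filter
ldap_access_filter = (memberOf=cn=GoodUsers,ou=x,ou=y,o=z)
```

With the SSSD form, a user whose entry lacks the memberOf value (or whose group is absent from the tree, as in the quoted test) is denied without the client being told which group would have granted access; the trade-off is exactly the one the thread raises, since legitimate users get no hint either unless sshd is made to print a generic "access denied by server configuration" style message.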