Applies To: All versions of Centrify DirectControl
Problem: Users are denied access when trying to log in via SSH. The following message is seen in the SSH debug logs:
User <user_name> not allowed because none of user's groups are listed in AllowGroups
Cause: OpenSSH's server configuration file is sshd_config. If using Centrify-Enabled OpenSSH, the path is /etc/centrifydc/ssh/sshd_config.
By default, the AllowGroups parameter does not exist in sshd_config, but it is a valid parameter. If it is added to sshd_config with a space-delimited list of groups, SSH login access is restricted to users who are members of one of the listed groups.
AllowGroups <unix_group_1> <unix_group_2> … <unix_group_n>
If the AllowGroups parameter is not present in the sshd_config file, all users are allowed to log in.
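The check described above can be reproduced offline to see which group, if any, lets a user in. This is an added example, not Centrify or OpenSSH code; the function names are hypothetical, only global AllowGroups lines are read (Match blocks and Include files are not evaluated), and negated (!) patterns are not handled.

```sh
#!/bin/sh
# Added example (not Centrify or OpenSSH code).
# Assumptions: only global AllowGroups lines are read (Match blocks and
# Include files are not evaluated); negated (!) patterns are not handled.

# allowgroups_patterns CONFIG: print each AllowGroups pattern on its own line.
# The keyword is case-insensitive and repeated AllowGroups lines accumulate.
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" {
             for (i = 2; i <= NF; i++) { if ($i ~ /^#/) break; print $i }
         }' "$1"
}

# check_allowgroups CONFIG GROUP...
# Returns 0 if AllowGroups is absent or one GROUP matches a pattern, else 1.
check_allowgroups() {
    conf=$1; shift
    patterns=$(allowgroups_patterns "$conf")
    if [ -z "$patterns" ]; then
        echo "AllowGroups not set: no group restriction"
        return 0
    fi
    for grp in "$@"; do
        # read (not word splitting) keeps '*' in a pattern from being
        # expanded against file names in the current directory
        while IFS= read -r pat; do
            case $grp in
                $pat) echo "allowed: group '$grp' matches '$pat'"; return 0 ;;
            esac
        done <<EOF
$patterns
EOF
    done
    echo "denied: none of [$*] is listed in AllowGroups"
    return 1
}

# Constructed sample config and group lists, for demonstration only.
demo_conf=$(mktemp)
printf '%s\n' '#AllowGroups old_group' 'AllowGroups unixadmins dba_*' \
    'allowgroups auditors' > "$demo_conf"
check_allowgroups "$demo_conf" staff dba_prod
check_allowgroups "$demo_conf" staff users || true
rm -f "$demo_conf"
```

On a real host, pass the sshd_config path given above and the output of "id -Gn <user_name>" as the group list.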
Resolution:
Either remove or comment out the AllowGroups parameter in the sshd_config file, or add the groups that the AD users are members of to the AllowGroups parameter to allow them to log in.
After making the changes and saving the sshd_config file, restart the sshd service for the settings to take effect.
/etc/init.d/centrify-sshd restart
Note: See “man sshd_config” for all known parameters.
See also the following KBs:
KB-5452: How to enable debug for PuTTy / SSH clients?
KB-1698: Troubleshooting Single Sign On (SSO) issues
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?