KB-3705: Cannot login AD user via SSH (not listed in AllowGroups)

Authentication Service

3 March,17 at 09:01 PM

Applies To:

All versions of Centrify DirectControl


Users are denied access when trying to login via SSH. The following message is seen in the ssh debug logs:
User <user_name> not allowed because none of user's groups are listed in AllowGroups


OpenSSH’s configuration file is sshd_config. If using Centrify-Enabled OpenSSH, the path is /etc/centrifydc/ssh/sshd_config.

By default, the AllowGroups parameter is not present in sshd_config, but it is a valid parameter.

If it is added to sshd_config with a space-delimited list of groups, SSH login access is restricted to users who are members of the listed group(s).
AllowGroups <unix_group_1> <unix_group_2> … <unix_group_n>

If the AllowGroups parameter is not present in the sshd_config file, all users are allowed to log in.

Either remove or comment out the AllowGroups parameter in the sshd_config file, or add the groups that the AD users are members of to the AllowGroups parameter, to allow them to log in.

After making the changes and saving the sshd_config file, restart the sshd service for the settings to take effect.

/etc/init.d/centrify-sshd restart

See “man sshd_config” for all known parameters.
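
The group check described above can be reproduced before editing the file. The script below is an added example, not Centrify or OpenSSH code: the function names, the sample configuration and the group lists are constructed for illustration. It assumes group names without spaces, pools the patterns from every AllowGroups line, and does not evaluate Match blocks or negated (!) patterns.

```shell
#!/bin/sh
# Added example: report whether a set of groups satisfies AllowGroups.

# Print every group pattern found on AllowGroups lines (keyword is
# case-insensitive; commented-out lines are skipped).
allowgroups_patterns() {
    awk 'tolower($1) == "allowgroups" { for (i = 2; i <= NF; i++) print $i }' "$1"
}

# check_allowgroups CONFIG "GROUP1 GROUP2 ..."
# Returns 0 if login is not blocked by AllowGroups, 1 if it is.
check_allowgroups() {
    config=$1
    user_groups=$2
    patterns=$(allowgroups_patterns "$config")
    if [ -z "$patterns" ]; then
        echo "AllowGroups not set: no group restriction"
        return 0
    fi
    set -f   # keep * and ? in patterns from expanding to file names
    for pat in $patterns; do
        for grp in $user_groups; do
            case $grp in
                $pat) set +f
                      echo "allowed: group '$grp' matches '$pat'"
                      return 0 ;;
            esac
        done
    done
    set +f
    echo "denied: none of user's groups are listed in AllowGroups"
    return 1
}

# Constructed sample configuration and group lists (not from a real host).
sample=$(mktemp)
printf '%s\n' '#AllowGroups oldgroup' 'Port 22' \
    'AllowGroups unixadmins ssh_*' > "$sample"
check_allowgroups "$sample" "staff ssh_users" || true
check_allowgroups "$sample" "staff developers" || true
rm -f "$sample"

# On a live host (user name is a placeholder):
#   check_allowgroups /etc/centrifydc/ssh/sshd_config "$(id -Gn <user_name>)"
```

If the script reports "denied" for a user who should have access, compare the output of "id -Gn" for that user with the AllowGroups line to see which group needs to be added.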

See also the following KBs:
KB-5452: How to enable debug for PuTTY / SSH clients?
KB-1698: Troubleshooting Single Sign On (SSO) issues
KB-4303: How to troubleshoot SSH Single-Sign-On (SSO) and nested SSO?