KB-6511: After upgrade to 2016 Centrify DirectControl and Centrify-Enabled OpenSSH, PKI based SSH login fails

Centrify DirectControl

23 June,16 at 03:47 PM

Applies to:

Centrify DirectControl 5.3.0 on All Linux platforms


Question:

After upgrading Centrify DirectControl and Centrify OpenSSH to 5.3.0-208/7.1p1, PKI (public-key infrastructure) based SSH login fails even though dzssh-sftp rights are in place on the destination server, as shown below.

SSH Rights      Avail Source Roles
--------------- ----- --------------------
dzssh-sftp      Yes   sftp/XXXX-YYYY

Role:

sftp/XXXX-YYYY None -FTP

where XXXX-YYYY is the destination SSH server.

Both the Centrify OpenSSH client and the Centrify OpenSSH server use the latest versions.

With a previous version of Centrify DirectControl (earlier than 5.3.0), or with stock SSH, PKI works fine with the same rights.

Snippet of the error when ssh -vvvv is run from the client to the server:

debug2: PTY allocation request accepted on channel 0
debug2: channel_input_status_confirm: type 99 id 0
debug2: shell request accepted on channel 0
Received disconnect from x.x.x.x: 2: dzssh-shell access denied.
Disconnected from x.x.x.x


Snippet of the Centrify debug log:

Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: dzssh-shell
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: 10.10.1.87
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: didn't pass sam checking, user is not allowed to use this service




Answer:

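Both the disconnect message and the adclient debug log name dzssh-shell as the right that was denied. For the destination SSH server, add the built-in dzssh-shell (Terminal tty/pty) right to the role in Centrify Access Manager, then confirm the change by running dzinfo on the destination server. PKI-based SSH login should then work.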
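
An added triage example, not part of the original article or of Centrify's tooling: it scans adclient debug output for denied SSH rights, so the right missing from the role can be read straight from the log. It assumes the layout of the debug-log snippet above (right name, client address and reason as three consecutive UTF8STRING values on one fd); the fd:30 event, the 192.0.2.10 address and the sshd line are constructed.

```python
import re

# Constructed sample: the fd:29 lines mirror the article's snippet; the
# interleaved fd:30 event (192.0.2.10) and the sshd line are made up.
SAMPLE_LOG = """\
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: dzssh-shell
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:30 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: dzssh-sftp
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: 10.10.1.87
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:30 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: 192.0.2.10
Mar 8 06:42:55 XXX-YYYY adclient[14854]: DEBUG <fd:29 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: didn't pass sam checking, user is not allowed to use this service
Mar 8 06:42:56 XXX-YYYY adclient[14854]: DEBUG <fd:30 ATProxySetAuditTrailEvent > daemon.ipcclient2 UTF8STRING: didn't pass sam checking, user is not allowed to use this service
Mar 8 06:42:56 XXX-YYYY sshd[2201]: constructed unrelated line
"""

LINE = re.compile(
    r"adclient\[(?P<pid>\d+)\]: DEBUG <fd:(?P<fd>\d+) ATProxySetAuditTrailEvent\s*> "
    r"\S+ UTF8STRING: (?P<value>.*)$"
)
RIGHT = re.compile(r"^dzssh-[\w-]+$")   # e.g. dzssh-shell, dzssh-sftp
DENIED = "didn't pass sam checking"     # reason text from the article's log

def denied_rights(log_text):
    """Return [(right, client, reason)] for every denied SSH right in the log."""
    pending = {}    # (pid, fd) -> UTF8STRING values collected for one event
    findings = []
    for line in log_text.splitlines():
        m = LINE.search(line)
        if not m:
            continue                      # not an audit-trail UTF8STRING line
        key = (m["pid"], m["fd"])         # events on different fds may interleave
        value = m["value"].strip()
        if RIGHT.match(value):
            pending[key] = [value]        # a right name starts a new event
        elif key in pending:
            pending[key].append(value)
        if len(pending.get(key, ())) == 3:
            right, client, reason = pending.pop(key)
            if DENIED in reason:
                findings.append((right, client, reason))
    return findings

if __name__ == "__main__":
    for right, client, reason in denied_rights(SAMPLE_LOG):
        print(f"{client}: denied {right} ({reason})")
```

Each right reported this way is a candidate to add to the role in Centrify Access Manager, after which dzinfo on the destination server should list it.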

 
