When configuring AD authentication via SSSD on RHEL 7.5 systems, one particularly vexing error occurs during SSH login attempts:
Connection closed by UNKNOWN port 65535
This typically manifests after entering credentials in the format ssh user@domain@host, where authentication appears to proceed but then abruptly terminates.
The /var/log/secure log reveals the critical clues:
sshd[12752]: pam_krb5[12752]: account checks fail for 'user@domain': user disallowed by .k5login file for 'user@domain'
sshd[12752]: fatal: Access denied for user user@domain by PAM account configuration [preauth]
The root cause is typically a conflict between the pam_krb5 and pam_sss modules in the PAM stack. First verify that your /etc/sssd/sssd.conf contains a proper AD integration:
[domain/your.domain.com]
id_provider = ad
access_provider = ad
ad_server = dc1.your.domain.com
ad_backup_server = dc2.your.domain.com
krb5_realm = YOUR.DOMAIN.COM
krb5_store_password_if_offline = True
cache_credentials = True
Modify /etc/pam.d/sshd to prioritize SSSD:
# Remove or comment problematic krb5 lines
# auth sufficient pam_krb5.so
# account required pam_krb5.so
# Add these lines instead:
auth sufficient pam_sss.so
account [default=bad success=ok user_unknown=ignore] pam_sss.so
Ensure /etc/ssh/sshd_config contains:
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials yes
UsePAM yes
Run these diagnostic commands:
# Verify Kerberos ticket
kinit user@DOMAIN.COM
# Check SSSD status
systemctl status sssd
# Debug PAM interactions
tail -f /var/log/secure /var/log/messages
# Test SSSD directly
sssctl user-checks user@domain
- Restart services in order:
systemctl restart sssd && systemctl restart sshd
- Clear cached credentials:
sss_cache -E
- Verify time synchronization with AD:
ntpdate -q dc.your.domain.com
When attempting SSH authentication using Active Directory credentials on RHEL 7.5 machines configured with PAM and SSSD, users encounter immediate connection termination after password submission. The error manifests as:
Connection closed by UNKNOWN port 65535
Key log entries from /var/log/secure reveal:
sshd[12752]: pam_krb5[12752]: account checks fail for 'user@domainname': user disallowed by .k5login file
sshd[12752]: fatal: Access denied for user user@domainname by PAM account configuration [preauth]
Before diving into solutions, verify these fundamental requirements:
# Verify SSSD is running
systemctl status sssd
# Check time synchronization with AD
ntpstat
chronyc sources
# Confirm PAM modules
ls -l /etc/pam.d/sshd
The log indicates that the primary blocker is PAM's Kerberos module (pam_krb5) rejecting the user because of .k5login restrictions. This typically occurs when:
- The home directory exists but lacks proper permissions
- SSSD isn't properly mapping AD attributes
- PAM's account stack is misconfigured
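As an added example (not part of the original write-up), the following Python script ties the two symptoms together: it extracts the principals that pam_krb5 rejected from /var/log/secure lines and audits an /etc/pam.d/sshd file for an account-stack pam_krb5.so line that is still active alongside pam_sss.so. The log lines, the PAM fragment and the principal jdoe@example.com are constructed sample data.

```python
import re

# Constructed sample of /var/log/secure lines showing the failure pattern described above.
SAMPLE_SECURE_LOG = """\
sshd[12752]: pam_krb5[12752]: account checks fail for 'jdoe@example.com': user disallowed by .k5login file for 'jdoe@example.com'
sshd[12752]: fatal: Access denied for user jdoe@example.com by PAM account configuration [preauth]
sshd[12801]: Accepted publickey for admin from 10.0.0.5 port 51234 ssh2
"""
# Constructed /etc/pam.d/sshd fragment with the conflicting pam_krb5 account line still active.
SAMPLE_PAM_SSHD = """\
auth       sufficient   pam_sss.so
account    required     pam_krb5.so
account    [default=bad success=ok user_unknown=ignore] pam_sss.so
"""
K5LOGIN_RE = re.compile(r"pam_krb5\[\d+\]: account checks fail for '([^']+)':.*disallowed by \.k5login")
# The PAM control field is either a bare word or a bracketed expression that contains spaces.
PAM_LINE_RE = re.compile(r"^\s*(auth|account|password|session)\s+(\[[^\]]*\]|\S+)\s+(\S+)")

def k5login_rejections(log_text):
    """Return the principals that pam_krb5 rejected because of a .k5login check."""
    found = []
    for line in log_text.splitlines():
        m = K5LOGIN_RE.search(line)
        if m:
            found.append(m.group(1))
    return found

def audit_pam_sshd(pam_text):
    """Check the account stack for an active pam_krb5 line and for the pam_sss line."""
    result = {"krb5_account_active": False, "sss_account_present": False}
    for line in pam_text.splitlines():
        m = PAM_LINE_RE.match(line)
        if not m:  # comments, includes and blank lines are skipped
            continue
        stack, _control, module = m.groups()
        if stack == "account" and module == "pam_krb5.so":
            result["krb5_account_active"] = True
        if stack == "account" and module == "pam_sss.so":
            result["sss_account_present"] = True
    return result

def diagnose(log_text, pam_text):
    """Tie the log symptom to the PAM cause: rejections plus an active pam_krb5 account line."""
    audit = audit_pam_sshd(pam_text)
    audit["rejected_users"] = k5login_rejections(log_text)
    audit["pam_krb5_is_culprit"] = bool(audit["rejected_users"]) and audit["krb5_account_active"]
    return audit
```

Run it against the real files by reading /var/log/secure and /etc/pam.d/sshd into the two arguments of diagnose(); a result with pam_krb5_is_culprit set to True points at the PAM edit described in step 1.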
1. Modify PAM Configuration:
# Edit /etc/pam.d/sshd
# Comment out or remove any existing pam_krb5.so line
# Add these lines in place of the removed pam_krb5.so entries:
auth sufficient pam_sss.so use_first_pass
account [default=bad success=ok user_unknown=ignore] pam_sss.so
2. Update SSSD Configuration:
# In /etc/sssd/sssd.conf under [domain/YOUR.DOMAIN]
override_homedir = /home/%u
fallback_homedir = /home/%u
# Note: ad_gpo_map_deny lists PAM services that GPO access control always rejects;
# with permissive mode below, that rejection is only logged, not enforced
ad_gpo_map_deny = sshd
ad_gpo_access_control = permissive
3. Correct Home Directory Permissions:
chmod 711 /home
mkdir -p /home/user
chown user:domain\ users /home/user
chmod 700 /home/user
After making changes:
# Restart services
systemctl restart sssd sshd
# Test authentication
kinit user@DOMAIN
ssh -v user@domainname@hostname
Successful authentication should now complete without the port 65535 error. If issues persist, enable debug logging:
# Add to /etc/ssh/sshd_config
LogLevel DEBUG3
# Add to /etc/sssd/sssd.conf
debug_level = 9
If Kerberos (GSSAPI) continues to cause problems, fall back to public-key or password authentication through PAM:
# In /etc/ssh/sshd_config:
PubkeyAuthentication yes
GSSAPIAuthentication no
PasswordAuthentication yes
ChallengeResponseAuthentication no