Secure shell rights require PAM access rights
Before you configure any specific secure shell rights, you should also identify the PAM access right to use. The predefined PAM access right sshd—or ssh for Ubuntu computers—grants users permission to log on and use all secure shell services on Centrify-managed computers. You must grant the sshd, ssh, login-all, or a custom PAM access right before you can use any secure shell (SSH) rights to restrict access to specific services.
The SSH access rights only work in conjunction with the PAM access right that allows a user to log on using a secure shell session. If a user is not assigned to a role that grants the PAM access right to log on using a secure shell, SSH rights are ignored.
When a user attempts to log on using a secure shell session, adclient first verifies that at least one role in effect for the user has the PAM access right that allows the user to log on using SSH. If a PAM access right is in effect, adclient checks to see which specific SSH rights the user has before allowing or denying the action the user is attempting.
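The following audit sketch is an added example, not Centrify code or output from any Centrify tool. It models the two-stage check described above to find users whose SSH rights are silently ignored because no role in effect grants a PAM access right for SSH logon. The role and assignment layout, the SSH right names, and the custom PAM right name `corp-ssh-pam` are constructed for illustration; only `sshd`, `ssh`, and `login-all` come from this page.

```python
# Added example: a model of the check order, not adclient's implementation.
# PAM access rights this page names as permitting secure shell logon.
# Simplification: "ssh" (Ubuntu) and "sshd" are treated alike on every host.
SSH_LOGON_PAM_RIGHTS = {"sshd", "ssh", "login-all"}

def effective_ssh_rights(roles_in_effect, custom_pam=frozenset()):
    """Return (pam_ok, ssh_rights) for the roles in effect for one user."""
    allowed = SSH_LOGON_PAM_RIGHTS | set(custom_pam)
    # Stage 1: at least one role must carry a PAM right that allows SSH logon.
    pam_ok = any(allowed & set(r.get("pam", ())) for r in roles_in_effect)
    configured = set().union(*(r.get("ssh", ()) for r in roles_in_effect))
    # Stage 2 is only reached when stage 1 passes; otherwise SSH rights are ignored.
    return pam_ok, (configured if pam_ok else set())

def find_ignored_ssh_rights(assignments, roles, custom_pam=frozenset()):
    """Map each user to the SSH rights that are configured but never evaluated."""
    findings = {}
    for user, role_names in assignments.items():
        in_effect = [roles[name] for name in role_names]
        pam_ok, _ = effective_ssh_rights(in_effect, custom_pam)
        configured = set().union(*(r.get("ssh", ()) for r in in_effect))
        if configured and not pam_ok:
            findings[user] = sorted(configured)
    return findings

# Constructed sample data (hypothetical role names and SSH right labels).
ROLES = {
    "sftp-only":  {"pam": [],               "ssh": ["sftp-right"]},
    "unix-login": {"pam": ["sshd"],         "ssh": []},
    "ops-custom": {"pam": ["corp-ssh-pam"], "ssh": ["shell-right"]},
}
ASSIGNMENTS = {
    "alice": ["sftp-only"],                # SSH right but no PAM right: ignored
    "bob":   ["sftp-only", "unix-login"],  # PAM right comes from a second role
    "carol": ["ops-custom"],               # relies on a custom PAM right
}

if __name__ == "__main__":
    # Without declaring the custom PAM right, carol is flagged as well.
    print(find_ignored_ssh_rights(ASSIGNMENTS, ROLES))
    print(find_ignored_ssh_rights(ASSIGNMENTS, ROLES, {"corp-ssh-pam"}))
```

The model stops at collecting the SSH rights for stage two; how adclient maps those rights to a specific requested action is not modeled here.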