16

I am trying to set up a passwordless login from machineA to machineB for my user david, which already exists. This is what I did to generate the authentication keys:

david@machineA:~$ ssh-keygen -t rsa
........
david@machineB:~$ ssh-keygen -t rsa
........

After that I copied the id_rsa.pub key of machineA (/home/david/.ssh/id_rsa.pub) into the authorized_keys file on machineB (/home/david/.ssh/authorized_keys).

And then I went back to the machineA login screen and ran the command below, and it worked fine without any issues. So I was able to log in to machineB as the david user without being asked for any password.

david@machineA:~$ ssh david@machineB 

Question:

Now I created a new user on both machineA and machineB by running only this command: useradd golden. And now I want to ssh passwordless from this golden user on machineA into machineB. I did the same exact steps as above but it doesn't work.

david@machineA:~$ sudo su - golden
golden@machineA:~$ ssh-keygen -t rsa
........
david@machineB:~$ sudo su - golden
golden@machineB:~$ ssh-keygen -t rsa
........

And then I copied the id_rsa.pub key (/home/golden/.ssh/id_rsa.pub) for the golden user from machineA to the machineB authorized_keys file (/home/golden/.ssh/authorized_keys). And when I try to ssh, it gives me:

golden@machineA:~$ ssh golden@machineB
Connection closed by 23.14.23.10

What is wrong? It doesn't work only for the golden user, which I created manually through this useradd command. I am running Ubuntu 14.04. Are there any settings that I need to enable for this manually created user?

In the machineB auth.log file, below is what I am seeing when I run this command from machineA to log in: ssh -vvv golden@machineB

Jan 3 17:56:59 machineB sshd[25664]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan 3 17:56:59 machineB sshd[25664]: pam_access(sshd:account): access denied for user `golden' from `machineA'
Jan 3 17:56:59 machineB sshd[25664]: pam_sss(sshd:account): Access denied for user golden: 10 (User not known to the underlying authentication module)
Jan 3 17:56:59 machineB sshd[25664]: fatal: Access denied for user golden by PAM account configuration [preauth]

Is there anything I am missing? Below is what my directory structure looks like:

golden@machineA:~$ pwd
/home/golden
golden@machineA:~$ ls -lrtha
total 60K
-rw------- 1 golden golden  675 Nov 22 12:26 .profile
-rw------- 1 golden golden 3.6K Nov 22 12:26 .bashrc
-rw------- 1 golden golden  220 Nov 22 12:26 .bash_logout
drwxrwxr-x 2 golden golden 4.0K Nov 22 12:26 .parallel
drwxr-xr-x 2 golden golden 4.0K Nov 22 12:34 .vim
drwxr-xr-x 7 root   root   4.0K Dec 22 11:56 ..
-rw------- 1 golden golden  17K Jan  5 12:51 .viminfo
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
drwx------ 5 golden golden 4.0K Jan  5 12:51 .
-rw------- 1 golden golden 5.0K Jan  5 13:14 .bash_history
golden@machineB:~$ pwd
/home/golden
golden@machineB:~$ ls -lrtha
total 56K
-rw------- 1 golden golden  675 Dec 22 15:10 .profile
-rw------- 1 golden golden 3.6K Dec 22 15:10 .bashrc
-rw------- 1 golden golden  220 Dec 22 15:10 .bash_logout
drwxr-xr-x 7 root   root   4.0K Jan  4 16:43 ..
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
-rw------- 1 golden golden 9.9K Jan  5 12:59 .viminfo
drwx------ 6 golden golden 4.0K Jan  5 12:59 .
-rw------- 1 golden golden 4.6K Jan  5 13:10 .bash_history

Update:

In machineA:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash

In machineB:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash
10
  • Could you show /etc/passwd entry for the user? Commented Jan 5, 2017 at 22:55
  • I updated the question with the details. One thing: firstly I created the user without any password, and then later on I created the password for this golden user after some time. Commented Jan 5, 2017 at 23:00
  • pam_sss is giving user unknown. You need to verify how sssd is configured on your system. In some cases sssd is configured to cache credentials, so you may have to invalidate the cache/restart sssd Commented Jan 6, 2017 at 0:26
  • @VenkatC How can I restart sssd on my system? These are all VMs so I am not sure how it was configured, as we got this system from some other team. Commented Jan 6, 2017 at 0:32
  • systemctl restart sssd - should work on a systemd based server Commented Jan 6, 2017 at 0:40

5 Answers

18

The issue is with the PAM stack configuration. Your host is configured with pam_access and the default configuration is not allowing external/SSH access for the new user golden, even though your keys are set up properly.

Adding the golden user into /etc/security/access.conf as below fixed the issue.

+:golden:ALL

For more information read man access.conf, which explains each field of this file. Look at the examples section to understand the order and meanings of LOCAL, ALL, etc.

2
  • In my case I had to be added to a group that was given access permission in access.conf. Commented Dec 20, 2019 at 16:38
  • 1
    Most people haven't even looked at /etc/security/access.conf, much less edited it, so the simple answer given below is much more likely on balance. PAM pre-auth checks that the account is not locked in /etc/shadow. Implicit in that is that it must actually exist in /etc/shadow. Commented Aug 21, 2021 at 9:05
13

I had the same issue and none of the suggested options worked. But I found on one of the forums (https://ubuntuforums.org/showthread.php?t=1960510) a "workaround" which worked perfectly.

Edit /etc/ssh/sshd_config and set

UsePAM no 

While it's probably not the real solution, because something is definitely wrong with my machine (yesterday it was working fine!), this one at least works.

3
  • Funny enough, I have two servers on which I just installed Ubuntu 20 + LDAP; on one I disabled PAM and it worked, on the other it is working with it. The difference: on one we have passwd/shadow sync, on the other we do not... so it seems that disabling PAM forces it to use the LDAP login info... Commented Oct 13, 2020 at 18:19
  • 1
    "Workaround" is a kind word for this; I would be much less charitable. Disabling PAM means that if the user authenticates using an ssh key, you won't be able to prevent them from logging in by the "normal" method (disabling their account by marking it as "expired"). In most circumstances that would be a bad idea. As other answers have indicated, the problem is likely that the user who can't log in is probably disabled or missing in /etc/shadow. Commented Aug 21, 2021 at 9:01
  • @martin that's why I wrote that it's probably not a real solution. In the meantime, in my case it was just my working PC, without any other "users", so I absolutely don't care whether I'll be able to prevent other users from logging in. Commented Aug 22, 2021 at 10:44
9

I had the same issue. pam_access would deny a particular user on one machine but not others. Eventually, I realized I forgot to update /etc/shadow.

Once that was updated, the problem was fixed for me.

2
  • 2
    Dear reader: if this answer helps you, please up-vote it. Its simplicity is its truth, and /etc/shadow certainly should be checked before disabling PAM. Commented Aug 21, 2021 at 9:08
  • 1
    I had added the user/group by hand and forgotten about /etc/shadow. I found advice to use the 'pwconv' command to reconcile all entries in passwd with shadow. That did the trick for me. Commented Feb 4, 2023 at 20:12
0

Make sure you don't have an /etc/nologin file either. Those blank ones are nasty to debug.

1
  • 1
    Your answer could be improved with additional supporting information. Please edit to add further details, such as citations or documentation, so that others can confirm that your answer is correct. You can find more information on how to write good answers in the help center. Commented May 5 at 19:29
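The question's auth.log shows the denial coming from PAM's account phase, and the answers above name three local-account causes for that: a passwd entry with no matching /etc/shadow entry, an account marked expired in shadow, and a stray /etc/nologin. The script below is an added example, not code from the thread: one function that checks those three conditions for a user, run here against constructed copies of the files so it works offline. File paths are arguments; on a real host pass /etc/passwd /etc/shadow /etc/nologin (reading shadow needs root). Assumption of mine: "today" is taken from the system clock in days since the epoch, the unit shadow's expiry field uses.

```shell
#!/bin/sh
# Added example, not from the thread: checks the local-account conditions this
# thread names behind "Access denied for user X by PAM account configuration".
# Assumption (mine): today's date is derived from the system clock.

# check_account USER PASSWD_FILE SHADOW_FILE NOLOGIN_FILE
# Prints one line per finding; returns 0 if nothing blocks the account, 1 otherwise.
check_account() {
    user=$1 passwd_file=$2 shadow_file=$3 nologin_file=$4
    problems=0
    today=$(( $(date +%s) / 86400 ))

    # Every account module starts by resolving the user; a user that exists on one
    # machine but not the other fails here.
    if ! grep -q "^${user}:" "$passwd_file"; then
        echo "FAIL: no entry for $user in $passwd_file"
        problems=1
    fi

    # A passwd entry with no shadow entry (hand-edited passwd, half-finished
    # useradd) makes pam_unix's account check fail; pwconv reconciles the two files.
    shadow_line=$(grep "^${user}:" "$shadow_file" || true)
    if [ -z "$shadow_line" ]; then
        echo "FAIL: no entry for $user in $shadow_file (pwconv reconciles passwd with shadow)"
        problems=1
    else
        # shadow field 8 is the account expiry in days since 1970-01-01; once it is
        # in the past pam_unix denies the account however the user authenticated.
        expire=$(printf '%s\n' "$shadow_line" | cut -d: -f8)
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            echo "FAIL: $user expired on day $expire (today is day $today); see chage -E"
            problems=1
        fi
    fi

    # pam_nologin refuses every non-root login while /etc/nologin exists, even an empty one.
    if [ -e "$nologin_file" ]; then
        echo "FAIL: $nologin_file exists; pam_nologin blocks non-root logins"
        problems=1
    fi

    [ "$problems" -eq 0 ] && echo "OK: nothing in passwd/shadow/nologin blocks $user"
    return "$problems"
}

# Constructed sample data: the passwd line is the one from the question; the
# shadow lines are made up (useradd without a password leaves '!' as the hash).
demo=$(mktemp -d)
printf 'golden:x:1001:1001::/home/golden:/bin/bash\n' > "$demo/passwd"
printf 'golden:!:17150:0:99999:7:::\n'      > "$demo/shadow.ok"       # present, no expiry
: > "$demo/shadow.missing"                                            # never added to shadow
printf 'golden:!:17150:0:99999:7::17200:\n' > "$demo/shadow.expired"  # expired early 2017
for s in ok missing expired; do
    echo "== shadow.$s"
    check_account golden "$demo/passwd" "$demo/shadow.$s" "$demo/nologin" || true
done
```

The checks are ordered the way the answers' causes were found: existence first, then shadow, then nologin, so the first FAIL line is usually the one to act on. Locked password hashes ("!" or "*") are deliberately not reported, since a locked password alone does not stop key-based logins.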
-3

Please add the following in /etc/security/access.conf:

-:ALL:EXCEPT root 
4
  • 3
    Welcome to Unix.SE! Could you edit your answer to explain how it’s better than the existing answers? Commented Jan 8, 2019 at 15:04
  • @StephenKitt I tried both the above answers, but they didn't work for me. When I added -:ALL:EXCEPT root in /etc/security/access.conf, it started working. Commented Jan 8, 2019 at 19:55
  • Please try to restart winbindd and oddjobd. Hope it will help. Thanks, Commented Jan 8, 2019 at 20:31
  • 3
    @IRSHADAHMEDMOHAMMED Can you explain why it worked and what other security-related consequences this would have? Commented Oct 24, 2019 at 21:10
