Access denied by PAM account configuration despite configured access.conf and updated /etc/shadow

I've been setting up a PAM configuration for sshd, and as of now /etc/pam.d/sshd stands like this:

# Custom PAM config for sshd
# Disallow login if /etc/nologin exists, inherited from old sshd config
account required pam_nologin.so
# SELinux rule. Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Check username and password with custom binary
auth [success=ok default=bad] pam_exec.so expose_authtok /usr/bin/ssh-hash-checker
# Set the loginuid process attribute. Inherited from old sshd
session required pam_loginuid.so
# Create a new session keyring. Inherited from old sshd
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown. Inherited from old sshd
@include common-session
# MOTD. Inherited from old sshd
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Mail. Inherited from old sshd
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf. Inherited from old sshd
session required pam_limits.so
# PAM Env. Inherited from old sshd
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well. Inherited from old sshd
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# Another SELinux Rule Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open

As of now I have tested the custom binary that checks user and password, and it seems to work alright, as the password is rejected without any further issue when the given login is incorrect, as I can tell from the systemctl status report.

However, on a valid login attempt, I get the following log in systemctl status:fatal: Access denied for user <redacted> by PAM account configuration [preauth]

Upon googling the issue, I found that this is often caused by a misconfigured access.conf, so this is the current contents of /etc/security/access.conf:

# Many lines of comments at the top...
# Allow root to login from wherever
+:root:ALL
# Allow <redacted> to login to SSH through PAM
+:<redacted>:ALL
# Deny access to everyone else from anywhere else
-:ALL:ALL

I have not changed any user passwords recently, and never manually modified neither /etc/shadow nor /etc/passwd.

Any idea what this could be, or any further debugging steps I could take?

1 Answer

Found the answer after a lot of searching. For some reason I do not yet understand, the pam_nologin.so module has been denying access despite the /etc/nologin file not actually existing. I'll search for further answers on how to make this mechanism work properly, and post a link to the second question if and when I find a definitive answer.

Edit: The new question

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like