Score:0

Access denied by PAM account configuration despite configured access.conf and updated /etc/shadow

fr flag

I've been setting up a PAM configuration for sshd, and as of now /etc/pam.d/sshd stands like this:

# Custom PAM config for sshd

# Disallow login if /etc/nologin exists, inherited from old sshd config
account required    pam_nologin.so

# SELinux rule. Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so close

# Check username and password with custom binary
auth    [success=ok default=bad]    pam_exec.so expose_authtok /usr/bin/ssh-hash-checker

# Set the loginuid process attribute. Inherited from old sshd
session required    pam_loginuid.so

# Create a new session keyring. Inherited from old sshd
session optional    pam_keyinit.so force revoke

# Standard Un*x session setup and teardown. Inherited from old sshd
@include common-session

# MOTD. Inherited from old sshd
session optional    pam_motd.so  motd=/run/motd.dynamic
session optional    pam_motd.so noupdate

# Mail. Inherited from old sshd
session optional    pam_mail.so standard noenv

# Set up user limits from /etc/security/limits.conf. Inherited from old sshd
session required    pam_limits.so

# PAM Env. Inherited from old sshd
session required    pam_env.so # [1]

# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well. Inherited from old sshd
session required    pam_env.so user_readenv=1 envfile=/etc/default/locale

# Another SELinux Rule Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad]    pam_selinux.so  open

As of now I have tested the custom binary that checks user and password, and it seems to work alright, as the password is rejected without any further issue when the given login is incorrect, as I can tell from the systemctl status report.

However, on a valid login attempt, I get the following log in systemctl status: fatal: Access denied for user <redacted> by PAM account configuration [preauth]

Upon googling the issue, I found that this is often caused by a misconfigured access.conf, so this is the current contents of /etc/security/access.conf:

# Many lines of comments at the top...

# Allow root to login from wherever
+:root:ALL

# Allow <redacted> to login to SSH through PAM
+:<redacted>:ALL

# Deny access to everyone else from anywhere else
-:ALL:ALL

I have not changed any user passwords recently, and never manually modified neither /etc/shadow nor /etc/passwd.

Any idea what this could be, or any further debugging steps I could take?

Score:0
fr flag

Found the answer after a lot of searching. For some reason I do not yet understand, the pam_nologin.so module has been denying access despite the /etc/nologin file not actually existing. I'll search for further answers on how to make this mechanism work properly, and post a link to the second question if and when I find a definitive answer.

Edit: The new question

Post an answer

Most people don’t grasp that asking a lot of questions unlocks learning and improves interpersonal bonding. In Alison’s studies, for example, though people could accurately recall how many questions had been asked in their conversations, they didn’t intuit the link between questions and liking. Across four studies, in which participants were engaged in conversations themselves or read transcripts of others’ conversations, people tended not to realize that question asking would influence—or had influenced—the level of amity between the conversationalists.