Access denied for a particular user by PAM account configuration

I am trying to set up a passwordless login from machineA to machineB for my user david, which already exists. This is what I did to generate the authentication keys:

[email protected]:~$ ssh-keygen -t rsa
........

[email protected]:~$ ssh-keygen -t rsa
........

After that I copied the id_rsa.pub key (/home/david/.ssh/id_rsa.pub) of machineA into the machineB authorized_keys file (/home/david/.ssh/authorized_keys).

And then I went back to the machineA login screen and ran the below command and it worked fine without any issues. So I was able to log in to machineB as the david user without being asked for any password.

Question:

Now I created a new user on both machineA and machineB by running only this command: useradd golden. And now I want to ssh passwordless from this golden user into machineB from machineA. I did the exact same steps as above but it doesn’t work.

[email protected]:~$ sudo su - golden
[email protected]:~$ ssh-keygen -t rsa
........

[email protected]:~$ sudo su - golden
[email protected]:~$ ssh-keygen -t rsa
........

And then I copied id_rsa.pub key /home/golden/.ssh/id_rsa.pub for golden user from machineA to machineB authorized_keys file /home/golden/.ssh/authorized_keys. And when I try to ssh, it gives me:

[email protected]:~$ ssh [email protected]
Connection closed by 23.14.23.10

What is wrong? It fails only for the golden user, which I created manually through the useradd command. I am running Ubuntu 14.04. Are there any settings that I need to enable for this user that I created manually?

In the machineB auth.log file, below is what I see when I run the command ssh -vvv [email protected] from machineA to log in:

Jan  3 17:56:59 machineB sshd[25664]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan  3 17:56:59 machineB sshd[25664]: pam_access(sshd:account): access denied for user `golden' from `machineA'
Jan  3 17:56:59 machineB sshd[25664]: pam_sss(sshd:account): Access denied for user golden: 10 (User not known to the underlying authentication module)
Jan  3 17:56:59 machineB sshd[25664]: fatal: Access denied for user golden by PAM account configuration [preauth]

Is there anything I am missing? Below is what my directory structure looks like:

[email protected]:~$ pwd
/home/golden
[email protected]:~$ ls -lrtha
total 60K
-rw------- 1 golden golden  675 Nov 22 12:26 .profile
-rw------- 1 golden golden 3.6K Nov 22 12:26 .bashrc
-rw------- 1 golden golden  220 Nov 22 12:26 .bash_logout
drwxrwxr-x 2 golden golden 4.0K Nov 22 12:26 .parallel
drwxr-xr-x 2 golden golden 4.0K Nov 22 12:34 .vim
drwxr-xr-x 7 root     root     4.0K Dec 22 11:56 ..
-rw------- 1 golden golden  17K Jan  5 12:51 .viminfo
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
drwx------ 5 golden golden 4.0K Jan  5 12:51 .
-rw------- 1 golden golden 5.0K Jan  5 13:14 .bash_history


[email protected]:~$ pwd
/home/golden
[email protected]:~$ ls -lrtha
total 56K
-rw------- 1 golden golden  675 Dec 22 15:10 .profile
-rw------- 1 golden golden 3.6K Dec 22 15:10 .bashrc
-rw------- 1 golden golden  220 Dec 22 15:10 .bash_logout
drwxr-xr-x 7 root     root     4.0K Jan  4 16:43 ..
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
-rw------- 1 golden golden 9.9K Jan  5 12:59 .viminfo
drwx------ 6 golden golden 4.0K Jan  5 12:59 .
-rw------- 1 golden golden 4.6K Jan  5 13:10 .bash_history

Update:

In machineA:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash

In machineB:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash

Answer

The issue is with the PAM stack configuration. Your host is configured with pam_access, and the default configuration does not allow external/SSH access for the new user golden, even though your keys are set up properly.

Adding the golden user to /etc/security/access.conf as below fixed the issue.

+:golden:ALL

To see more information, read man access.conf, which explains each field of this file. Look at the examples section to understand the order and meanings of LOCAL, ALL, etc.
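
Why the position of the +:golden:ALL line in /etc/security/access.conf matters, shown as an added example that is not part of the original answer: a simplified Python model of pam_access's first-match evaluation. It handles only the ALL keyword and literal names, and the sample file contents are constructed, since the poster's real access.conf is not shown.

```python
# Simplified model of pam_access rule matching (added example, not pam_access
# itself). Handles only the ALL keyword and literal user/origin names; groups,
# networks, LOCAL and EXCEPT are left out.

def parse(conf_text):
    """Return [(permission, users, origins), ...] from access.conf text."""
    rules = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field: {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def _matches(tokens, value):
    return any(tok in ("ALL", value) for tok in tokens)

def decide(rules, user, origin):
    """First matching line decides; if no line matches, access is granted."""
    for perm, users, origins in rules:
        if _matches(users, user) and _matches(origins, origin):
            return perm == "+"
    return True

# Constructed sample: the poster's real access.conf is not shown on the page.
BASE = "+:root:ALL\n+:david:ALL\n-:ALL:ALL\n"
APPENDED = BASE + "+:golden:ALL\n"            # new line after the catch-all deny
BEFORE_DENY = BASE.replace("-:ALL:ALL", "+:golden:ALL\n-:ALL:ALL")

if __name__ == "__main__":
    for name, conf in [("base", BASE), ("appended", APPENDED),
                       ("before deny", BEFORE_DENY)]:
        ok = decide(parse(conf), "golden", "machineA")
        print(f"{name:12} golden from machineA -> {'allow' if ok else 'deny'}")
```

An allow line appended below a catch-all deny such as -:ALL:ALL is never reached, so the new entry has to sit above it.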
