Access denied for a particular user by PAM account configuration

I am trying to set up a passwordless login from machineA to machineB for my user david, which already exists. This is what I did to generate the authentication keys:

david@machineA:~$ ssh-keygen -t rsa
........

david@machineB:~$ ssh-keygen -t rsa
........

After that I copied id_rsa.pub (/home/david/.ssh/id_rsa.pub) key of machineA into machineB authorized_keys file (/home/david/.ssh/authorized_keys) key.

And then I went back to machineA login screen and ran below command and it worked fine without any issues. So I was able to login into machineB as david user without asking for any password.

david@machineA:~$ ssh david@machineB

Question:

Now I created a new user on both machineA and machineB by running only this command: useradd golden. And now I want to ssh passwordless as this golden user into machineB from machineA. I did the exact same steps as above but it doesn’t work.

david@machineA:~$ sudo su - golden
golden@machineA:~$ ssh-keygen -t rsa
........

david@machineB:~$ sudo su - golden
golden@machineB:~$ ssh-keygen -t rsa
........

And then I copied id_rsa.pub key /home/golden/.ssh/id_rsa.pub for golden user from machineA to machineB authorized_keys file /home/golden/.ssh/authorized_keys. And when I try to ssh, it gives me:

golden@machineA:~$ ssh golden@machineB
Connection closed by 23.14.23.10

What is wrong? It doesn’t work only for the golden user, which I created manually through this command, useradd. I am running Ubuntu 14.04. Are there any settings that I need to enable for this manual user which I created?

In the machineB auth.log file, below is what I am seeing when I run this command from machineA, ssh -vvv golden@machineB, to log in:

Jan  3 17:56:59 machineB sshd[25664]: error: Could not load host key: /etc/ssh/ssh_host_ed25519_key
Jan  3 17:56:59 machineB sshd[25664]: pam_access(sshd:account): access denied for user `golden' from `machineA'
Jan  3 17:56:59 machineB sshd[25664]: pam_sss(sshd:account): Access denied for user golden: 10 (User not known to the underlying authentication module)
Jan  3 17:56:59 machineB sshd[25664]: fatal: Access denied for user golden by PAM account configuration [preauth]

Is there anything I am missing? Below is how my directory structure looks:

golden@machineA:~$ pwd
/home/golden
golden@machineA:~$ ls -lrtha
total 60K
-rw------- 1 golden golden  675 Nov 22 12:26 .profile
-rw------- 1 golden golden 3.6K Nov 22 12:26 .bashrc
-rw------- 1 golden golden  220 Nov 22 12:26 .bash_logout
drwxrwxr-x 2 golden golden 4.0K Nov 22 12:26 .parallel
drwxr-xr-x 2 golden golden 4.0K Nov 22 12:34 .vim
drwxr-xr-x 7 root     root     4.0K Dec 22 11:56 ..
-rw------- 1 golden golden  17K Jan  5 12:51 .viminfo
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
drwx------ 5 golden golden 4.0K Jan  5 12:51 .
-rw------- 1 golden golden 5.0K Jan  5 13:14 .bash_history


golden@machineB:~$ pwd
/home/golden
golden@machineB:~$ ls -lrtha
total 56K
-rw------- 1 golden golden  675 Dec 22 15:10 .profile
-rw------- 1 golden golden 3.6K Dec 22 15:10 .bashrc
-rw------- 1 golden golden  220 Dec 22 15:10 .bash_logout
drwxr-xr-x 7 root     root     4.0K Jan  4 16:43 ..
drwx------ 2 golden golden 4.0K Jan  5 12:51 .ssh
-rw------- 1 golden golden 9.9K Jan  5 12:59 .viminfo
drwx------ 6 golden golden 4.0K Jan  5 12:59 .
-rw------- 1 golden golden 4.6K Jan  5 13:10 .bash_history

Update:

In machineA:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash

In machineB:

cat /etc/passwd | grep golden
golden:x:1001:1001::/home/golden:/bin/bash

Answer

The issue is with the PAM stack configuration. Your host is configured with pam_access and the default configuration is not allowing external/SSH access for the new user golden, even though your keys are set up properly.

Adding golden user into /etc/security/access.conf as below fixed the issue.

+:golden:ALL

To see more information, read man access.conf, which explains each field of this file. Look at the examples section to understand the order and the meanings of LOCAL, ALL, etc.
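
Why the position of the +:golden:ALL line matters, shown with a simplified model of pam_access's first-match evaluation. This is an added example, not part of the original answer and not PAM's own code; the sample policy is constructed (the page does not show machineB's real access.conf), and the model handles only literal names, ALL and EXCEPT.

```python
# Simplified model of pam_access rule evaluation (added example, not PAM source).
# Handles only literal user/origin names, ALL and EXCEPT; groups, LOCAL,
# netgroups and network matching are deliberately left out.

def parse_rules(text):
    """Parse 'permission:users:origins' lines, skipping blanks and comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        if perm not in ("+", "-"):
            raise ValueError(f"bad permission field in {raw!r}")
        rules.append((perm, users.split(), origins.split()))
    return rules

def matches(tokens, value):
    """True if value matches the token list; 'a b EXCEPT c' excludes c."""
    if "EXCEPT" in tokens:
        i = tokens.index("EXCEPT")
        return matches(tokens[:i], value) and not matches(tokens[i + 1:], value)
    return any(tok in ("ALL", value) for tok in tokens)

def check_access(rules, user, origin):
    """The first rule matching (user, origin) decides; no match grants access."""
    for perm, users, origins in rules:
        if matches(users, user) and matches(origins, origin):
            return perm == "+"
    return True

# Constructed sample policy: only root and david are allowed, everyone else denied.
BASE = "+:root david:ALL\n-:ALL:ALL\n"
FIX = "+:golden:ALL\n"   # the line from the answer

def demo():
    """Return (original, fix appended, fix placed first) for golden@machineA."""
    before = check_access(parse_rules(BASE), "golden", "machineA")
    appended = check_access(parse_rules(BASE + FIX), "golden", "machineA")
    first = check_access(parse_rules(FIX + BASE), "golden", "machineA")
    return before, appended, first

if __name__ == "__main__":
    for label, ok in zip(("original", "fix appended", "fix first"), demo()):
        print(f"{label:13} golden from machineA -> {'granted' if ok else 'denied'}")
```

With a catch-all deny such as -:ALL:ALL in the file, the golden line only takes effect when it sits above that deny, which is the ordering the man page examples illustrate.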
