fatal: Access denied for user by PAM account configuration

Written by - 3 comments

Published on - Listed in Linux Security

Today I got a strange ssh problem which got me scratching my head a couple of times. 

On a CentOS 5 server I tried to use a ssh key exchange for a ssh login. The key was correctly installed and the permissions on .ssh and the authorized_keys file were set correctly.

But as soon as I tried to log in from the remote machine, I got the following error:

$ ssh nagios@centosmachine
Connection closed by centosmachine

On the centosmachine, I followed the logs and in /var/log/secure the following error messages were logged:

Jul 29 08:24:14 centosmachine sshd[9827]: pam_access(sshd:account): access denied for user `nagios' from `nagiosserver'
Jul 29 08:24:14 centosmachine sshd[9828]: fatal: Access denied for user nagios by PAM account configuration

At first I expected a missing "AllowUsers" entry in /etc/ssh/sshd_config, but there were no such entries, meaning all local users should be allowed. I also tested if I could locally switch to the nagios user and simulate a login, which was working fine. So there are no permission problems on the home directory either.

Eventualy I came across a blog entry on andyhan.net. It seems that he had a similar issue a while ago and he pointed me to the correct file: /etc/security/access.conf.

I compared this file with other CentOS servers to which nagios was able to connect to and indeed, there was the following line missing:

+ : nagios : nagiosserver

As soon as I added this line, therefore allowing the nagios user from nagiosserver, the nagios user was able to connect via ssh again.

Add a comment

Show form to leave a comment

Comments (newest first)

Maxy from wrote on Jun 29th, 2016:

Thanks mate, this helped me to fix my issue.

Timo from wrote on Apr 6th, 2016:

Thanks, this was EXACTLY my issue with a Ubuntu 14.04 VM.

adastra from wrote on Feb 25th, 2016:

Thanks for this, it saved me some time!

RSS feed

Blog Tags:

  AWS   Android   Ansible   Apache   Apple   Atlassian   BSD   Backup   Bash   Bluecoat   CMS   Chef   Cloud   Coding   Consul   Containers   CouchDB   DB   DNS   Database   Databases   Docker   ELK   Elasticsearch   Filebeat   FreeBSD   Galera   Git   GlusterFS   Grafana   Graphics   HAProxy   HTML   Hacks   Hardware   Icinga   Influx   Internet   Java   KVM   Kibana   Kodi   Kubernetes   LVM   LXC   Linux   Logstash   Mac   Macintosh   Mail   MariaDB   Minio   MongoDB   Monitoring   Multimedia   MySQL   NFS   Nagios   Network   Nginx   OSSEC   OTRS   Office   PGSQL   PHP   Perl   Personal   PostgreSQL   Postgres   PowerDNS   Proxmox   Proxy   Python   Rancher   Rant   Redis   Roundcube   SSL   Samba   Seafile   Security   Shell   SmartOS   Solaris   Surveillance   Systemd   TLS   Tomcat   Ubuntu   Unix   VMWare   VMware   Varnish   Virtualization   Windows   Wireless   Wordpress   Wyse   ZFS   Zoneminder   

Update cookies preferences