fatal: Access denied for user by PAM account configuration


Today I got a strange ssh problem which got me scratching my head a couple of times. 

On a CentOS 5 server I tried to use an ssh key exchange for an ssh login. The key was correctly installed and the permissions on .ssh and the authorized_keys file were set correctly.

But as soon as I tried to log in from the remote machine, I got the following error:

$ ssh nagios@centosmachine
Connection closed by centosmachine

On the centosmachine, I followed the logs and in /var/log/secure the following error messages were logged:

Jul 29 08:24:14 centosmachine sshd[9827]: pam_access(sshd:account): access denied for user `nagios' from `nagiosserver'
Jul 29 08:24:14 centosmachine sshd[9828]: fatal: Access denied for user nagios by PAM account configuration

At first I expected a missing "AllowUsers" entry in /etc/ssh/sshd_config, but there were no such entries, meaning all local users should be allowed. I also tested if I could locally switch to the nagios user and simulate a login, which was working fine. So there were no permission problems on the home directory either.

Eventually I came across a blog entry on andyhan.net. It seems that he had a similar issue a while ago and he pointed me to the correct file: /etc/security/access.conf.

I compared this file with other CentOS servers to which nagios was able to connect and indeed, there was the following line missing:

+ : nagios : nagiosserver

As soon as I added this line, therefore allowing the nagios user from nagiosserver, the nagios user was able to connect via ssh again.
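
The added line only takes effect if it is reached before any broader deny rule, because pam_access uses the first entry that matches the user and origin. The sketch below is an added example, not code from the original post: it models only ALL, EXCEPT, literal names and ".domain" suffixes (no groups, netgroups, LOCAL or network ranges), and the access.conf contents in it are constructed samples.

```python
# Simplified model of pam_access rule evaluation (added example).
# Handles ALL, EXCEPT, literal names and ".domain" suffixes only.

def parse_rules(text):
    """Return (permission, users, origins) for each non-comment line."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(":", 2)]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            raise ValueError("malformed rule: %r" % raw)
        rules.append((fields[0], fields[1].split(), fields[2].split()))
    return rules

def token_matches(token, value):
    if token.upper() == "ALL":
        return True
    if token.startswith("."):  # domain suffix such as .example.org
        return value.lower().endswith(token.lower())
    return token.lower() == value.lower()

def list_matches(tokens, value):
    """True if a token before EXCEPT matches and no token after it does."""
    upper = [t.upper() for t in tokens]
    cut = upper.index("EXCEPT") if "EXCEPT" in upper else len(tokens)
    head, tail = tokens[:cut], tokens[cut + 1:]
    if not any(token_matches(t, value) for t in head):
        return False
    return not (tail and list_matches(tail, value))

def decide(rules, user, origin):
    """First matching rule wins; with no match, access is granted."""
    for number, (perm, users, origins) in enumerate(rules, 1):
        if list_matches(users, user) and list_matches(origins, origin):
            return perm == "+", number
    return True, None

# Constructed sample, not the access.conf from the post.
BEFORE = "+ : root : ALL\n- : ALL : ALL\n"
FIXED = "+ : root : ALL\n+ : nagios : nagiosserver\n- : ALL : ALL\n"
APPENDED = BEFORE + "+ : nagios : nagiosserver\n"  # rule placed too late

if __name__ == "__main__":
    for name, conf in (("before", BEFORE), ("fixed", FIXED), ("appended", APPENDED)):
        allowed, rule = decide(parse_rules(conf), "nagios", "nagiosserver")
        print("%-8s allowed=%s matched_rule=%s" % (name, allowed, rule))
```

In the "appended" case the allow line sits after the catch-all deny and never gets evaluated, so the login is still refused.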


Comments (newest first)

Maxy wrote on Jun 29th, 2016:

Thanks mate, this helped me to fix my issue.

Timo wrote on Apr 6th, 2016:

Thanks, this was EXACTLY my issue with an Ubuntu 14.04 VM.

adastra wrote on Feb 25th, 2016:

Thanks for this, it saved me some time!