Troubleshooting “Access denied by PAM account configuration” for Specific SSH Users on Linux

When an SSH login fails with Access denied for user [username] by PAM account configuration [preauth] while other users authenticate successfully, the failure is in PAM's account stack for that one user, not in key exchange or key matching: sshd asked PAM (Pluggable Authentication Modules) whether the account is permitted to log in, and a module in the account stack refused. The [preauth] tag only marks which sshd process logged the message.

# Sample error from auth.log
Sep 18 17:21:04 hostname sshd[18942]: fatal: Access denied for user tbbscraper by PAM account configuration [preauth]

The problem exhibits these characteristics:

  • Only affects specific users (tbbscraper) while others work (admin)
  • Both users have identical permissions and authorized_keys setup
  • Manually switching users via su shows similar authentication failures
  • No obvious PAM configuration differences in /etc/security/*.conf

First, examine the PAM stack for SSH authentication:

# Check the PAM configuration for SSH
cat /etc/pam.d/sshd

# Common lines to look for:
account    required     pam_access.so
account    required     pam_time.so

The pam_access.so module might be restricting access through /etc/security/access.conf:

# Check for user-specific restrictions
grep -E "tbbscraper|admin" /etc/security/access.conf

Check if the account is locked or expired:

# Check account status
passwd -S tbbscraper
chage -l tbbscraper

# Compare with working account
passwd -S admin

On systems with SELinux enabled, check the context of the user's home directory:

# Verify SELinux context
ls -Z /home/tbbscraper
ls -Z /home/tbbscraper/.ssh

The account might be locked in /etc/shadow:

# Check shadow entry
grep tbbscraper /etc/shadow

# Example of locked account (notice the ! before password hash)
tbbscraper:!$6$...:...

Verify the user's shell is set correctly in /etc/passwd:

# Check shell configuration
grep tbbscraper /etc/passwd

# Correct configuration should point to a valid shell
tbbscraper:x:1001:1001::/home/tbbscraper:/bin/bash

Enable debug logging for PAM to get more details:

# Edit /etc/pam.d/sshd (on Debian the module lines live in the @included
# common-auth and common-account files) and append "debug" as a module
# argument; "debug" is not a control value and cannot replace required/sufficient
auth       required     pam_unix.so debug
account    required     pam_access.so debug

If all else fails, recreate the user account while preserving their home directory:

# Backup current user configuration
cp -a /home/tbbscraper /home/tbbscraper_backup

# Remove and recreate the user
userdel tbbscraper
useradd -m -d /home/tbbscraper -s /bin/bash tbbscraper
chown -R tbbscraper:tbbscraper /home/tbbscraper

After implementing any changes, always test with:

ssh -vvv tbbscraper@hostname

When attempting to SSH into a Debian 7.1 EC2 instance, I encountered a puzzling scenario where public key authentication worked for the admin user but failed for tbbscraper with the following error:

Sep 18 17:21:04 hostname sshd[18942]: fatal: Access denied for user tbbscraper by PAM account configuration [preauth]

Key observations:

  • Identical authorized_keys files for both users (confirmed via cmp)
  • Proper directory permissions (700 for .ssh, 600 for authorized_keys)
  • Same authentication method (publickey) offered for both users

The su - behavior provided a crucial clue:

root@host# su - tbbscraper
su: Authentication failure
(Ignored)
tbbscraper@host$

This pointed to PAM configuration rather than SSH-specific issues. Key files to examine:

/etc/pam.d/sshd
/etc/pam.d/common-auth
/etc/pam.d/common-account
/etc/nologin
/etc/security/access.conf

First, verify the account's basic status:

# Check account expiration
chage -l tbbscraper

# Verify shell accessibility
grep tbbscraper /etc/passwd

# Check for account locks
passwd -S tbbscraper

The root cause was found in /etc/security/access.conf, which contained:

- : ALL EXCEPT root admin : ALL

This explains why only admin and root could authenticate: pam_access stops at the first rule that matches, and this one denies every user except root and admin from every origin, so tbbscraper was refused in the account phase even though the key itself was valid. The solution was to add tbbscraper to the exception list:

- : ALL EXCEPT root admin tbbscraper : ALL

For deeper diagnostics, enable PAM debugging:

# In /etc/pam.d/sshd (or the common-* files it @includes on Debian), keep each
# line's existing control field and append the "debug" module argument to the
# module line of each stack to trace; "debug" alone, with no module, is a syntax error
auth       required     pam_unix.so debug
account    required     pam_access.so debug
password   required     pam_unix.so debug
session    required     pam_unix.so debug

Then check syslog for detailed PAM decision-making:

tail -f /var/log/auth.log

If modifying access.conf isn't desirable, consider these approaches:

1. Point sshd at its own pam_access file, leaving the global access.conf untouched:
# /etc/pam.d/sshd
# use "required", not "sufficient": a sufficient line that succeeds would skip
# the remaining account checks (expiry, locks) in common-account
account    required   pam_access.so accessfile=/etc/security/ssh_access.conf

2. Use group-based access control (parentheses mark a group name in access.conf):
- : ALL EXCEPT root admin (group_name) : ALL
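To sanity-check an access.conf rule before editing the live file, here is an added Python evaluator (not part of the original post, and not the real pam_access module) that applies pam_access's first-match semantics to the rule that caused the error, the corrected rule, and the group-based variant; the group name sshusers, the sample users and the sample origin address are assumptions.

```python
# Simplified evaluator for pam_access access.conf rules (constructed example;
# not the real pam_access module). Not modelled: LOCAL, netgroups, CIDR origins.

def parse_access_conf(text):
    """Parse access.conf text into (permission, users, origins) rule tuples."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line:
            continue
        perm, users, origins = (f.strip() for f in line.split(":", 2))
        rules.append((perm, users.split(), origins.split()))
    return rules

def _matches(items, value, groups=()):
    """True if value matches any item: ALL, an exact name, or '(group)'."""
    for item in items:
        if item == "ALL" or item == value:
            return True
        if item.startswith("(") and item.endswith(")") and item[1:-1] in groups:
            return True
    return False

def _field_matches(items, value, groups=()):
    """Handle 'a b EXCEPT c d': match the left part and not the right part."""
    if "EXCEPT" in items:
        i = items.index("EXCEPT")
        return (_matches(items[:i], value, groups)
                and not _matches(items[i + 1:], value, groups))
    return _matches(items, value, groups)

def is_allowed(rules, user, groups, origin="192.0.2.10"):
    """First matching rule decides; with no match pam_access grants access."""
    for perm, users, origins in rules:
        if _field_matches(users, user, groups) and _field_matches(origins, origin):
            return perm == "+"
    return True

# Constructed samples: the rule that caused the error, the corrected rule, and
# the group-based variant with an assumed group name "sshusers".
BROKEN_CONF = "- : ALL EXCEPT root admin : ALL\n"
FIXED_CONF = "- : ALL EXCEPT root admin tbbscraper : ALL\n"
GROUP_CONF = "- : ALL EXCEPT root admin (sshusers) : ALL\n"

if __name__ == "__main__":
    for name, conf in (("broken", BROKEN_CONF), ("fixed", FIXED_CONF)):
        rules = parse_access_conf(conf)
        for user in ("admin", "tbbscraper"):
            print(f"{name}: {user} allowed = {is_allowed(rules, user, [user])}")
```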

After making changes, always:

1. Reload SSHd: service ssh reload (PAM files are re-read on every login, so the reload matters for sshd_config changes)
2. Test locally: ssh -Tvvv tbbscraper@localhost
3. Verify through auth.log