I've been setting up a PAM configuration for sshd, and as of now /etc/pam.d/sshd stands like this:
# Custom PAM config for sshd
# Disallow login if /etc/nologin exists, inherited from old sshd config
account required pam_nologin.so
# SELinux rule. Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so close
# Check username and password with custom binary
auth [success=ok default=bad] pam_exec.so expose_authtok /usr/bin/ssh-hash-checker
# Set the loginuid process attribute. Inherited from old sshd
session required pam_loginuid.so
# Create a new session keyring. Inherited from old sshd
session optional pam_keyinit.so force revoke
# Standard Un*x session setup and teardown. Inherited from old sshd
@include common-session
# MOTD. Inherited from old sshd
session optional pam_motd.so motd=/run/motd.dynamic
session optional pam_motd.so noupdate
# Mail. Inherited from old sshd
session optional pam_mail.so standard noenv
# Set up user limits from /etc/security/limits.conf. Inherited from old sshd
session required pam_limits.so
# PAM Env. Inherited from old sshd
session required pam_env.so # [1]
# In Debian 4.0 (etch), locale-related environment variables were moved to
# /etc/default/locale, so read that as well. Inherited from old sshd
session required pam_env.so user_readenv=1 envfile=/etc/default/locale
# Another SELinux Rule Inherited from old sshd
session [success=ok ignore=ignore module_unknown=ignore default=bad] pam_selinux.so open
As of now I have tested the custom binary that checks user and password, and it seems to work alright, as the password is rejected without any further issue when the given login is incorrect, as I can tell from the systemctl status report.
However, on a valid login attempt, I get the following log in systemctl status:
fatal: Access denied for user <redacted> by PAM account configuration [preauth]
Upon googling the issue, I found that this is often caused by a misconfigured access.conf, so this is the current contents of /etc/security/access.conf:
# Many lines of comments at the top...
# Allow root to login from wherever
+:root:ALL
# Allow <redacted> to login to SSH through PAM
+:<redacted>:ALL
# Deny access to everyone else from anywhere else
-:ALL:ALL
I have not changed any user passwords recently, and have never manually modified either /etc/shadow or /etc/passwd.
Any idea what this could be, or any further debugging steps I could take?
Found the answer after a lot of searching. For some reason I do not yet understand, the pam_nologin.so module has been denying access despite the /etc/nologin file not actually existing. I'll search for further answers on how to make this mechanism work properly, and post a link to the second question if and when I find a definitive answer.
Edit: The new question