Regression in pam_listfile module in RHEL5.9, users cannot login

Solution Unverified - Updated -

Issue

  • This occurred on a RHEL 5.9 system that authenticates via Active Directory. The system uses the latest pam, pam-0.99.6.2.12, and users can no longer ssh into it. Prior to the update, the system had pam-0.99.6.2-6.el5_5.2.
  • The problem does not seem to depend on the number of users in the group, as a test was done with only 2 users.
  • To reproduce:
    1) Configure system with AD or LDAP and enable pam_listfile in /etc/pam.d/sshd to control login
    2) Attempt to log in to the server
    3) From /var/log/secure:

    Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd
    Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration
    
  • Representative /etc/pam.d/sshd file:

    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allow
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

  • Representative groups.allow file:

    [xyz@host1 pam.d]$ cat ../security/groups.allow
    users
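
An added diagnostic sketch, not part of the Red Hat article: it compares the group names NSS resolves for a user against each line of the allow file, which helps separate a group-resolution problem (AD/LDAP) from a problem with the file's contents when the refusal above is logged. The function names, the MATCH/NEAR/MISS output and the exact-line comparison are assumptions of this example; how pam_listfile itself treats whitespace is not stated on the page.

```shell
#!/bin/sh
# Added example (not Red Hat's code). Function names and output format are hypothetical.

# user_groups USER: print the user's group names as NSS resolves them, one per line.
# Resolving each numeric gid separately keeps group names containing spaces intact.
user_groups() {
    for gid in $(id -G "$1" 2>/dev/null); do
        getent group "$gid" | cut -d: -f1
    done
}

# check_allow FILE: read the user's group names on stdin (one per line) and
# compare them with every non-blank line of FILE.
#   MATCH = entry equals a group name exactly
#   NEAR  = entry equals a group name only after trimming surrounding whitespace
#   MISS  = the user is not in that group according to NSS
# Returns 0 if at least one MATCH, 1 if none, 2 if FILE is unreadable.
check_allow() {
    allow_file=$1
    [ -r "$allow_file" ] || { echo "ERROR cannot read $allow_file" >&2; return 2; }
    ugroups=$(cat)
    rc=1
    while IFS= read -r entry || [ -n "$entry" ]; do
        trimmed=$(printf '%s' "$entry" | sed 's/^[[:space:]]*//; s/[[:space:]]*$//')
        [ -n "$trimmed" ] || continue            # skip blank lines
        if printf '%s\n' "$ugroups" | grep -Fxq -- "$entry"; then
            echo "MATCH '$entry'"
            rc=0
        elif printf '%s\n' "$ugroups" | grep -Fxq -- "$trimmed"; then
            echo "NEAR '$entry' (matches only after trimming whitespace)"
        else
            echo "MISS '$entry'"
        fi
    done < "$allow_file"
    return $rc
}

# Usage: script USER [ALLOW_FILE]; the default path is the one in the sshd PAM file above.
if [ "$#" -ge 1 ]; then
    user_groups "$1" | check_allow "${2:-/etc/security/groups.allow}"
fi
```

Invoked with a user name (and optionally the allow-file path), it exits 0 only when at least one entry matches a resolved group exactly.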

Environment

  • Red Hat Enterprise Linux 5.9
  • pam-0.99.6.2.12
