Regression in pam_listfile module in RHEL5.9, users cannot login

Solution Unverified - Updated -

Issue

  • This was on a RHEL 5.9 system that is authenticated via Active Directory. The system uses the latest pam, pam-0.99.6.2.12, and now users cannot ssh into the system. Prior to the update, the system had pam-0.99.6.2-6.el5_5.2.
  • The problem does not seem to involve the number of users in the group, as a test was done with only 2 users.
  • To reproduce:
    1) Configure the system with AD or LDAP and enable pam_listfile in /etc/pam.d/sshd to control login
    2) Attempt to log in to the server
    3) From /var/log/secure:

    Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd
    Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration
    
  • Representative /etc/pam.d/sshd file:

    #%PAM-1.0
    auth       include      system-auth
    account    required     pam_listfile.so onerr=fail item=group sense=allow file=/etc/security/groups.allow
    account    required     pam_nologin.so
    account    include      system-auth
    password   include      system-auth
    session    optional     pam_keyinit.so force revoke
    session    include      system-auth
    session    required     pam_loginuid.so

  • Representative groups.allow file:

    [xyz@host1 pam.d]$ cat ../security/groups.allow
    users

Environment

  • Red Hat Enterprise Linux 5.9
  • pam-0.99.6.2.12
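
To tell a directory lookup problem apart from module behaviour for the refusal shown under Issue, the following added example (not Red Hat's code and not part of the original article) pulls the refused users out of the secure log and compares the groups NSS reports for each with the allow file. The function names are hypothetical, and trimming whitespace from the allow file is an assumption of this example, not a statement about how pam_listfile parses it.

```shell
#!/bin/sh
# Added diagnostic example, not Red Hat's code; function names are hypothetical.

# The two /var/log/secure lines quoted on this page, for an offline run.
sample_log() {
cat <<'EOF'
Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd
Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration
EOF
}

# Print "user service" once for every pam_listfile refusal in log file $1.
refused_users() {
    sed -n 's/.*pam_listfile(\([^:)]*\):[^)]*): Refused user \([^ ]*\) for service.*/\2 \1/p' "$1" | sort -u
}

# Print the group names in allow file $1, without blank lines.
# Assumption: whitespace is trimmed here; pam_listfile's own parsing may differ.
allowed_groups() {
    sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e '/^$/d' "$1"
}

# Succeed if any group in the space-separated list $1 is listed in file $2.
# Limitation: group names containing spaces are not handled.
groups_match() {
    for g in $1; do
        allowed_groups "$2" | grep -Fxq -- "$g" && return 0
    done
    return 1
}

# For each refused user, compare the groups NSS reports with the allow file.
diagnose() {
    refused_users "$1" | while read -r user svc; do
        ugroups=$(id -Gn "$user" 2>/dev/null) || ugroups=
        if [ -z "$ugroups" ]; then
            echo "$user ($svc): NSS returned no groups, check the AD/LDAP lookup"
        elif groups_match "$ugroups" "$2"; then
            echo "$user ($svc): NSS shows an allowed group, yet pam_listfile refused"
        else
            echo "$user ($svc): not in any group listed in $2"
        fi
    done
}

# Usage: sh script.sh /var/log/secure /etc/security/groups.allow
if [ "$#" -eq 2 ]; then diagnose "$1" "$2"; fi
```

A user reported as "NSS shows an allowed group, yet pam_listfile refused" is the case that matches the behaviour described in this article.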
