Regression in pam_listfile module in RHEL5.9, users cannot login

Solution Unverified - Updated -


  • This was on a RHEL 5.9 system that authenticates via Active Directory. The system uses the latest pam - pam- and now users cannot ssh into it. Prior to the update, the system had pam-
  • The problem does not seem to involve the number of users in the group, as a test was done with only 2 users.
  • To reproduce:
    1) Configure system with AD or LDAP and enable pam_listfile in /etc/pam.d/sshd to control login
    2) Attempt to log in to the server
    3) From /var/log/secure:

    Feb 27 13:51:41 host1 sshd[2649]: pam_listfile(sshd:account): Refused user abc for service sshd
    Feb 27 13:51:41 host1 sshd[2649]: fatal: Access denied for user abc by PAM account configuration
  • Representative /etc/pam.d/sshd file:

    auth       include      system-auth
    account    required onerr=fail item=group sense=allow file=/etc/security/groups.allow
    account    required
    account    include      system-auth
    password   include      system-auth
    session    optional force revoke
    session    include      system-auth
    session    required
  • Representative groups.allow file:
    [xyz@host1 pam.d]$ cat ../security/groups.allow


  • Red Hat Enterprise Linux 5.9
  • pam-
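
An added triage sketch, not part of the original article and not Red Hat's code: it pulls the refused users from log lines in the format shown above and checks whether NSS currently resolves any of their groups to an entry in the allow file, which separates refusals the configuration explains from ones it does not. The function names are hypothetical, and it assumes the allow file holds one group name per line, matched exactly.

```shell
#!/bin/sh
# Added diagnostic sketch; function names are hypothetical.

# refused_users LOG: unique users that pam_listfile refused, using the
# /var/log/secure line format quoted in the article.
refused_users() {
    sed -n 's/.*pam_listfile([^)]*): Refused user \([^ ]*\) for service .*/\1/p' "$1" | sort -u
}

# user_groups USER: group names as NSS resolves them, one per line.
# Each GID is resolved separately because AD group names may contain
# spaces, which makes the space-separated output of `id -Gn` ambiguous.
user_groups() {
    for gid in $(id -G "$1" 2>/dev/null); do
        getent group "$gid" | cut -d: -f1
    done
}

# match_allowed ALLOW_FILE: read group names on stdin and print those that
# equal a whole line of ALLOW_FILE (assumption: one group name per line).
# Exit status is 0 only if at least one name matched.
match_allowed() {
    grep -Fx -f "$1"
}

# check_refusals LOG ALLOW_FILE: for each refused user, say whether the
# refusal agrees with the user's current group membership.
check_refusals() {
    for u in $(refused_users "$1"); do
        hit=$(user_groups "$u" | match_allowed "$2" | head -n 1)
        if [ -n "$hit" ]; then
            echo "$u: member of allowed group '$hit'; refusal NOT explained by $2"
        else
            echo "$u: no allowed group resolved; refusal consistent with $2"
        fi
    done
}

# Example: sh this_script /var/log/secure /etc/security/groups.allow
if [ "$#" -eq 2 ]; then
    check_refusals "$1" "$2"
fi
```

A user reported as a member of an allowed group yet still refused points at the module or the name service lookup rather than at the contents of groups.allow.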
