SSH access is getting denied by pam_listfile:pam_listfile(su-l:account): Refused user root for service.

Solution Verified - Updated -

Issue

  • SSSD - KDC reply did not match expectations due to incorrect pam configuration.
#%PAM-1.0
#This file is auto-generated by Ansible.
#User changes will be destroyed the next time authconfig is run.
auth       [success=done ignore=ignore default=die]  pam_securid.so  not_set_pass
auth       substack     password-auth
auth       include      postlogin
auth required pam_listfile.so item=group sense=allow file=/etc/pam.d/groups.allow onerr=fail
account    required     pam_listfile.so onerr=succeed item=user sense=deny  file=/etc/security/access-ssh-deny.conf
account    sufficient   pam_listfile.so onerr=succeed item=user sense=allow file=/etc/security/access-ssh.conf
account    required     pam_sepermit.so
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
#pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
#pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    optional     pam_motd.so motd=/etc/motd_ssh motd_dir=/etc/motd.d
session    include      password-auth

Environment

  • Red Hat Enterprise Linux 7
  • Red Hat Enterprise Linux 8
  • Red Hat Enterprise Linux 9

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content