Problem description
Incorrect PAM configuration on a Linux instance can prevent logon. Check /var/log/secure for the following error messages:
-
requirement "uid >= 1000" not met by user "xxxx" -
user xxxx (0) has 5 failed attempts, failed attempts threshold is 3 -
Refused user xxxx for service sshd
Solution
You must log on to the instance with an administrative account (such as root or a user with sudo privileges) to modify PAM configuration files.
Problem identification
-
Log on to the ECS instance via VNC as an administrator.
-
Go to the ECS console - Instances page. Select your region and resource group.
-
On the instance details page, click Connect and select VNC. Enter the username and password to log on.
-
-
Check the authentication logs for key error messages.
-
The account is locked due to failed attempts : If the log contains
Maximum amount of failed attempts was reached, the account is locked after multiple failed logon attempts. Unlock the account.sudo grep -i "Maximum amount of failed attempts" /var/log/secure -
User logon is restricted: If the log contains
requirement "uid >= 1000" not met by user, a rule prevents users with a UID less than 1000 from logging on. Remove the UID restriction.sudo grep -i "not met by user" /var/log/secure -
User is denylisted : If the log contains
Refused user, this indicates that an allowlist or denylist is controlling user access. The user is either on the denylist or not on the allowlist. You must modify the allowlist or denylist.sudo grep -i "Refused user" /var/log/secure
-
Unlock the account
-
Check the number of failed logon attempts. Replace
<username>with the affected username.sudo pam_tally2 -u <username>If the failed attempt count is greater than 0, the account is locked.
-
Unlock the account.
sudo pam_tally2 -u <username> -r -
(Optional) Disable the locking policy permanently.
Edit
/etc/pam.d/system-authand comment out the rule that containspam_tally2.so.sudo vim /etc/pam.d/system-authThis rule locks both regular and root accounts after three consecutive incorrect password attempts, with automatic unlock after 50 seconds.
auth required pam_tally2.so deny=3 unlock_time=50This example uses the
pam_tally2module. The actual module may vary by PAM version. See the Linux-PAM System Administrators' Guide. -
Log on to the instance again to verify the logon works.
Remove the UID restriction
-
Locate the configuration file.
Find files that contain
pam_succeed_if, such as/etc/pam.d/sshd,/etc/pam.d/login, or/etc/pam.d/system-auth.sudo grep -r "pam_succeed_if" /etc/pam.d/ -
Modify the configuration.
sudo vim /etc/pam.d/sshdComment out the line containing
auth required pam_succeed_if.so uid >= 1000by adding#to the beginning.# auth required pam_succeed_if.so uid >= 1000 -
Log on to the instance again to verify the logon works.
Modify the allowlist or denylist
-
Locate the configuration file.
Find files that contain
pam_listfile, such as/etc/pam.d/sshd,/etc/pam.d/login, or/etc/pam.d/system-auth.sudo grep -r "pam_listfile" /etc/pam.d/ -
Examine the configuration.
sudo vim /etc/pam.d/sshdThe
senseparameter indicates an allowlist (sense=allow) or denylist (sense=deny). Note the file path in thefile=parameter, such as/etc/ssh/whitelistor/etc/ssh/blacklist.# A whitelist is configured. Only users in the whitelist are allowed to log on. auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail # A blacklist is configured. Users in the blacklist are prohibited from logging on. auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail -
Modify the list file.
-
For an allowlist: Add the username on a new line. Save and exit.
sudo vim /etc/ssh/whitelist -
For a denylist: Delete the line that contains the target username. Save and exit.
sudo vim /etc/ssh/blacklist
-
-
Log on to the instance again to verify the logon works.