PAM account management error: Permission denied

Issues related to applications and software problems
ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 15:29:52

Hello,

After upgrading CentOS to 7.6 I can no longer elevate via sudo from an ssh connection.
It is fine on the console but not via ssh.

The error is: PAM account management error: Permission denied

Any ideas?

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 15:51:07

Run aureport -a and check for any entries listed there with the right sort of timestamp. For each of those, if there are any, take the number from the right hand end of the line and plug that into ausearch -a nnnn where nnnn is the number you first thought of. Also check in /var/log/messages and /var/log/secure for more information/errors.
The future appears to be RHEL or Debian. I think I'm going Debian.
Info for USB installs on http://wiki.centos.org/HowTos/InstallFromUSBkey
CentOS 5 and 6 are deadest, do not use them.
Use the FAQ Luke

ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:07:35

/var/log/secure and messages are the first places I went.

messages gives me nothing,
secure gives me access denied, which again is nothing.

ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:08:33

aureport -a has nothing after 2016 in there.

ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:09:42

I do appreciate your help Trevor ..

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 16:16:10

What is the content of the files /etc/pam.d/sudo and sudo-i?

ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 16:42:51

Trevor,

I have two servers, very similar.
I have compared pam.d of the problem server against the not updated server.
Their sums on each file are exactly the same.

The sudo and sudo-i are the same.
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
[root@devsso04 pam.d]# cat sudo-i
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 17:14:59

Both of your files appear to be missing the last line of both of mine.

# cat  /etc/pam.d/sudo-i 
#%PAM-1.0
auth       include      sudo
account    include      sudo
password   include      sudo
session    optional     pam_keyinit.so force revoke
session    required     pam_limits.so
session    include      sudo

# cat  /etc/pam.d/sudo
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth

Oh, and both my files appear to be unaltered from the copy supplied by the rpm. If I run rpm -Vf /etc/pam.d/sudo it reports the only mismatching file is /etc/sudoers for me.
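
The file comparison in the post above, as an added example that is not part of the original thread: a shell function that prints the PAM stack lines a reference file has and another file lacks, ignoring column spacing. The function names and temporary file names are assumptions; the sample contents are the `/etc/pam.d/sudo` listings from the two posts above.

```shell
#!/bin/sh
# Added example (not from the thread): list PAM stack lines that a reference
# service file has and a candidate lacks, ignoring column alignment.

# Strip comments and blank lines, squeeze runs of whitespace to one space.
pam_normalise() {
    sed -e 's/#.*$//' -e 's/[[:space:]][[:space:]]*/ /g' \
        -e 's/^ //' -e 's/ $//' -e '/^$/d' "$1"
}

# Print each normalised line of $1 (reference) that is absent from $2.
pam_missing_lines() {
    cand_norm=$(mktemp) || return 2
    pam_normalise "$2" > "$cand_norm"
    # grep exits 1 when nothing is missing; that is not an error here.
    pam_normalise "$1" | grep -vxF -f "$cand_norm" || true
    rm -f "$cand_norm"
}

# Constructed sample files; contents copied from the two posts above.
write_samples() {
    cat > "$1/sudo.reference" <<'EOF'
#%PAM-1.0
auth       include      system-auth
account    include      system-auth
password   include      system-auth
session    optional     pam_keyinit.so revoke
session    required     pam_limits.so
session    include      system-auth
EOF
    cat > "$1/sudo.candidate" <<'EOF'
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
EOF
}

tmp=$(mktemp -d)
write_samples "$tmp"
pam_missing_lines "$tmp/sudo.reference" "$tmp/sudo.candidate"
rm -rf "$tmp"
```

Because whitespace is normalised first, the differently spaced listings compare equal line for line and only the absent `session include` entry is printed.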

ccheltenham
Posts: 12
Joined: 2018/12/05 15:21:23

Re: PAM account management error: Permission denied

Post by ccheltenham » 2018/12/05 17:43:31

Trevor-
Those files now look like this -
However no cigar.
I'm sorry.

[ccheltenham-ext@devsso03 ~]$ cat /etc/pam.d/sudo
#%PAM-1.0
auth include system-auth
account include system-auth
password include system-auth
session optional pam_keyinit.so revoke
session required pam_limits.so
session include system-auth
[ccheltenham-ext@devsso03 ~]$ cat /etc/pam.d/sudo-i
#%PAM-1.0
auth include sudo
account include sudo
password include sudo
session optional pam_keyinit.so force revoke
session required pam_limits.so
session include sudo


Running Rpm -
[ccheltenham-ext@devsso03 ~]$ rpm -Vr /etc/pam.d/sudo
rpm: no arguments given for verify
[ccheltenham-ext@devsso03 ~]$ rpm -Vr /etc/pam.d/sudo-i
rpm: no arguments given for verify

Again, I really appreciate your input.
If nothing else I feel better that I am at least pretty much thinking the same way you are.

The error in /var/log/secure says PAM account manager error:Permission denied
I even set everything in /etc/pam.d to 777 recursively.

This is really odd.


Thanks again but still get the same error.

TrevorH
Site Admin
Posts: 33216
Joined: 2009/09/24 10:40:56
Location: Brighton, UK

Re: PAM account management error: Permission denied

Post by TrevorH » 2018/12/05 18:28:33

> [ccheltenham-ext@devsso03 ~]$ rpm -Vr /etc/pam.d/sudo
> rpm: no arguments given for verify

It's rpm -Vf not rpm -Vr

> I even set everything in /etc/pam.d to 777 recursively.

No, that's a really bad idea. It's not the file in /etc/pam.d that it's complaining about, it's what the content of those files tells it to do. What you just did allows any user, including "nobody", to _write_ those files so anyone can now amend the security settings on your system.
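
A check for the condition described in the post above, as an added example that is not part of the original thread: it lists files and directories under a PAM configuration directory that group or other can write to. The function names and the demonstration tree are constructed for illustration, and `stat -c` assumes GNU coreutils, as shipped with CentOS.

```shell
#!/bin/sh
# Added example (not from the thread): list entries under a PAM config
# directory that group or other can write to, which is what a recursive
# chmod 777 leaves behind.

# Print "<octal mode> <path>" for each file or directory under $1 that is
# group- or world-writable. The directory itself is included: write access
# to it lets a user replace files even when the files are read-only.
pam_writable_entries() {
    find "$1" \( -type f -o -type d \) \
        \( -perm -0020 -o -perm -0002 \) \
        -exec stat -c '%a %n' {} + | sort -k2
}

# Constructed demonstration tree standing in for /etc/pam.d.
make_demo_tree() {
    mkdir -p "$1/pam.d"
    : > "$1/pam.d/sudo"
    : > "$1/pam.d/sudo-i"
    : > "$1/pam.d/system-auth"
    chmod 755 "$1/pam.d"
    chmod 644 "$1/pam.d/sudo" "$1/pam.d/system-auth"
    chmod 777 "$1/pam.d/sudo-i"      # the state chmod -R 777 produces
}

demo=$(mktemp -d)
make_demo_tree "$demo"
pam_writable_entries "$demo/pam.d"
rm -rf "$demo"
```

On the affected host, `rpm -Vf /etc/pam.d/sudo` (the command given earlier in the thread) reports a changed mode with an `M` in its attribute column.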
