[SOLVED] FAILED to authorize user with PAM (Permission denied)
Hi,
I ran my logwatch and I saw a list of these entries
FAILED to authorize user with PAM (Permission denied)
I have actually run these commands: echo "root" > /etc/cron.allow and echo "myuser" >> /etc/cron.allow. What else do I need to do to overcome this error?
Further below I have this.
Code:
**Unmatched Entries**
crond: pam_access(crond:account): access denied for user `root' from `cron': 496 Time(s)
groupadd: group added to /etc/group: name=apache, GID=48: 1 Time(s)
groupadd: group added to /etc/group: name=mock, GID=135: 1 Time(s)
groupadd: group added to /etc/group: name=mysql, GID=27: 1 Time(s)
groupadd: group added to /etc/group: name=ossec, GID=498: 1 Time(s)
groupadd: group added to /etc/gshadow: name=apache: 1 Time(s)
groupadd: group added to /etc/gshadow: name=mock: 1 Time(s)
groupadd: group added to /etc/gshadow: name=mysql: 1 Time(s)
groupadd: group added to /etc/gshadow: name=ossec: 1 Time(s)
useradd: add 'ossec' to group 'ossec': 1 Time(s)
useradd: add 'ossec' to shadow group 'ossec': 1 Time(s)
useradd: add 'ossece' to group 'ossec': 1 Time(s)
useradd: add 'ossece' to shadow group 'ossec': 1 Time(s)
useradd: add 'ossecm' to group 'ossec': 1 Time(s)
useradd: add 'ossecm' to shadow group 'ossec': 1 Time(s)
useradd: add 'ossecr' to group 'ossec': 1 Time(s)
useradd: add 'ossecr' to shadow group 'ossec': 1 Time(s)
#
# The PAM configuration file for the cron daemon
#
#
# No PAM authentication called, auth modules not needed
account required pam_access.so
account include password-auth
session required pam_loginuid.so
session include password-auth
auth include password-auth
The OS is CentOS release 6.5 (Final) and getenforce is Enforcing (should I disable this?)
I suppose we can start by hitting it with a big stick. Yes, I'd disable SELinux (using setenforce, or modifying /etc/selinux/config and restarting the system).
If that solves the problem, this may be fixable by re-applying the "SELinux context", and then re-enabling it. If it doesn't solve the problem, we move on to the next most obvious causes.
Dear Anomie,
I have adjusted /etc/selinux/config and disabled it and rebooted the system. How to check now whether it's gone or not? I guess I will wait for one more day and then run the logwatch? Another thing: can I determine which cron is having the problem, because it does not indicate clearly?
Dear Anomie,
I tried this command and below is the output, but what cron is this which runs every 10 minutes from this log? I have confirmed this.
Quote:
getenforce
Disabled
Quote:
tail -f /var/log/cron
Jan 25 20:30:01 pro1 crond[10573]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 20:40:01 pro1 crond[10606]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 20:50:01 pro1 crond[11089]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:00:01 pro1 crond[11366]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:01:01 pro1 crond[11370]: (root) FAILED to authorize user with PAM (Permission denied)
Jan 25 21:10:01 pro1 crond[11398]: (root) FAILED to authorize user with PAM (Permission denied)
From unSpawn's suggestion I saw these lines. I am not too sure what the log is representing but I can see it shows the success there.
Quote:
type=USER_ACCT msg=audit(1389171001.124:74352): user pid=21011 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1389171001.124:74353): user pid=21011 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1389171001.124:74354): pid=21011 uid=0 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=3320 new ses=8614
type=USER_START msg=audit(1389171001.125:74355): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1389171001.177:74356): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1389171001.177:74357): user pid=21011 uid=0 auid=0 ses=8614 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_ACCT msg=audit(1389171601.183:74358): user pid=21030 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_ACQ msg=audit(1389171601.183:74359): user pid=21030 uid=0 auid=0 ses=3320 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1389171601.183:74360): pid=21030 uid=0 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 old auid=0 new auid=0 old ses=3320 new ses=8615
type=USER_START msg=audit(1389171601.183:74361): user pid=21030 uid=0 auid=0 ses=8615 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1389171601.242:74362): user pid=21030 uid=0 auid=0 ses=8615 subj=unconfined_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1389171601.242:74363): user pid=21030 u
I am not too sure what the log is representing but I can see it shows the success there.
Only success so that can't be it. What does this show?:
Code:
grep "^+.*cron" /etc/security/access.conf
Quote:
Originally Posted by newbie14
Today my server totally hung and could not be accessed. Could it be due to this problem or any other bug in the new kernel?
You should know by now that we are not clairvoyant. So without any meaningful log file contents, terminal output or whatever else the system spits out we can not tell you anything.
I have attached my /var/log/message. I don't really see any indication. If you notice, I just extracted the one previous output that is for Jan 24 23:48:02 when I rebooted the server, and one is yesterday, Jan 26 10:52:23. Before this timestamp Jan 26 10:52:23 I don't see any record in log message to indicate any possible issue? What are the other log files I should be digging in?
Cron line looks OK. Is this a new machine or the one we prepped earlier? If it is a new one (and provided the old one still works OK) I'd diff configs in /etc/ first with the old one. Also look for which cron job is set to fire approximately every ten minutes. If it is the old one then you should look into what changes you made between when it ran OK and now. If it's a new machine and you're quite certain configs match the old setup then could you create a new unprivileged user, set a strong password, add the user to /etc/cron.allow and /etc/security/access.conf and test if a cron job for this user works / fails?
Dear unSpawn,
No, this is a new machine and I followed strictly all of the 2-stage guide you gave me a long time ago, except for the Aide, which I replaced with Ossec. How to run the diff between 2 servers, it's a lot of server settings, right, and I guess this can only be done manually? I tried crontab -e with both my users on my server and it gives me this error
Quote:
[root@pro1 ~]# crontab -e
Permission denied
You (root) are not allowed to access to (crontab) because of pam configuration.
[myuser@pro1 ~]$ crontab -e
Permission denied
You (myuser) are not allowed to access to (crontab) because of pam configuration.
I created a new user called mytest and I did both of these: echo "mytest" >> /etc/cron.allow and edited /etc/security/access.conf with + : mytest : cron crond tty2. Finally I tried to log in using the new user and ran crontab -e: same error.
Quote:
Permission denied
You (mytest) are not allowed to access to (crontab) because of pam configuration.
So I guess my pam is the one not allowing here. I want to delete the new user; is this sufficient: userdel -r mytest?
Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?
How to run the diff between 2 servers, it's a lot of server settings, right, and I guess this can only be done manually?
Make a tar ball of /etc, scp it over to the other machine, decompress into some temporary directory, then run 'diff -rq' on the etc/ in the temporary directory and /etc?
Quote:
Originally Posted by newbie14
[root@pro1 ~]# crontab -e
Permission denied
You (root) are not allowed to access to (crontab) because of pam configuration.
Now that is an odd error.
Quote:
Originally Posted by newbie14
So I guess my pam is the one not allowing here. I want to delete the new user; is this sufficient: userdel -r mytest?
Seems like it, we'll have to find out why. If you 'userdel' also don't forget to 'groupdel' if the user has its own group.
Quote:
Originally Posted by newbie14
Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?
It will enable any user to use cron jobs: see 'man pam_access'. I'd rather first try adding "debug" to the line:
Code:
account required pam_access.so debug
and see if that shows clues. Else we'll have to start from scratch checking all permissions, SELinux contexts and such...
Also I did some googling and some suggest commenting out #account required pam_access.so in /etc/pam.d/crond, but this will turn off PAM, right?
You can try commenting it out temporarily to see if the problem resolves, but remove the comment after you're done testing.
I would expect commenting that line out to work, but it's definitely not a "fix". We should get to the root cause of the problem here (which I am beginning to suspect is a malformed / bad character /etc/security/access.conf).
When you're ready, modify your /etc/pam.d/crond to include the line:
Code:
account required pam_access.so debug
This should provide verbose logging, and better insight into what is really happening. After adding that line, let the cron daemon run for awhile, and check /var/log/secure and /var/log/messages.
-------
I was eight minutes too slow. But I agree with the debugging approach.
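Added example, not written by any poster in this thread: a small Python check for the malformed /etc/security/access.conf theory raised above, evaluating the (user, origin) pair from the logwatch line (`root` from `cron`). It models only the basic pam_access behavior (first matching `permission : users : origins` line wins, no match grants access); the names `SAMPLE`, `parse` and `decide` are hypothetical, the sample file is constructed, and EXCEPT, group syntax, LOCAL and network origins are not handled.

```python
import re
import unicodedata

# Constructed sample, not the poster's file. Line 2 hides a non-breaking
# space (U+00A0) after "root"; line 4 is missing a field separator.
SAMPLE = (
    "# constructed access.conf\n"
    "+ : root\u00a0: cron crond\n"
    "+ : myuser : cron crond tty2\n"
    "+ root : cron\n"
    "- : ALL : ALL\n"
)

# Assumption: default list separators are space, comma and tab (no listsep= set).
LIST_SEP = re.compile(r"[ ,\t]+")

def parse(text):
    """Return (rules, problems); each rule is (lineno, perm, users, origins)."""
    rules, problems = [], []
    # split("\n") keeps a stray carriage return on the line so it can be flagged
    for n, line in enumerate(text.split("\n"), 1):
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        bad = [c for c in line if ord(c) > 126 or (ord(c) < 32 and c != "\t")]
        if bad:
            names = ", ".join(unicodedata.name(c, hex(ord(c))) for c in bad)
            problems.append((n, "unexpected character: " + names))
        fields = [f.strip(" \t") for f in line.split(":")]
        if len(fields) != 3 or fields[0] not in ("+", "-"):
            problems.append((n, "not 'permission : users : origins'"))
            continue
        rules.append((n, fields[0], LIST_SEP.split(fields[1]), LIST_SEP.split(fields[2])))
    return rules, problems

def decide(rules, user, origin):
    """Return (allowed, lineno of the deciding rule or None)."""
    for n, perm, users, origins in rules:
        if (user in users or "ALL" in users) and (origin in origins or "ALL" in origins):
            return perm == "+", n
    return True, None  # no rule matched: access is granted

if __name__ == "__main__":
    rules, problems = parse(SAMPLE)
    for n, msg in problems:
        print(f"line {n}: {msg}")
    print("root from cron:", decide(rules, "root", "cron"))
```

In the sample, the `+` line meant for root never matches because of the invisible character, so the final `- : ALL : ALL` decides and root is denied from `cron`.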