This topic describes how to resolve the issue that you cannot log on to a Linux Elastic Compute Service (ECS) instance because of the Pluggable Authentication Modules (PAM) configuration on the instance.
PAM
PAM is a framework of pluggable authentication modules. Services such as sshd, login, su, and sudo do not check credentials themselves; they hand each request to the module stack configured for that service under /etc/pam.d. This is what lets administrators enforce password policies, account lockouts, and logon restrictions without changing the services.
If a PAM stack is misconfigured, authentication fails even when the password is correct, and you cannot log on to the Linux instance. To regain access, have your administrator check the PAM configuration and correct it based on your business requirements. SSH and login are the two services that remote logons to an instance usually pass through, and they correspond to the following PAM configuration files:
/etc/pam.d/login: controls logons made by the login program on a console or terminal, which is the path that the VNC console uses. You can modify this file to check passwords, lock accounts, or restrict logons from specific IP addresses.
/etc/pam.d/sshd: contains the authentication stack for SSH logons.
/etc/pam.d/system-auth: contains the system-wide authentication settings, such as password policies, user checks, and access control. The login and sshd stacks pull this file in with include or substack lines, so a line in it affects every service that includes it. On RHEL-family systems sshd usually pulls in /etc/pam.d/password-auth, which mirrors system-auth; on Debian and Ubuntu the shared files are /etc/pam.d/common-auth, common-account, common-password, and common-session.
Modify PAM configurations
Only root users (administrators) can modify PAM configurations. If you are a non-root user, contact your administrator to check and modify the PAM configurations.
Before you modify PAM configurations, assess whether the modifications are necessary and verify that the modifications do not compromise system features or cause security vulnerabilities.
1. (Optional) If you cannot log on to the PAM-enabled Linux instance as root even with the correct password, unlock the root account. Otherwise, skip this step.
2. Log on to the Linux instance as root.
For more information, see Connect to an instance by using VNC. Keep this session open until you have confirmed that logons work again: if an edit to a PAM file is wrong, the open root session is what lets you revert it.
3. Open the log file named secure, find the lines that contain pam, and note the names of the PAM modules that reported the failure:
cat /var/log/secure
On Debian and Ubuntu the same messages are written to /var/log/auth.log, and on systemd-based systems journalctl _COMM=sshd shows the sshd ones.
In this example, the following line is found, which shows that the pam_succeed_if module rejected the logon. The name in parentheses (sshd) is the service whose stack was evaluated, so you know which file to start from:
pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root".
4. Check whether the PAM configuration files contain lines for the modules that you noted in the preceding step. If they do, proceed to Step 5.
Run the following commands to view the PAM configuration files:
cat /etc/pam.d/login
cat /etc/pam.d/sshd
cat /etc/pam.d/system-auth
Run the following grep command to search the three files for a module name. Because several files are passed in one command, each matching line is prefixed with the file it comes from:
grep "<Module name>" /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/system-auth
For example, to search for the pam_succeed_if module, run:
grep "pam_succeed_if" /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/system-auth
If the files contain lines for the module, output such as the following is returned:
/etc/pam.d/login:auth requisite pam_succeed_if.so uid >= 1000 quiet_success
/etc/pam.d/system-auth:auth requisite pam_succeed_if.so uid >= 1000 quiet_success
If the module is not found in these three files, search the other files in /etc/pam.d as well: the stack for a service is often split across files that are pulled in with include or substack lines (for example, password-auth on RHEL-family systems).
5. For each PAM configuration file that contains lines for a module found in the secure log, open the file and modify those lines based on your business requirements.
Important: You must modify every PAM configuration file that contains lines for the modules found in the secure file.
a. Run the following command to open a PAM configuration file:
vim <Configuration file name>
b. Press the I key to enter Insert mode and then comment out or modify the lines based on your business requirements. For information about the syntax of PAM configuration files, see PAM Configuration (Reference).
c. Press the Esc key and enter :wq to save the changes.
d. (Optional) Repeat Steps a to c for the other PAM configuration files.
6. Log on to the Linux instance from a new session. If you can log on, the issue is resolved.
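The search in Steps 3 and 4, which the first two error entries below also send you back to, as one added shell example. This is not code from the original topic: it builds its own sample log excerpt and a temporary pam.d tree (both constructed and marked as such in the comments) so that it runs offline, and the function and variable names are the example's own. It also adds the step the manual procedure leaves implicit, following include and substack lines from the service file (sshd, login) to the shared file that actually carries the offending line.

```shell
#!/bin/sh
# Added example (not part of the original topic): the log-to-config search
# from Steps 3 and 4 as reusable functions. Input is a constructed excerpt of
# /var/log/secure and a constructed pam.d tree in a temporary directory so it
# runs offline; on a real instance pipe /var/log/secure (or /var/log/auth.log
# on Debian/Ubuntu) into pam_modules_from_log and pass /etc/pam.d as DIR.

# Constructed log lines in the format sshd writes through PAM (not a capture).
SAMPLE_LOG='Jan  1 10:00:01 host sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=root
Jan  1 10:00:01 host sshd[1234]: pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root"
Jan  1 10:00:05 host sshd[1240]: pam_listfile(sshd:auth): Refused user alice for service sshd'

# Read log text on stdin and print each PAM module that logged a message,
# once, in order of first appearance (the "pam_xxx(" prefix of every PAM line).
pam_modules_from_log() {
    grep -o 'pam_[a-z0-9_]*(' | tr -d '(' | awk '!seen[$0]++'
}

# Constructed pam.d tree: a RHEL-style sshd stack that pulls in
# password-auth, where pam_succeed_if has been moved above pam_unix and so
# rejects root; login carries a pam_listfile whitelist.
PAMD=$(mktemp -d)
cat > "$PAMD/sshd" <<'EOF'
auth       required     pam_sepermit.so
auth       substack     password-auth
account    required     pam_nologin.so
account    include      password-auth
EOF
cat > "$PAMD/password-auth" <<'EOF'
auth        required      pam_env.so
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
cat > "$PAMD/login" <<'EOF'
auth       required     pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
auth       substack     system-auth
EOF

# Print "file:line:text" for every active (uncommented) stack entry under
# DIR that loads MODULE.so. Usage: find_pam_lines MODULE DIR
find_pam_lines() {
    grep -n "^[^#]*[[:space:]]$1\.so" "$2"/*
}

# Print the names of the service files under DIR that pull in the shared
# stack file NAME with include or substack; a line found in NAME applies to
# each of them. Usage: services_including NAME DIR
services_including() {
    for f in $(grep -lE "^[^#]*(include|substack)[[:space:]]+$1[[:space:]]*$" "$2"/*); do
        basename "$f"
    done
}

# Walk every module named in the log to the config lines that load it.
printf '%s\n' "$SAMPLE_LOG" | pam_modules_from_log | while read -r mod; do
    echo "== $mod"
    find_pam_lines "$mod" "$PAMD" || echo "   (no active line under $PAMD)"
done
```

In this constructed tree the pam_succeed_if line that the log complains about is not in sshd at all but in password-auth, which sshd pulls in with substack; services_including is the check that tells you the edit you are about to make to a shared file will change sshd and any other service that includes it.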
Common error logs that are generated when you fail to log on to a Linux instance due to incorrect PAM configurations and the corresponding solutions
The secure log displays the following error message: requirement "uid >= 1000" not met by user "root"
Cause
A pam_succeed_if line in a PAM configuration file rejects users whose UIDs are less than 1000.
Note: This restriction is meant to keep system accounts from logging on. Users whose UIDs range from 0 to 999 are system users, and root (UID 0) is one of them. In the stock system-auth of RHEL-family systems the same line sits after auth sufficient pam_unix.so, so a user with a correct local password never reaches it; it blocks root only when it was moved above pam_unix.so, its control flag was changed, or local password authentication itself failed.
Solutions
Method 1: Log on to the instance as a different user whose UID is 1000 or greater.
Method 2: Check and modify the PAM configuration files to remove the restriction. Perform Steps 3 and 4.
If a PAM configuration file contains the following line (the control flag may be requisite instead of required), the file implements the restriction on system user logons. Comment out or delete the line based on your business requirements, as described in Step 5:
auth required pam_succeed_if.so uid >= 1000
The secure log displays the following error message: Refused user <Username> for service sshd
Cause
A pam_listfile line in a PAM configuration file restricts which users may log on to the instance.
Solutions
Method 1: Log on to the instance as a user that the list allows.
Method 2: Check and modify the PAM configuration files to remove the restriction. Perform Steps 3 and 4.
If a PAM configuration file contains lines such as the following, it restricts logons to specific users:
# Whitelist: allow only the users listed in the file to access the instance.
auth required pam_listfile.so item=user sense=allow file=/etc/ssh/whitelist onerr=fail
# Blacklist: deny the users listed in the file access to the instance.
auth required pam_listfile.so item=user sense=deny file=/etc/ssh/blacklist onerr=fail
Modify the PAM configuration file or the list file it points to.
To allow a user access, add the user to the whitelist (one username per line), remove the user from the blacklist, or comment out the line. Note that onerr=fail also makes authentication fail when the list file cannot be opened, so check that the file exists and is readable before you decide that the list itself is the cause.
The error message "Maximum amount of failed attempts was reached" appears when you log on to a Linux instance
Cause
The number of failed password attempts reached the account lockout threshold set by a PAM lockout module such as pam_tally2 or pam_faillock, so the account is locked and cannot be used to log on until the lockout expires or the failure counter is reset.
Solution
1. If the root account is locked, unlock it. Otherwise, skip this step.
2. Log on to the Linux instance as root.
For more information, see Connect to an instance by using VNC.
3. Run the following command to check whether a PAM configuration file implements a lockout:
cat /etc/pam.d/system-auth
If output such as the following is returned, a lockout is configured: a user is locked after three failed password attempts and cannot log on for 50 seconds.
auth required pam_tally2.so deny=3 unlock_time=50
Note that this line locks only non-root users. pam_tally2 and pam_faillock skip root unless the even_deny_root option is present (optionally with root_unlock_time=<seconds>), so if root itself is locked out, look for that option on the line.
4. Resolve the issue.
Method 1: Wait for the lockout duration specified by PAM (50 seconds in this example) to elapse, and then log on to the instance. If the line has no unlock_time, the account stays locked until the counter is reset manually.
Method 2: Modify the PAM configuration files. In this example, the /etc/pam.d/system-auth configuration file is used. You can perform the same operation on other PAM configuration files.
a. Run the following command to open the /etc/pam.d/system-auth configuration file:
vim /etc/pam.d/system-auth
b. Press the I key to enter Insert mode.
c. Comment out, modify, or delete the line that specifies the account lockout threshold and lockout duration based on your business requirements. Commenting the line out removes brute-force protection from every service that uses this file; raising deny= or lowering unlock_time= keeps the protection while making lockouts less disruptive.
In this example, the line is commented out. Before the change:
auth required pam_tally2.so deny=3 unlock_time=50
After the change:
#auth required pam_tally2.so deny=3 unlock_time=50
Note: In this example, the pam_tally2 module is used. Configurations vary based on the PAM version: pam_tally2 was removed in Linux-PAM 1.5, so distributions based on that version or later (for example, RHEL 9) use pam_faillock instead. pam_faillock takes the same deny= and unlock_time= options but is configured with preauth, authfail, and authsucc entries in the auth stack plus an account entry, and its counter is reset with faillock --user <Username> --reset rather than pam_tally2 --user <Username> --reset. For more information, see Linux PAM SAG.
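An added shell example for this lockout case, not part of the original topic. It reads the deny= and unlock_time= settings out of a pam_tally2 or pam_faillock line and reports whether root is covered (only even_deny_root locks UID 0), and it performs the Method 2 edit in a form that can be reverted: every active line that loads the module, both the auth entry and the account entry, is commented out in place after a timestamped backup is written. The file it edits is a constructed temporary copy of a system-auth, the function names are the example's own, and the reset commands in the comments are the real pam_tally2 and faillock command lines but are not run here.

```shell
#!/bin/sh
# Added example (not part of the original topic). lockout_policy describes
# what a pam_tally2/pam_faillock line actually enforces; comment_out_module
# disables a module in a PAM file the way Step 4 Method 2 describes, but with
# a backup first and an in-place rewrite that keeps the file's owner, mode
# and label. The file edited below is a constructed temporary copy, not the
# real /etc/pam.d/system-auth.
#
# On a live system, clearing the counter is the alternative to waiting:
#   pam_tally2 --user root --reset        (Linux-PAM before 1.5)
#   faillock   --user root --reset        (pam_faillock, Linux-PAM 1.5+)

# Print "deny=N unlock_time=S root=yes|no" for one stack line. Without
# unlock_time the counter never expires, so the account stays locked until
# it is reset by hand; without even_deny_root UID 0 is never locked.
lockout_policy() {
    pol_line=$1
    pol_deny=$(printf '%s\n' "$pol_line" | sed -n 's/.*[[:space:]]deny=\([0-9]*\).*/\1/p')
    pol_unlock=$(printf '%s\n' "$pol_line" | sed -n 's/.*[[:space:]]unlock_time=\([0-9]*\).*/\1/p')
    case " $pol_line " in
        *" even_deny_root "*) pol_root=yes ;;
        *) pol_root=no ;;
    esac
    printf 'deny=%s unlock_time=%s root=%s\n' \
        "${pol_deny:-unset}" "${pol_unlock:-never}" "$pol_root"
}

# Count the active (uncommented) lines in FILE that load MODULE.so.
# Usage: active_lines FILE MODULE
active_lines() {
    grep -c "^[^#]*[[:space:]]$2\.so" "$1"
}

# Comment out every active line in FILE that loads MODULE.so, after saving a
# backup named FILE.bak.<epoch seconds>; prints the backup path.
# Usage: comment_out_module FILE MODULE
comment_out_module() {
    com_file=$1
    com_mod=$2
    com_bak="$com_file.bak.$(date +%s)"
    cp -p "$com_file" "$com_bak" || return 1
    # Prefix matching lines with '#'. Writing through "cat >" keeps the
    # original inode, so ownership, permissions and any SELinux label survive.
    sed "/^[^#]*[[:space:]]$com_mod\.so/s/^/#/" "$com_bak" > "$com_file.tmp" &&
        cat "$com_file.tmp" > "$com_file"
    rm -f "$com_file.tmp"
    echo "$com_bak"
}

# Constructed copy of a system-auth that locks users out (not a real file).
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
auth        required      pam_env.so
auth        required      pam_tally2.so deny=3 unlock_time=50
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_tally2.so
account     required      pam_unix.so
EOF

# Show the policy of each active lockout line before touching the file.
grep "^[^#]*[[:space:]]pam_tally2\.so.*deny=" "$SAMPLE" | while read -r line; do
    echo "$line"
    echo "  -> $(lockout_policy "$line")"
done
```

For the constructed file the policy report is deny=3 unlock_time=50 root=no, which is why a locked-out root in this scenario points at an even_deny_root option rather than at this line; the pam_faillock form (for example `auth required pam_faillock.so preauth silent deny=5 even_deny_root unlock_time=900`) is parsed by the same function.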