The Problem
On a CentOS/RHEL 7 server, passwordless SSH for local users is not working. This server uses LDAP and all the LDAP user accesses are working fine. If we add a local user in /etc/security/access.conf then there is no issue with the connection. However, adding the username in /etc/security/access.conf file may not be an acceptable workaround depending on a customer’s internal security policies.
Root Cause
This happens because a system that uses LDAP as its primary authentication method grants no access to local users in its PAM account stack. The following errors appear in the secure log file:
Jul 31 04:05:43 hcusalpbidmbi1s sshd[25861]: pam_access(sshd:account): access denied for user `infbiftp' from `dm-bii-dev-01.am.health.ge.com'
Jul 31 04:05:43 hcusalpbidmbi1s sshd[25861]: pam_sss(sshd:account): Access denied for user infbiftp: 10 (User not known to the underlying authentication module)
Jul 31 04:05:43 hcusalpbidmbi1s sshd[25861]: fatal: Access denied for user infbiftp by PAM account configuration [preauth]
The Solution
1. Edit /etc/ssh/sshd_config and add the following line:
# vi /etc/ssh/sshd_config
AllowUsers username
Replace username with the correct user name, then save the file.
2. Edit the /etc/pam.d/sshd file and add the following line:
# vi /etc/pam.d/sshd
account sufficient pam_localuser.so
Save the file.
3. Restart the sshd service as well as the sssd service:
# systemctl restart sshd
# systemctl restart sssd
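The pam_localuser.so line from step 2 only helps if PAM reaches it before pam_access.so, which normally lives in the included password-auth file. The following added example (not part of the original article) flattens the account stack of a PAM service file, following include/substack, and reports whether a local user clears it; the config texts are constructed samples modelled on a RHEL 7 layout, not copied from any host.

```python
import re

# Constructed samples modelled on a RHEL 7 layout, not copied from any host.
# sshd pulls its account stack in from password-auth, where enabling access
# control puts pam_access.so ahead of pam_localuser.so.
PASSWORD_AUTH = """\
account     required      pam_access.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
"""
SSHD_BEFORE = """\
#%PAM-1.0
account    required     pam_nologin.so
account    include      password-auth
session    include      password-auth
"""
FIX_LINE = "account    sufficient   pam_localuser.so\n"
# The article's line placed before the include, so it runs first ...
SSHD_FIXED = SSHD_BEFORE.replace("account    include", FIX_LINE + "account    include")
# ... versus merely appended to the file, where pam_access.so still runs first.
SSHD_APPENDED = SSHD_BEFORE + FIX_LINE

LINE_RE = re.compile(r"^(?P<type>\S+)\s+(?P<control>\[[^\]]*\]|\S+)\s+(?P<module>\S+)")

def account_stack(files, service, depth=0):
    """Account lines of one service in pam(8) order, following include/substack."""
    if depth > 8:
        raise ValueError("include loop in PAM config")
    stack = []
    for raw in files[service].splitlines():
        m = LINE_RE.match(raw.split("#", 1)[0].strip())
        if not m or m.group("type").lstrip("-") != "account":  # "-account" is valid
            continue
        control, module = m.group("control"), m.group("module")
        if control in ("include", "substack"):
            stack.extend(account_stack(files, module, depth + 1))
        else:
            stack.append((control, module))
    return stack

def local_user_passes_account(files, service="sshd"):
    """True if 'sufficient pam_localuser.so' runs before pam_access.so can deny:
    a failed required/requisite module is not undone by a later sufficient success."""
    for control, module in account_stack(files, service):
        if module == "pam_localuser.so" and control == "sufficient":
            return True
        if module == "pam_access.so" and control != "optional":
            return False
    return False
```

Run it against the real files by reading /etc/pam.d/sshd and /etc/pam.d/password-auth into the dict instead of the samples. Separately, AllowUsers in sshd_config is an allow-list: once present, any account it does not match is refused, so the LDAP users or groups (AllowGroups) must be listed too.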