login: PAM Failure, aborting Critical Error – immediate abort
by relsbury from LinuxQuestions.org on (#5ECAE)
I have a server going through IA scan mitigation - CentOS Linux release 7.7.1908 (Core)
I implemented some fixes, most notably the ones commented out below, and am now receiving the following error: login: PAM Failure, aborting Critical Error - immediate abort.
Is there a typo here, or can someone tell me how to totally disable PAM or rebuild it from the ground up? Maybe authconfig with defaults (if that's a thing).
Right now I cannot ssh in and only have console access through rescue or emergency mode
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): as the header says, authconfig rewrites this file, so hand edits
# (these comments included) do not survive it. Keep a known-good copy before
# changing the stack; authconfig can also restore a saved backup
# (--restorelastbackup), provided one exists - verify before relying on it.
#
# ---- auth: verify the user's identity ----
# Load environment settings. "required": a failure is remembered, but the rest
# of the stack still runs.
auth required pam_env.so
# success=1 skips the next ONE module. Services NOT in this list jump over
# pam_pkcs11; for the listed ones (console "login" among them) the test does
# not succeed, its result is ignored, and pam_pkcs11 runs.
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
# success=done ends the stack as authenticated; authinfo_unavail and ignore are
# disregarded; default=die turns ANY other return code into an immediate failure.
# NOTE(review): only the listed services reach this line, console "login"
# included - presumably a candidate for the reported abort if the module is
# missing or its smart-card setup is incomplete; confirm in the auth log
# (/var/log/secure on CentOS).
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
# Delay after a failed attempt; the value is in microseconds (2000000 = 2 s).
auth required pam_faildelay.so delay=2000000
# preauth: refuse early if the account is already locked. deny=3 within
# fail_interval=900 seconds locks it; unlock_time=never means no automatic
# unlock; even_deny_root applies the same policy to root.
# NOTE(review): with even_deny_root and unlock_time=never a locked root stays
# locked until the record is cleared by hand (faillock --user <name> --reset) -
# worth checking while recovering from rescue mode.
auth required pam_faillock.so preauth silent even_deny_root unlock_time=never fail_interval=900 deny=3
# Password check against the local databases. "sufficient": success ends the
# auth stack here; failure falls through to the authfail line.
auth sufficient pam_unix.so try_first_pass
# authfail records the failed attempt. [default=die] maps every return code,
# success included, to "fail and stop", so this line is reached only after
# pam_unix did not succeed and always ends the stack.
# NOTE(review): the two auth lines below therefore appear to be unreachable.
auth [default=die] pam_faillock.so authfail silent even_deny_root unlock_time=never fail_interval=900 deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# ---- account: is this account allowed to log in right now ----
# NOTE(review): presumably what clears the failure record after a successful
# login - confirm against pam_faillock(8).
account required pam_faillock.so
account required pam_unix.so
# Either of the next two ends the account stack early with success: accounts
# listed in the local passwd file, or UIDs below 1000.
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# ---- password: rules applied when a password is changed ----
# NOTE(review): use_authtok makes a module take the new password from an earlier
# module in this stack. Nothing precedes this line in the password stack, so if
# it is re-enabled it presumably belongs after pam_pwquality - confirm against
# pam_pwhistory(8) and the hardening guide being followed.
# password requisite pam_pwhistory.so use_authtok remember=5 retry=3
# Quality check on the new password; "requisite" stops the stack on failure.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Stores the new password as a SHA-512 hash. With the pam_pwhistory line
# commented out, remember=5 here is the only password-reuse control visible in
# this file.
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
# ---- session: set-up and tear-down around the login ----
session optional pam_keyinit.so revoke
session required pam_limits.so
# The leading "-" suppresses the log message when the module is not installed.
-session optional pam_systemd.so
# success=1: for the crond service, skip the pam_unix session line below.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): as the header says, authconfig rewrites this file, so hand edits
# (these comments included) do not survive it; keep a known-good copy before
# changing the stack.
# NOTE(review): presumably the stack that sshd and other remote services
# include - confirm in /etc/pam.d/sshd.
#
# ---- auth: verify the user's identity ----
# Load environment settings. "required": a failure is remembered, but the rest
# of the stack still runs.
auth required pam_env.so
# Delay after a failed attempt; the value is in microseconds (2000000 = 2 s).
auth required pam_faildelay.so delay=2000000
# preauth: refuse early if the account is already locked. deny=3 within
# fail_interval=900 seconds locks it; unlock_time=never means no automatic
# unlock; even_deny_root applies the same policy to root.
# NOTE(review): with even_deny_root and unlock_time=never a locked root stays
# locked until the record is cleared by hand (faillock --user <name> --reset).
auth required pam_faillock.so preauth silent even_deny_root unlock_time=never fail_interval=900 deny=3
# Password check against the local databases. "sufficient": success ends the
# auth stack here; failure falls through to the authfail line.
auth sufficient pam_unix.so try_first_pass
# authfail records the failed attempt. [default=die] maps every return code,
# success included, to "fail and stop", so this line is reached only after
# pam_unix did not succeed and always ends the stack.
# NOTE(review): the two auth lines below therefore appear to be unreachable.
auth [default=die] pam_faillock.so authfail silent even_deny_root unlock_time=never fail_interval=900 deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# ---- account: is this account allowed to log in right now ----
# NOTE(review): presumably what clears the failure record after a successful
# login - confirm against pam_faillock(8).
account required pam_faillock.so
account required pam_unix.so
# Either of the next two ends the account stack early with success: accounts
# listed in the local passwd file, or UIDs below 1000.
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# ---- password: rules applied when a password is changed ----
# NOTE(review): use_authtok makes a module take the new password from an earlier
# module in this stack. Nothing precedes this line in the password stack, so if
# it is re-enabled it presumably belongs after pam_pwquality - confirm against
# pam_pwhistory(8) and the hardening guide being followed.
# password requisite pam_pwhistory.so use_authtok remember=5 retry=3
# Quality check on the new password; "requisite" stops the stack on failure.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Stores the new password as a SHA-512 hash. With the pam_pwhistory line
# commented out, remember=5 here is the only password-reuse control visible in
# this file.
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
# ---- session: set-up and tear-down around the login ----
session optional pam_keyinit.so revoke
session required pam_limits.so
# The leading "-" suppresses the log message when the module is not installed.
-session optional pam_systemd.so
# success=1: for the crond service, skip the pam_unix session line below.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so


I implemented some fixes, most notably the ones commented out below, and am now receiving the following error: login: PAM Failure, aborting Critical Error - immediate abort.
Is there a typo here, or can someone tell me how to totally disable PAM or rebuild it from the ground up? Maybe authconfig with defaults (if that's a thing).
Right now I cannot ssh in and only have console access through rescue or emergency mode
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): as the header says, authconfig rewrites this file, so hand edits
# (these comments included) do not survive it. Keep a known-good copy before
# changing the stack; authconfig can also restore a saved backup
# (--restorelastbackup), provided one exists - verify before relying on it.
#
# ---- auth: verify the user's identity ----
# Load environment settings. "required": a failure is remembered, but the rest
# of the stack still runs.
auth required pam_env.so
# success=1 skips the next ONE module. Services NOT in this list jump over
# pam_pkcs11; for the listed ones (console "login" among them) the test does
# not succeed, its result is ignored, and pam_pkcs11 runs.
auth [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
# success=done ends the stack as authenticated; authinfo_unavail and ignore are
# disregarded; default=die turns ANY other return code into an immediate failure.
# NOTE(review): only the listed services reach this line, console "login"
# included - presumably a candidate for the reported abort if the module is
# missing or its smart-card setup is incomplete; confirm in the auth log
# (/var/log/secure on CentOS).
auth [success=done authinfo_unavail=ignore ignore=ignore default=die] pam_pkcs11.so nodebug
# Delay after a failed attempt; the value is in microseconds (2000000 = 2 s).
auth required pam_faildelay.so delay=2000000
# preauth: refuse early if the account is already locked. deny=3 within
# fail_interval=900 seconds locks it; unlock_time=never means no automatic
# unlock; even_deny_root applies the same policy to root.
# NOTE(review): with even_deny_root and unlock_time=never a locked root stays
# locked until the record is cleared by hand (faillock --user <name> --reset) -
# worth checking while recovering from rescue mode.
auth required pam_faillock.so preauth silent even_deny_root unlock_time=never fail_interval=900 deny=3
# Password check against the local databases. "sufficient": success ends the
# auth stack here; failure falls through to the authfail line.
auth sufficient pam_unix.so try_first_pass
# authfail records the failed attempt. [default=die] maps every return code,
# success included, to "fail and stop", so this line is reached only after
# pam_unix did not succeed and always ends the stack.
# NOTE(review): the two auth lines below therefore appear to be unreachable.
auth [default=die] pam_faillock.so authfail silent even_deny_root unlock_time=never fail_interval=900 deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# ---- account: is this account allowed to log in right now ----
# NOTE(review): presumably what clears the failure record after a successful
# login - confirm against pam_faillock(8).
account required pam_faillock.so
account required pam_unix.so
# Either of the next two ends the account stack early with success: accounts
# listed in the local passwd file, or UIDs below 1000.
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# ---- password: rules applied when a password is changed ----
# NOTE(review): use_authtok makes a module take the new password from an earlier
# module in this stack. Nothing precedes this line in the password stack, so if
# it is re-enabled it presumably belongs after pam_pwquality - confirm against
# pam_pwhistory(8) and the hardening guide being followed.
# password requisite pam_pwhistory.so use_authtok remember=5 retry=3
# Quality check on the new password; "requisite" stops the stack on failure.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Stores the new password as a SHA-512 hash. With the pam_pwhistory line
# commented out, remember=5 here is the only password-reuse control visible in
# this file.
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
# ---- session: set-up and tear-down around the login ----
session optional pam_keyinit.so revoke
session required pam_limits.so
# The leading "-" suppresses the log message when the module is not installed.
-session optional pam_systemd.so
# success=1: for the crond service, skip the pam_unix session line below.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
cat /etc/pam.d/password-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
# NOTE(review): as the header says, authconfig rewrites this file, so hand edits
# (these comments included) do not survive it; keep a known-good copy before
# changing the stack.
# NOTE(review): presumably the stack that sshd and other remote services
# include - confirm in /etc/pam.d/sshd.
#
# ---- auth: verify the user's identity ----
# Load environment settings. "required": a failure is remembered, but the rest
# of the stack still runs.
auth required pam_env.so
# Delay after a failed attempt; the value is in microseconds (2000000 = 2 s).
auth required pam_faildelay.so delay=2000000
# preauth: refuse early if the account is already locked. deny=3 within
# fail_interval=900 seconds locks it; unlock_time=never means no automatic
# unlock; even_deny_root applies the same policy to root.
# NOTE(review): with even_deny_root and unlock_time=never a locked root stays
# locked until the record is cleared by hand (faillock --user <name> --reset).
auth required pam_faillock.so preauth silent even_deny_root unlock_time=never fail_interval=900 deny=3
# Password check against the local databases. "sufficient": success ends the
# auth stack here; failure falls through to the authfail line.
auth sufficient pam_unix.so try_first_pass
# authfail records the failed attempt. [default=die] maps every return code,
# success included, to "fail and stop", so this line is reached only after
# pam_unix did not succeed and always ends the stack.
# NOTE(review): the two auth lines below therefore appear to be unreachable.
auth [default=die] pam_faillock.so authfail silent even_deny_root unlock_time=never fail_interval=900 deny=3
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
# ---- account: is this account allowed to log in right now ----
# NOTE(review): presumably what clears the failure record after a successful
# login - confirm against pam_faillock(8).
account required pam_faillock.so
account required pam_unix.so
# Either of the next two ends the account stack early with success: accounts
# listed in the local passwd file, or UIDs below 1000.
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
# ---- password: rules applied when a password is changed ----
# NOTE(review): use_authtok makes a module take the new password from an earlier
# module in this stack. Nothing precedes this line in the password stack, so if
# it is re-enabled it presumably belongs after pam_pwquality - confirm against
# pam_pwhistory(8) and the hardening guide being followed.
# password requisite pam_pwhistory.so use_authtok remember=5 retry=3
# Quality check on the new password; "requisite" stops the stack on failure.
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
# Stores the new password as a SHA-512 hash. With the pam_pwhistory line
# commented out, remember=5 here is the only password-reuse control visible in
# this file.
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok remember=5
password required pam_deny.so
# ---- session: set-up and tear-down around the login ----
session optional pam_keyinit.so revoke
session required pam_limits.so
# The leading "-" suppresses the log message when the module is not installed.
-session optional pam_systemd.so
# success=1: for the crond service, skip the pam_unix session line below.
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so