ssh fatal: Access denied for user by PAM account configuration [preauth]

Want to help support this blog? Try out Oh Dear, the best all-in-one monitoring tool for your entire website, co-founded by me (the guy that wrote this blogpost). Start with a 10-day trial, no strings attached.

We offer uptime monitoring, SSL checks, broken links checking, performance & cronjob monitoring, branded status pages & so much more. Try us out today!

Profile image of Mattias Geniar

Mattias Geniar, April 01, 2016

Follow me on Twitter as @mattiasgeniar

This was an interesting issue I encountered on a Linux machine. I renamed a user in /etc/passwd, but forgot to rename its entry in /etc/shadow.

The result was that every login attempt ended up logging the following and immediately closing the SSH connection for the user.

sshd[22715]: fatal: Access denied for user username by PAM account configuration [preauth]
sshd[22723]: fatal: Access denied for user username by PAM account configuration [preauth]
sshd[23144]: fatal: Access denied for user username by PAM account configuration [preauth]

So a reminder to myself: if you rename a user in /etc/passwd, also rename it in /etc/shadow.

If you encounter this error too, check if the user that’s trying to log in has a shadow-entry. It doesn’t need a password, but it needs a corresponding entry in /etc/shadow.

Want to subscribe to the cron.weekly newsletter?

I write a weekly-ish newsletter on Linux, open source & webdevelopment called cron.weekly.

It features the latest news, guides & tutorials and new open source projects. You can sign up via email below.

No spam. Just some good, practical Linux & open source content.