PAM (Pluggable Authentication Modules) authentication fails during SSH login. This typically means the authentication module rejected the credentials or user account. Common causes include incorrect passwords, disabled user accounts, invalid PAM configuration, or SSH/PAM incompatibilities after system updates.
PAM is a flexible authentication framework that SSH uses to validate user credentials. When you see "error: PAM: Authentication failure for user from hostname," it means the PAM subsystem on the SSH server rejected your login attempt. This can happen at various stages: password verification through pam_unix, directory service lookups (LDAP/SSSD), account status checks, or PAM module configuration issues. The error is logged by sshd when authentication fails, appearing in system logs like /var/log/auth.log (Debian/Ubuntu) or /var/log/secure (RHEL/CentOS).
Double-check that you are entering the correct username and password. Pay special attention to:
- Capitalization (usernames and passwords are case-sensitive)
- Special characters that may be interpreted differently on various keyboard layouts
- Spaces before or after the username
If you're using a special character like (, ), @, or #, try using a simpler password temporarily to isolate keyboard layout issues.
If you have physical or console access, try logging in locally at the terminal:
```bash
login
# Enter username and password
```

If local login succeeds but SSH fails, the issue is SSH/PAM configuration, not account status. If local login also fails, the problem is likely the account itself (for example, it is disabled) or the password.
Check the SSH authentication logs for more detailed error messages:
On Debian/Ubuntu:

```bash
sudo tail -f /var/log/auth.log
# Look for lines with "sshd", "PAM", and the username
```

On RHEL/CentOS:

```bash
sudo tail -f /var/log/secure
# Look for lines with "sshd", "PAM", and the username
```

The logs may reveal the specific PAM module that failed (e.g., pam_unix, pam_sss, pam_ldap).
As root or with sudo, check the account status:
```bash
# Check if account is locked
sudo passwd -S username
# Check expiration date
sudo chage -l username
# Verify user shell is valid
sudo getent passwd username
# Look for the shell in /etc/shells
cat /etc/shells
```

If the account is locked (marked with LK or similar), unlock it:

```bash
sudo passwd -u username
```

If the shell is invalid, update it:

```bash
sudo usermod -s /bin/bash username
```

Review /etc/ssh/sshd_config for incompatible settings:
```bash
sudo grep -E "^(UsePAM|PasswordAuthentication|ChallengeResponseAuthentication|PermitRootLogin)\s" /etc/ssh/sshd_config
```

Ensure these are set appropriately:

```
UsePAM yes
PasswordAuthentication yes
ChallengeResponseAuthentication no
# OR for key-only auth:
# PasswordAuthentication no
```

After making changes, validate and reload:

```bash
sudo sshd -t
sudo systemctl restart ssh # or sshd
```

If you're using LDAP, Kerberos, or SSSD for authentication, check if the directory service is responding:
```bash
# Test LDAP connectivity (if using LDAP)
sudo ldapsearch -x -H ldap://ldapserver -D "cn=admin,dc=example,dc=com" -W
# Check SSSD status (if using SSSD)
sudo systemctl status sssd
# Run SSSD with verbose debug logging (stop the running sssd service first)
sudo sssd -d 0x0fff
# Verify identity provider is working
getent passwd username
getent group groupname
```

If the directory service is unreachable, resolve connectivity before attempting SSH login.
PAM failures can have different root causes depending on the authentication stack. When PAM processing includes pam_unix (local authentication), you'll see "pam_unix(sshd:auth): authentication failure" before PAM reports the overall failure. If using sssd or LDAP, the first pam_unix failure is expected (it tries local first), followed by pam_sss success. This is normal behavior.

The "UsePAM yes" directive in sshd_config enables PAM for account and session checks; when combined with PasswordAuthentication yes, it enforces PAM authentication. This provides security benefits (password policies, session logging) but requires correct PAM configuration.

On systems with recent OpenSSH updates, incompatibility between PasswordAuthentication and ChallengeResponseAuthentication can cause PAM authentication to be rejected. If keyboard-interactive (challenge-response) authentication is enabled, disable one method or ensure both are properly configured in /etc/pam.d/sshd.

For rootless systems or containers, PAM may not be available, requiring UsePAM no and key-based authentication instead.
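To separate the expected pam_unix miss from a real rejection when reading the logs, the following added example (not part of the original page) groups sshd PAM messages by sshd PID and classifies each attempt. The sample lines are constructed, and the script assumes all messages for one login attempt carry the same sshd PID and the usual syslog layout; `triage` is a hypothetical helper name.

```python
import re
from collections import defaultdict

# Constructed sample lines in the usual auth.log / secure layout (not from a real host).
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[1234]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5  user=alice
Jan 10 12:00:01 web1 sshd[1234]: pam_sss(sshd:auth): authentication success; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=alice
Jan 10 12:00:01 web1 sshd[1234]: Accepted password for alice from 203.0.113.5 port 51234 ssh2
Jan 10 12:01:00 web1 sshd[1300]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9  user=bob
Jan 10 12:01:00 web1 sshd[1300]: pam_sss(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.9 user=bob
Jan 10 12:01:02 web1 sshd[1300]: error: PAM: Authentication failure for bob from 203.0.113.9
Jan 10 12:02:00 web1 sshd[1400]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.7  user=carol
Jan 10 12:02:02 web1 sshd[1400]: error: PAM: Authentication failure for carol from 203.0.113.7
"""

# Per-module result line; the user= field is optional because PAM can omit it.
PAM_LINE = re.compile(
    r"sshd\[(\d+)\]: (pam_\w+)\(sshd:auth\): authentication (failure|success);(?:.*\buser=(\S+))?")
# Overall verdict logged by sshd itself (the message quoted on this page).
SSHD_FAIL = re.compile(
    r"sshd\[(\d+)\]: error: PAM: Authentication failure for (?:illegal user |invalid user )?(\S+) from (\S+)")

def triage(log_text):
    """Return {sshd_pid: (user, verdict)} for every attempt that logged PAM results."""
    attempts = defaultdict(lambda: {"user": None, "failed": [], "succeeded": [], "rejected": False})
    for line in log_text.splitlines():
        if m := PAM_LINE.search(line):
            pid, module, outcome, user = m.groups()
            attempt = attempts[pid]
            attempt["user"] = user or attempt["user"]
            attempt["failed" if outcome == "failure" else "succeeded"].append(module)
        elif m := SSHD_FAIL.search(line):
            pid, user, _host = m.groups()
            attempts[pid]["user"] = user
            attempts[pid]["rejected"] = True
    report = {}
    for pid, a in attempts.items():
        if a["rejected"]:
            # sshd reported overall failure: list every module that said no.
            verdict = "rejected: failed in " + ",".join(a["failed"])
        elif a["failed"] and a["succeeded"]:
            # Local miss followed by a directory-backed success: the normal case.
            verdict = "ok: " + ",".join(a["failed"]) + " miss, then " + ",".join(a["succeeded"]) + " success"
        else:
            verdict = "inconclusive"
        report[pid] = (a["user"], verdict)
    return report

if __name__ == "__main__":
    for pid, (user, verdict) in triage(SAMPLE_LOG).items():
        print(f"sshd[{pid}] {user}: {verdict}")
```

To run it against a real host, pass the contents of /var/log/auth.log or /var/log/secure to `triage` instead of the sample.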