"pam_unix: authentication failure" is logged to syslog even though authentication of the user by UNAB was successful


Article ID: 7874


Updated On:


CA Privileged Access Manager - Server Control (PAMSC)
CA Privileged Identity Management Endpoint (PIM)


Even though the login as an AD user via UNAB was successful, the following entries appear in /var/log/secure:
Aug 3 11:49:09 rh73 sshd[12458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Administrator
Aug 3 11:49:09 rh73 sshd[12458]: Accepted password for Administrator from ::1 port 47750 ssh2
Aug 3 11:49:09 rh73 sshd[12458]: pam_unix(sshd:session): session opened for user Administrator by (uid=0)


The same happens when the user uses sesu to switch to another user
(with old_sesu=no set in seos.ini, so PAM is used here as well):

Aug 3 14:02:05 rh73 sesu: pam_unix(etrust-ac:auth): authentication failure; logname=Administrator uid=2000 euid=0 tty=/dev/pts/1 ruser= rhost= user=Administrator
Aug 3 14:02:05 rh73 su: pam_unix(su:session): session opened for user root by Administrator(uid=0)


The reason for the “wrong” authentication failure messages is a misbehaviour in the native pam_unix authentication module.
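
As an added example (not part of the original article or of any CA tooling), the following Python script triages log lines like those above: it treats a pam_unix authentication failure as spurious when a success for the same user follows on the same host within two seconds, and from the same PID where both lines carry one. The two-second window, the function name triage and the sample user mallory are assumptions of this example; a genuine failure followed by a successful retry inside the window would match as well, so the raw lines should be kept.

```python
import re
from datetime import datetime, timedelta

# Constructed sample: the log lines quoted in this article plus one invented
# genuine failure (user "mallory" and its rhost are made up for the example).
SAMPLE = """\
Aug 3 11:49:09 rh73 sshd[12458]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=localhost user=Administrator
Aug 3 11:49:09 rh73 sshd[12458]: Accepted password for Administrator from ::1 port 47750 ssh2
Aug 3 11:49:09 rh73 sshd[12458]: pam_unix(sshd:session): session opened for user Administrator by (uid=0)
Aug 3 14:02:05 rh73 sesu: pam_unix(etrust-ac:auth): authentication failure; logname=Administrator uid=2000 euid=0 tty=/dev/pts/1 ruser= rhost= user=Administrator
Aug 3 14:02:05 rh73 su: pam_unix(su:session): session opened for user root by Administrator(uid=0)
Aug 3 15:10:42 rh73 sshd[13001]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=mallory
"""

LINE = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s([^\s\[:]+)(?:\[(\d+)\])?:\s(.*)$")
FAIL = re.compile(r"pam_unix\(\S+:auth\): authentication failure;.*\buser=(\S+)")
OKAY = re.compile(r"Accepted \S+ for (\S+) from |session opened for user \S+ by (\S+)\(")

def triage(text, window=timedelta(seconds=2)):
    """Return (spurious, genuine) lists of pam_unix auth-failure lines."""
    events = []
    for raw in text.splitlines():
        m = LINE.match(raw)
        if m:
            # syslog timestamps carry no year; a fixed leap year keeps Feb 29 parseable
            ts = datetime.strptime("2000 " + m[1], "%Y %b %d %H:%M:%S")
            events.append((ts, m[2], m[4], m[5], raw))
    spurious, genuine = [], []
    for i, (ts, host, pid, msg, raw) in enumerate(events):
        f = FAIL.search(msg)
        if not f:
            continue
        for ts2, host2, pid2, msg2, _ in events[i + 1:]:
            ok = OKAY.search(msg2)
            actor = (ok[1] or ok[2]) if ok else None  # user who authenticated
            same_proc = pid is None or pid2 is None or pid == pid2
            if (host2 == host and actor == f[1] and same_proc
                    and timedelta(0) <= ts2 - ts <= window):
                spurious.append(raw)
                break
        else:  # no matching success followed: keep as a real failure
            genuine.append(raw)
    return spurious, genuine
```
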




To prevent the message from appearing, rearrange the PAM stack configuration so that control does not reach pam_unix.

Internal research found that the alternative pam_ftp module, which to a certain extent works identically to the pam_unix module (without parameters), does not show this symptom.

Replacing the first call of pam_unix with pam_ftp circumvents the issue: authentication as an AD user via tty and ssh works fine, and a subsequent sesu to root does not show any problem either.
The “wrong” authentication failure message does not appear.

Apply the alternative as shown below in the two configuration files /etc/pam.d/password-auth and /etc/pam.d/system-auth:
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required
auth optional     # <- this line is to be inserted
#auth optional   # <- this line is to be commented out
auth sufficient # added by UNAB (uxauth)
auth sufficient nullok try_first_pass
auth requisite uid >= 1000 quiet_success
auth required

account sufficient

Additional Information

Note that pam_unix is a third-party module that is outside CA's control, hence we cannot correct this misbehaviour.

Although this approach was successfully tested in-house, CA does not provide any guarantee for it. Careful regression testing of your own is recommended to confirm that everything works as expected.