What should I do if the error "requirement "uid >= 1000" not met by user "root"" is displayed?

Problem Description

When logging in to the ECS instance of the Linux system through the local SSH client, even if the correct password is entered, the login cannot be performed normally. Execute cat /var/log/secure to view the secure log. The log contains the following error information.

pam_succeed_if(sshd:auth): requirement "uid >= 1000" not met by user "root".

Problem Causes

The policy configuration of the PAM-related modules in the ECS instance of the Linux system prohibits users whose UID (User IDentification) is less than 1000 from logging in.

NOTE PAM (Pluggable Authentication Modules) is an authentication mechanism proposed by Sun. By providing some dynamic link libraries and a set of unified API, the service provided by the system and the authentication method of the service are separated. It enables system administrators to flexibly configure different authentication methods for different services according to requirements without changing service programs, and it is also convenient to add new authentication methods to the system.
The PAM configuration files related to SSH in the Linux system mainly include the following three. If PAM authentication restricts remote connections (such as pam_succeed_if.so uid >= 1000), it means that users with UID ≥ 1000 can connect to ECS instances remotely.

• /etc/pam.d/login: the configuration file corresponding to the console (management terminal).

• /etc/pam.d/sshd: configuration file corresponding to SSH remote login.

• /etc/pam.d/system-auth: System global configuration file.

Solution

This article solves this problem by modifying the /etc/pam.d/login configuration file in the ECS instance. The method of modifying the /etc/pam.d/sshd and /etc/pam.d/system-auth files is similar.

a. Connect to the Linux instance through VNC.

b. Run the following command to check whether there is abnormal information in the /etc/pam.d/login configuration file.

cat /etc/pam.d/login

If the following information exists, only users with UID ≥ 1000 can remotely connect to the ECS instance.

auth required pam_succeed_if.so uid >= 1000

3. Modify the /etc/pam.d/login configuration file.

a. Run the following command to open the /etc/pam.d/login configuration file.

vim /etc/pam.d/login

b. Modify the configuration or add # before the line to comment out the configuration.

auth required pam_succeed_if.so uid <= 1000 # Modify strategy
# auth required pam_succeed_if.so uid >= 1000 # Comment related configuration

c. Press the Esc key and enter: wq to save.

4. Reconnect to the ECS instance remotely to ensure that you can log in normally.v