Have you gotten anywhere else on this? Still trying to do some digging but not getting anywhere.
Original Message:
Sent: Tue November 21, 2023 11:04 AM
From: MOHAMMED SIDDIQUI
Subject: sudo PAM account management error Permission denied, a password is required for root
Checked the sudo code a bit and found :
In plugins/sudoers/auth/sudo_auth.c :
static sudo_auth auth_switch[] = {
    /* Standalone entries first */
#ifdef HAVE_AIXAUTH
    AUTH_ENTRY("aixauth", FLAG_STANDALONE, sudo_aix_init, NULL, sudo_aix_verify, NULL, sudo_aix_cleanup, NULL, NULL)
#endif
#ifdef HAVE_PAM
    AUTH_ENTRY("pam", FLAG_STANDALONE, sudo_pam_init, NULL, sudo_pam_verify, sudo_pam_approval, sudo_pam_cleanup, sudo_pam_begin_session, sudo_pam_end_session)
#endif
in plugins/sudoers/auth/sudo_auth.h :
typedef struct sudo_auth {
    unsigned int flags;  /* various flags, see below */
    int status;          /* status from verify routine */
    const char *name;    /* name of the method as a string */
    void *data;          /* method-specific data pointer */
    int (*init)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth);
    int (*setup)(const struct sudoers_context *ctx, struct passwd *pw, char **prompt, struct sudo_auth *auth);
    int (*verify)(const struct sudoers_context *ctx, struct passwd *pw, const char *p, struct sudo_auth *auth, struct sudo_conv_callback *callback);
    int (*approval)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth, bool exempt);
    int (*cleanup)(const struct sudoers_context *ctx, struct passwd *pw, struct sudo_auth *auth, bool force);
    int (*begin_session)(const struct sudoers_context *ctx, struct passwd *pw, char **user_env[], struct sudo_auth *auth);
    int (*end_session)(struct sudo_auth *auth);
} sudo_auth;
So anything trying to run the approval function with PAM will call sudo_pam_approval(), which calls AIX pam_acct_mgmt().
The same things using standard AIX auth will not call anything, as it is set to NULL.
So, as stated previously, that needs to be checked with the open-source community.
------------------------------
MOHAMMED SIDDIQUI
Original Message:
Sent: Tue November 21, 2023 11:02 AM
From: MOHAMMED SIDDIQUI
Subject: sudo PAM account management error Permission denied, a password is required for root
Hi Joshua,
Was working with AIX support and it looks like it is the sudo process that is attempting to establish another root session of some sort, and since the attribute of maxulogs in /etc/security/user is 1 it cannot do this, so fails with permission denied. This was easy enough to test:
# chuser maxulogs=1 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=1
# who
root pts/0 Nov 15 13:50 (10.99.0.131)
So, only one user logged in
# sudo -l
sudo: PAM account management error: Permission denied
sudo: a password is required
Change maxulogs to 2:
# chuser maxulogs=2 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=2
# sudo -l
User root may run the following commands on konglp3:
(ALL) ALL
Now if I login via a second terminal as root so there are no more available logins for root:
# who
root pts/0 Nov 15 13:50 (10.99.0.131)
root pts/1 Nov 15 14:28 (10.99.0.131)
And we get the permission denied again:
# sudo -l
sudo: PAM account management error: Permission denied
sudo: a password is required
And if I increase maxulogs to 3 and try again it works fine.
# chuser maxulogs=3 root
# lssec -f /etc/security/user -a maxulogs -s root
root maxulogs=3
# sudo -l
User root may run the following commands on konglp3:
(ALL) ALL
Additionally, each time I enter 'sudo -l' with 'maxulogs=1', the console log gets the following (this is in the HMC terminal):
AIX Version 7
Copyright IBM Corporation, 1982, 2022.
Console login: Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
Maximum number of login sessions exceeded for user root
This also indicates that sudo is doing something with a login session. So, setting STD_AUTH does not have the issue; however, it appears that with PAM_AUTH sudo behaves differently.
This is something that the sudo executable is doing when PAM is enabled. I do see information in the sudoers man page regarding PAM:
"On systems that use PAM for authentication, sudo will create a new PAM session for the command to be run in."
https://www.sudo.ws/docs/man/1.8.27/sudoers.man/
It looks like 'sudo -l' is doing just this, and the new session cannot be created because the root user's max logins has been reached.
There are various PAM-related options mentioned in the man page; I tried a few of them, like '!pam_session', but this did nothing. This is a better question for the sudo folks, or someone with access to the sudo source code, to see what it is actually doing or trying to do.
------------------------------
MOHAMMED SIDDIQUI
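The maxulogs experiment above can be turned into a pre-flight check that predicts the "PAM account management error: Permission denied" before running sudo. The script below is an added example, not code from this thread or from the sudo project. It assumes, based only on the chuser/who/sudo -l results reported above and not on anything confirmed in the sudo source, that a PAM-backed sudo counts as one extra login for the invoking user against maxulogs. The `who` and `lssec` outputs are constructed samples modelled on the ones in the post; the function names are the example's own.

```sh
#!/bin/sh
# Added example, not code from the thread or from the sudo project.
# Given the output of `who` and of
#   lssec -f /etc/security/user -a maxulogs -s USER
# predict whether a PAM-backed `sudo` run by USER would be refused.
# Assumption (taken from the experiments in the thread, not confirmed in
# sudo source): sudo under PAM_AUTH behaves as one additional login for
# USER, so it is refused once sessions + 1 exceeds maxulogs.

# Constructed sample `who` output, modelled on the thread (two root logins).
SAMPLE_WHO='root       pts/0        Nov 15 13:50     (10.99.0.131)
root       pts/1        Nov 15 14:28     (10.99.0.131)
wasadm     pts/2        Nov 15 14:30     (10.99.0.7)'

# Constructed sample lssec output for root, one per tested limit.
SAMPLE_LSSEC_2='root maxulogs=2'
SAMPLE_LSSEC_3='root maxulogs=3'

# count_sessions USER WHO_OUTPUT
# Prints how many lines of WHO_OUTPUT belong to USER (first column).
count_sessions() {
    printf '%s\n' "$2" | awk -v u="$1" '$1 == u { n++ } END { print n + 0 }'
}

# parse_maxulogs USER LSSEC_OUTPUT
# Prints the maxulogs value for USER. Prints 0 when the line or the value is
# absent; the verdict below treats 0 as "no limit" (an assumption: the
# thread only exercises the values 1, 2 and 3).
parse_maxulogs() {
    printf '%s\n' "$2" | awk -v u="$1" '
        $1 == u && $2 ~ /^maxulogs=/ { split($2, kv, "="); print kv[2] + 0; found = 1 }
        END { if (!found) print 0 }'
}

# pam_sudo_verdict USER WHO_OUTPUT LSSEC_OUTPUT
# Prints "ok" or "denied" (the thread's "PAM account management error:
# Permission denied" case). Always exits 0 so it can be used in checks.
pam_sudo_verdict() {
    sessions=$(count_sessions "$1" "$2")
    limit=$(parse_maxulogs "$1" "$3")
    if [ "$limit" -eq 0 ]; then
        echo ok
    elif [ $((sessions + 1)) -gt "$limit" ]; then
        echo denied
    else
        echo ok
    fi
    return 0
}

# Replay the thread's experiment: two root logins, maxulogs 2 and then 3.
for lssec in "$SAMPLE_LSSEC_2" "$SAMPLE_LSSEC_3"; do
    printf '%-18s sessions=%s -> sudo -l as root: %s\n' \
        "$lssec" "$(count_sessions root "$SAMPLE_WHO")" \
        "$(pam_sudo_verdict root "$SAMPLE_WHO" "$lssec")"
done
```

On a live AIX box the two sample variables would be replaced with `$(who)` and `$(lssec -f /etc/security/user -a maxulogs -s root)`; the verdict is only as good as the "one extra login" assumption, which is why it is stated in the comments rather than presented as sudo's documented behaviour.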
Original Message:
Sent: Tue November 21, 2023 10:48 AM
From: Joshua Krause
Subject: sudo PAM account management error Permission denied, a password is required for root
I am getting the same error. I get it when I run any sudo command:
(utaecegdi7301.hban.us(eceunix04uttap):/home/eceunix04uttap)$ sudo -l
eceunix04uttap's Password:
sudo: PAM account management error: Invalid argument
sudo: a password is required
This is what the output should be:
(utaecegdi7300.hban.us(eceunix04uttap):/home/eceunix04uttap)$ sudo -l
eceunix04uttap's Password:
User eceunix04uttap may run the following commands on utaecegdi7300:
(root) PASSWD: ALL
------------------------------
Joshua Krause
Original Message:
Sent: Fri November 10, 2023 05:50 PM
From: MOHAMMED SIDDIQUI
Subject: sudo PAM account management error Permission denied, a password is required for root
Hello,
Greetings to you all. I would appreciate it if you could guide me in resolving this sudo PAM account management error that I'm getting only for the "root" user. I did a lot of homework before posting this query here in the discussion group. Basically, we have PAM authentication enabled on our AIX servers running 7.2 OS TL5 SP6, but started noticing a few months ago that whenever we try to run a sudo command as the user root we get a "PAM account management error: Permission denied" error, whereas we do not get the error when we try to run sudo from a non-root user. When we set the authentication mode to the standard one (root@<SERVER> /root # chsec -f /etc/security/login.cfg -s usw -a auth_type=STD_AUTH), we are able to run sudo without any issues from root as well as non-root users. The issue only happens for the root user. I even enabled sudo debug logging but I do not see any error or fail messages in it.
oslevel -s
7200-05-06-2320
root@<SERVER> /root #
Even tried updating sudo from sudo-1.9.5p2-1.ppc to sudo-1.9.13p2-1.ppc, but it's the same issue that we are facing. I've attached the sudo debug logs for reference. Any help would be greatly appreciated.
root@<SERVER>/root # lssec -f /etc/security/login.cfg -s usw -a auth_type
usw auth_type=PAM_AUTH
root@<SERVER>/root #
root@<SERVER> /root # sudo -u wasadm -i
sudo: PAM account management error: Permission denied
sudo: a password is required
root@<SERVER> /root #
root@<SERVER> /root # sudo -l
sudo: PAM account management error: Permission denied
sudo: a password is required
root@<SERVER> /root #
<TESTUSER>@<SERVER>[/home/TESTUSER] $sudo -l
User TESTUSER may run the following commands on <SERVER>:
(ALL) NOPASSWD: ALL
TESTUSER@<SERVER>[/home/TESTUSER] $
rpm -qa | grep -i sudo
sudo-1.9.13p2-1.ppc
snip from /etc/pam.conf
sshd auth requisite /usr/lib/security/pam_permission file=/etc/security/access.conf found=prohibit
sshd auth required pam_aix
#sshd auth requisite pam_aix
sshd account required pam_aix
sshd password required pam_aix
sshd session required pam_aix
sudo auth required /usr/lib/security/pam_aix
sudo account required /usr/lib/security/pam_aix
sudo password required /usr/lib/security/pam_aix
sudo session required /usr/lib/security/pam_aix
sudo-i auth required pam_aix
sudo-i account required pam_aix
sudo-i password required pam_aix
sudo-i session required pam_aix
root@<SERVER> /root # cat /etc/security/access.conf
# THIS FILE IS GENERATED AND MAINTAINED BY MEDES
#
# DO NOT EDIT
#
# ANY MANUAL EDITS TO THIS FILE WILL BE LOST DURING NEXT UPDATE
#
# PLEASE CONTACT : XXXXX TO REQUEST CHANGES
#
# All modification to this file are monitored and audited.
#
+@system