
Knox authentication with PAM


Hello Team,


I have an issue with setting the Knox authentication with PAM. I have the default login in /etc/pam.d/




$ cat /etc/pam.d/login
auth [user_unknown=ignore success=ok ignore=ignore default=bad]
auth       substack     system-auth
auth       include      postlogin
account    required
account    include      system-auth
password   include      system-auth
# close should be the first session rule
session    required close
session    required
session    optional
# open should only be followed by sessions to be executed in the user context
session    required open
session    required
session    optional force revoke
session    include      system-auth
session    include      postlogin
-session   optional



Knox-sso looks as follows (the default one):



I created a user named test with a password. I tried to access the Knox Gateway UI, but I get the issue.



The Knox Gateway log says:


( - Shiro unable to login: null



Note: I am using CDP 7.1.6 and I can login to my host (where Knox Gateway is installed) using the test user. Also, there's no Kerberos setup.


Please share if there's something that needs to be adjusted.


Best Regards











Super Collaborator

@Sayed016 Can you check the permissions on the /etc/shadow file and make sure it has 444 permissions?



Yes, that resolved the issue! I had 000 as my permission. Thank you @Scharan I appreciate the quick reply.




@Scharan Can you please give a short explanation, as my customer is asking for it, of why the shadow file matters in this case, i.e. what is the relation between Knox and the shadow file? Thank you!


Super Collaborator

@Sayed016 Not only Knox; whatever the service may be, PAM authentication requires read permission on the /etc/shadow file.

Refer to the below doc for more info


@Scharan Thank you! This helps. I appreciate it!
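
An added example, not part of the thread or of Knox: a POSIX shell check that decides from the mode bits whether a service account can read /etc/shadow, covering the 000 and 444 modes discussed above as well as a group-readable mode. The service account name `knox` and all function names are assumptions; `stat -c` is GNU stat.

```shell
#!/bin/sh
# Added example, not from the thread. Models the kernel's mode-bit check
# (owner class, else group class, else other) for a service account.

has_bit() { [ $(( $1 & $2 )) -ne 0 ]; }

# can_read MODE OWNER_UID OWNER_GID SVC_UID "SVC_GIDS"   (MODE is octal, e.g. 640)
can_read() {
    m=$(( 0$1 ))
    # uid 0 normally bypasses mode bits (CAP_DAC_OVERRIDE), so 000 still works for root
    if [ "$4" -eq 0 ]; then return 0; fi
    # Only the first matching class applies: owner, then group, then other
    if [ "$4" -eq "$2" ]; then has_bit "$m" 0400; return; fi
    for g in $5; do
        if [ "$g" -eq "$3" ]; then has_bit "$m" 0040; return; fi
    done
    has_bit "$m" 0004
}

# True when every local account can read the file
world_readable() { has_bit $(( 0$1 )) 0004; }

# audit_shadow SERVICE_USER [FILE]  -- inspects the live host with GNU stat and id
audit_shadow() {
    f=${2:-/etc/shadow}
    perms=$(stat -c '%a %u %g' "$f") || return 2
    uid=$(id -u "$1") || return 2
    gids=$(id -G "$1") || return 2
    # Positional parameters become: user, file, mode, owner uid, owner gid
    set -- "$1" "$f" $perms
    if can_read "$3" "$4" "$5" "$uid" "$gids"; then
        echo "$1 can read $2 (mode $3)"
    else
        echo "$1 cannot read $2 (mode $3): PAM authentication through this service fails"
    fi
    if world_readable "$3"; then
        echo "mode $3 lets every local account read the password hashes"
    fi
}

# Runs against the host only when a service user is named, e.g.: sh check.sh knox
if [ "$#" -ge 1 ]; then audit_shadow "$@"; fi
```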

