Do you have SELinux enabled on the affected server? We have seen issues in the past where SELinux running concurrently with PIM can cause issues logging in. If it is enabled, I would suggest going to /opt/CA/AccessControl/lbin and running sshd_policy.sh to test if that resolves your issue.
If that does not work, or if SELinux is not enabled on the server, then it is likely an issue with a rule in seosdb. After a user fails to log into the server, what does the seaudit output show?
CA Support Engineer
Thanks, Brian, but no, SELinux is not enabled. The Linux servers (RHEL 7) have CIS L1 hardening applied.
We do not have any rules enabled. Whether the CA PIM agent is running or not, we cannot log in.
The CIS L1 hardening is causing the issue with the PAM stack; please open an issue so we can investigate the root cause. When you open the case, please include any documentation you used to perform the CIS L1 hardening. In addition, please use the command `ssh -v USER@SERVER` to perform a debug SSH connection to reproduce the issue; this way we can see where it is failing.
Thanks, Brian. I will open a case.