PAM update caused access issues and privilege elevation issues
This document (000021828) is provided subject to the disclaimer at the end of this document.
Environment
SUSE Linux Enterprise Server 15 SP6
SUSE Linux Enterprise Server for SAP Applications 15 SP6
Situation
A system was updated with SUSE-SLE-Module-Basesystem-15-SP6-2025-1334, which updated pam to version 1.3.0-150000.6.76.1. The PAM update appeared to introduce issues with authentication.
Local users cannot log in to the system with ssh. Users defined in a directory service (LDAP / AD) can still be authenticated with ssh.
Neither local users nor directory service users can elevate privileges with the su or sudo command.
The system is logging the following error messages in the system log:
unix_chkpwd[12139]: check pass; user unknown
unix_chkpwd[12139]: password check failed for user (root)
unix_chkpwd[12158]: could not obtain user info (root)
Resolution
The apparmor update 3.1.7-150600.5.9.1 released in May 2025 (apparmor-profiles-3.1.7-150600.5.9.1) contains the fix. It adds the 'capability dac_read_search' rule to the /etc/apparmor.d/unix_chkpwd profile.
To make sure the new apparmor profile is loaded on a running system, the following command should be used to trigger a reload:
systemctl reload apparmor.service
If it is not possible to update apparmor, an alternative is to downgrade pam to version 1.3.0-150000.6.71.1:
- If the system is a SUSE Multi-Linux Manager client, the downgrade can be pushed from the Manager interface.
- If the system is registered with SCC, RMT, or SMT, the downgrade requires booting the system into a rescue environment and, with the network connection up, using chroot mode to downgrade PAM to version 1.3.0-150000.6.71.2 with:
zypper install --oldpackage pam-1.3.0-150000.6.71.2
Cause
The latest PAM update 1.3.0-150000.6.76.1 brought the following change:
CVE fix: unix_chkpwd is now used unconditionally.
This caused the following errors:
unix_chkpwd[12139]: check pass; user unknown
unix_chkpwd[12139]: password check failed for user (root)
unix_chkpwd[12158]: could not obtain user info (root)
This was fixed within bcs#1234452, though the fix has yet to be released with an apparmor maintenance update. The same PAM 1.3.0-150000.6.76.1 update also caused an issue when the system is configured according to STIG hardening practices and the /etc/shadow file is set to 0000 permissions.
The workaround (included in the apparmor 3.1.7-150600.5.9.1 update) was to add:
capability dac_read_search
to the /etc/apparmor.d/unix_chkpwd file.
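The following script is an added diagnostic helper for the Resolution and Cause sections above; it is not SUSE's code and not part of this TID. It checks whether an AppArmor profile file carries an uncommented 'capability dac_read_search' rule (the fix from the apparmor update), counts the three unix_chkpwd messages quoted above in a log extract, and reports the permission bits of a shadow file (0000 under the STIG hardening described above). File paths are parameters so the checks can be run against copies; the sample profile and log lines embedded at the bottom are constructed for illustration, and the profile body is a simplified stand-in, not the real /etc/apparmor.d/unix_chkpwd.

```shell
#!/bin/sh
# Added diagnostic helper for the unix_chkpwd / AppArmor symptoms in this TID.
# Not SUSE's code. Paths are parameters so it also runs against copied files.

# profile_has_dac_read_search FILE
#   exit 0 if FILE has an uncommented 'capability ... dac_read_search ...,' rule
profile_has_dac_read_search() {
    grep -E '^[[:space:]]*capability[[:space:]]' "$1" 2>/dev/null \
        | grep -qw 'dac_read_search'
}

# count_chkpwd_failures LOGFILE
#   prints how many lines match the three unix_chkpwd messages from the TID
count_chkpwd_failures() {
    [ -r "$1" ] || { echo 0; return 0; }
    grep -Ec 'unix_chkpwd\[[0-9]+\]: (check pass; user unknown|password check failed for user|could not obtain user info)' "$1" || true
}

# shadow_mode FILE -> prints the octal permission bits (0 for mode 0000)
shadow_mode() {
    stat -c '%a' "$1"
}

# diagnose PROFILE LOG SHADOW
#   exit 0 when the profile already carries the fix or no failures were logged,
#   exit 1 when the fix is missing and unix_chkpwd failures are present
diagnose() {
    profile=$1; log=$2; shadow=$3
    failures=$(count_chkpwd_failures "$log")
    if profile_has_dac_read_search "$profile"; then
        echo "profile $profile: capability dac_read_search present (fix applied)"
        return 0
    fi
    echo "profile $profile: capability dac_read_search missing"
    echo "log $log: $failures unix_chkpwd failure line(s)"
    echo "shadow $shadow: mode $(shadow_mode "$shadow")"
    [ "$failures" -eq 0 ]
}

# Constructed sample data (not from a real system) so the script runs anywhere.
# On a live SLES 15 SP6 host the arguments would be /etc/apparmor.d/unix_chkpwd,
# an extract of the system log, and /etc/shadow.
tmp=$(mktemp -d)
cat > "$tmp/unix_chkpwd.old" <<'EOF'
# constructed, simplified profile WITHOUT the fix
/sbin/unix_chkpwd {
  capability audit_write,
  /etc/shadow r,
}
EOF
cat > "$tmp/unix_chkpwd.new" <<'EOF'
# constructed, simplified profile WITH the rule added by apparmor 3.1.7-150600.5.9.1
/sbin/unix_chkpwd {
  capability audit_write,
  capability dac_read_search,
  /etc/shadow r,
}
EOF
cat > "$tmp/messages" <<'EOF'
May  7 10:00:01 host sshd[12100]: Accepted publickey for admin
May  7 10:00:05 host unix_chkpwd[12139]: check pass; user unknown
May  7 10:00:05 host unix_chkpwd[12139]: password check failed for user (root)
May  7 10:00:07 host unix_chkpwd[12158]: could not obtain user info (root)
EOF
: > "$tmp/shadow"; chmod 0000 "$tmp/shadow"

diagnose "$tmp/unix_chkpwd.old" "$tmp/messages" "$tmp/shadow" \
    || echo "=> update apparmor (or add the capability) and run: systemctl reload apparmor.service"
diagnose "$tmp/unix_chkpwd.new" "$tmp/messages" "$tmp/shadow"
rm -rf "$tmp"
```

The first diagnose call reproduces the broken state (rule missing, failures logged, shadow mode 0) and suggests the reload from the Resolution section; the second shows the state after the fixed profile is in place.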
Additional Information
Based on communication in the bug, this issue might not be limited to apparmor; SELinux might also be affected, and therefore SLE Micro may also be affected.
Disclaimer
This Support Knowledgebase provides a valuable tool for SUSE customers and parties interested in our products and solutions to acquire information, ideas and learn from one another. Materials are provided for informational, personal or non-commercial use within your organization and are presented "AS IS" WITHOUT WARRANTY OF ANY KIND.
- Document ID: 000021828
- Creation Date: 07-May-2025
- Modified Date: 16-May-2025
- SUSE Linux Enterprise Server
- SUSE Linux Enterprise Server for SAP Applications
For questions or concerns with the SUSE Knowledgebase please contact: tidfeedback[at]suse.com