I recently updated my Google Cloud Compute Engine instance from NixOS 25.05 to 25.11. However, this broke my ability to ssh into the machine. I define users.users.lee.openssh.authorizedKeys.keys and this let me ssh in as lee previously, but upon updating to NixOS 25.11 it started returning “Connection Refused” with the log line from the server:
sshd-session[1334]: fatal: Access denied for user lee by PAM account configuration [preauth]
I determined this only occurred on my Google Cloud VM, because it imports ${modulesPath}/virtualisation/google-compute-image.nix which adds a PAM module to user authorization. This previously didn’t prevent me from logging in but now does for some reason. I checked the NixOS release notes but didn’t see anything about this. I was still able to login via the Google Cloud UI which creates a separate user via its guest agent.
I’ve worked around this for now by setting security.pam.services.sshd.googleOsLoginAccountVerification = lib.mkForce false;
I’d like to look more into this and determine why the login is failing otherwise, but I’m creating this thread now to give anyone else looking at upgrading a GCP instance a heads up and see if anyone else ran into this issue.