[Solved] Login no longer possible after shadow update

hcjl · 2023-09-23 11:50:35

Hi all,

after the shadow update mentioned in the news and the related change of the default password hashing algorithm, the login on my machine does not work anymore. I tried it first in a VM, but my other machines have the same setup.

The login does not work in tty or display manager (LightDM, GDM). In the journal I only get the error Authentication failure[1].

I have encrypted my home directory with eCryptfs and mount it automatically on login[2]. Here is my /etc/pam.d/system-auth[3]. But also login as root without encrypted home does not work.

ENCRYPT_METHOD SHA512 in /etc/login.defs is set [4].

Now of course I am hesitant to do the update on my other machines. Does anyone have any idea where the problem could be?

[1] https://0x0.st/HVr8.txt
[2] https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
[3] https://0x0.st/HVrP.txt
[4] https://0x0.st/HVrZ.txt

Thanks a lot & Best regards
hcjl

EDIT: Typos ;-)

Last edited by hcjl (2023-09-23 21:39:06)

loqs · 2023-09-23 12:14:38

If you drop pam_ecryptfs.so from the auth section of /etc/pam.d/system-auth can you then login as root?

hcjl · 2023-09-23 12:29:41

Hey loqs,
thanks for the fast reply. First I commented the pam_ecryptsfs.so in the auth section and then in password and session sections as well. In both cases I cannot login as root in a tty.

If needed, here is the updated journal https://0x0.st/HVrL.txt.

Last edited by hcjl (2023-09-23 12:30:12)

loqs · 2023-09-23 13:22:27

If you backup your current /etc/pam.d/system-auth and replace it with the default one[1] can you then login as root? If not the problem would appear to be in /etc/login.defs.

[1] https://gitlab.archlinux.org/archlinux/ … type=heads

Last edited by loqs (2023-09-23 13:34:06)

hcjl · 2023-09-23 13:59:43

Even with the default system-auth I cannot login as root. See updated journal[1]. My /etc/login.defs is linked in my first post. Except for changing ENCRYPT_METHOD SHA512 its the default one.

[1] https://0x0.st/HVsP.txt

loqs · 2023-09-23 14:13:34

If you change /etc/login.defs to the default is the issue still present? The ENCRYT_METHOD should not be being used until a password is changed.

seth · 2023-09-23 15:45:08

pacman -Qikk pambase shadow lightdm

Were your recent attempts to login as root on the console or w/ lightdm? I don't see any pam messages for the tty login failures?

hcjl · 2023-09-23 16:34:49

From the lightdm login attempts nothing shows up in the journal. Only from tty for my user nfjl and root. But with ENCRYPT_METHOD YESCRYPT in /etc/login.defs the problem still occurs. See updated journal[1].

Uploading the output of pacman -Qikk pambase shadow lightdm via curl ot 0x0.st[2] shows me 2 warnings (see below).

warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permission mismatch)

[1] https://0x0.st/HVzb.txt
[2] https://0x0.st/HVzc.txt

loqs · 2023-09-23 16:37:09

Let's check every package that places a file in /etc/pam.d:

# pacman -Qikk $(pacman -Qqo /etc/pam.d/)

Last edited by loqs (2023-09-23 16:39:05)

hcjl · 2023-09-23 16:45:56

Here it is https://0x0.st/HVza.txt. With the following warnings during output

warning: gdm: /var/lib/gdm/.config (Permission mismatch)
warning: gdm: /var/lib/gdm/.local (Permission mismatch)
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permission mismatch)
warning: systemd: /var/log/journal (GID mismatch)

EDIT: I tried it with gdm in the meantime.

Last edited by hcjl (2023-09-23 16:46:50)

loqs · 2023-09-23 16:56:15

If you replace /etc/pam.d/system-auth with the following (which only logs and permits):

#%PAM-1.0
auth      required   pam_warn.so
auth      required   pam_permit.so
account   required   pam_warn.so
account   required   pam_permit.so
password  required   pam_warn.so
password  required   pam_permit.so
session   required   pam_warn.so
session   required   pam_permit.so

Can you login or at least is anything logged?

seth · 2023-09-23 16:57:53

backup file: lightdm: /etc/pam.d/lightdm (SHA256 checksum mismatch)
backup file: util-linux: /etc/pam.d/login (SHA256 checksum mismatch)
backup file: openssh: /etc/pam.d/sshd (SHA256 checksum mismatch)

Post 'em all.

hcjl · 2023-09-23 17:14:02

I cannot login neither via tty nor gdm. I cannot even enter a password but at least something was logged -> https://0x0.st/HVz9.txt
In tty I receive the message Login incorrect immediately after entering the user name.

At this point I would like to express my greatest thanks to you for your support here.

Last edited by hcjl (2023-09-23 17:16:27)

loqs · 2023-09-23 17:21:56

Please post /etc/pam.d/login /etc/pam.d/lightdm /etc/pam.d/sshd as seth requested. As the changes made to those configs appear very relevant.

hcjl · 2023-09-23 17:26:43

Sure, but your solution ideas come faster than I can reply ;-)

Here they are
/etc/pam.d/lightdm -> https://0x0.st/HVzW.txt
/etc/pam.d/login -> https://0x0.st/HVz4.txt
/etc/pam.d/sshd -> https://0x0.st/HVzy.txt

seth · 2023-09-23 17:33:49

What if you comment the pam_ecryptfs.so references there?
Can you login as root again?

hcjl · 2023-09-23 17:57:19

After commenting all pam_ecryptfs.so entries in the 3 files I still canot login as root in a tty -> https://0x0.st/HVz5.txt
I also checked whether there are other files in /etc/pam.d containing those entries, but those were all.

EDIT: I tried both ENCRYPT_METHOD in /etc/login.defs without success.

Last edited by hcjl (2023-09-23 17:59:29)

loqs · 2023-09-23 18:12:02

What if you put /etc/pam.dl/system-auth back to

#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

If that still fails try putting /etc/pam.d/login back to

#%PAM-1.0

auth       required     pam_securetty.so
auth       requisite    pam_nologin.so
auth       include      system-local-login
account    include      system-local-login
session    include      system-local-login
password   include      system-local-login

Edit:
If that also fails. You could login to the VM before performing the update? Is there any customization related to how or what is spawned on a tty?

Last edited by loqs (2023-09-23 18:32:40)

hcjl · 2023-09-23 19:12:38

Unfortunately there is still no login possible. But I can enter a password again in tty. Before the update logging in worked via DM (lightdm, gdm) and tty without any problems. Can you please explain, what you mean by customizations, which impact tty spawning? Afaik I did not do something like that.

EDIT: Typos ;-)

Last edited by hcjl (2023-09-23 19:20:34)

loqs · 2023-09-23 19:28:57

hcjl wrote:

Can you please explain, what you mean by customizations, which impact tty spawning? Afaik I did not do something like that.

Essentially anything covered in Getty.
Please post the output of the following to a pastebin:

# pacman -Qkk 2>&1 | grep -Fv '0 altered files'

hcjl · 2023-09-23 19:43:46

No I did not do any customizations to the tty. Here is the requested output -> https://0x0.st/HVi4.txt

seth · 2023-09-23 19:54:12

warning: filesystem: /etc/gshadow (Permissions mismatch)
warning: filesystem: /etc/shadow (Permissions mismatch)

Probably unrelated but make sure you didn't open access to shadow.

backup file: lightdm: /etc/pam.d/lightdm (SHA256 checksum mismatch)
backup file: openssh: /etc/pam.d/sshd (SHA256 checksum mismatch)
backup file: util-linux: /etc/pam.d/login (SHA256 checksum mismatch)

Backup your versions and replace them w/ the repo ones.

hcjl · 2023-09-23 20:01:40

Will do that tomorrow. My wife is almost killing me, because I am busy with the computer the whole day... She does not care that her machine is affected as well ;-) Thx a lot to you both so far!!

hcjl · 2023-09-23 20:34:01

My wife went to bed ;-) With the repo versions of the 3 files the problem still occurs. What really frustrates me is that the journal provides no indication of the problem.

seth · 2023-09-23 20:41:22

Have you checked that you're not stuck in "faillock" (the journal runs fairly long)
Also check /etc/passwd to make sure the root account isn't just locked.

Is

Sep 23 19:50:51 arch login[809]: pam_warn(login:auth): function=[pam_sm_authenticate] flags=0 service=[login] terminal=[/dev/tty3] user=[root] ruser=[<unknown>] rhost=[<unknown>]

still there after reverting to the repo files?

Arch Linux

#1 2023-09-23 11:50:35

[Solved] Login no longer possible after shadow update

#2 2023-09-23 12:14:38

Re: [Solved] Login no longer possible after shadow update

#3 2023-09-23 12:29:41

Re: [Solved] Login no longer possible after shadow update

#4 2023-09-23 13:22:27

Re: [Solved] Login no longer possible after shadow update

#5 2023-09-23 13:59:43

Re: [Solved] Login no longer possible after shadow update

#6 2023-09-23 14:13:34

Re: [Solved] Login no longer possible after shadow update

#7 2023-09-23 15:45:08

Re: [Solved] Login no longer possible after shadow update

#8 2023-09-23 16:34:49

Re: [Solved] Login no longer possible after shadow update

#9 2023-09-23 16:37:09

Re: [Solved] Login no longer possible after shadow update

#10 2023-09-23 16:45:56

Re: [Solved] Login no longer possible after shadow update

#11 2023-09-23 16:56:15

Re: [Solved] Login no longer possible after shadow update

#12 2023-09-23 16:57:53

Re: [Solved] Login no longer possible after shadow update

#13 2023-09-23 17:14:02

Re: [Solved] Login no longer possible after shadow update

#14 2023-09-23 17:21:56

Re: [Solved] Login no longer possible after shadow update

#15 2023-09-23 17:26:43

Re: [Solved] Login no longer possible after shadow update

#16 2023-09-23 17:33:49

Re: [Solved] Login no longer possible after shadow update

#17 2023-09-23 17:57:19

Re: [Solved] Login no longer possible after shadow update

#18 2023-09-23 18:12:02

Re: [Solved] Login no longer possible after shadow update

#19 2023-09-23 19:12:38

Re: [Solved] Login no longer possible after shadow update

#20 2023-09-23 19:28:57

Re: [Solved] Login no longer possible after shadow update

#21 2023-09-23 19:43:46

Re: [Solved] Login no longer possible after shadow update

#22 2023-09-23 19:54:12

Re: [Solved] Login no longer possible after shadow update

#23 2023-09-23 20:01:40

Re: [Solved] Login no longer possible after shadow update

#24 2023-09-23 20:34:01

Re: [Solved] Login no longer possible after shadow update

#25 2023-09-23 20:41:22

Re: [Solved] Login no longer possible after shadow update

Board footer