You are not logged in.
Hi all,
after the shadow update mentioned in the news and the related change of the default password hashing algorithm, the login on my machine does not work anymore. I tried it first in a VM, but my other machines have the same setup.
The login does not work in tty or display manager (LightDM, GDM). In the journal I only get the error Authentication failure[1].
I have encrypted my home directory with eCryptfs and mount it automatically on login[2]. Here is my /etc/pam.d/system-auth[3]. But also login as root without encrypted home does not work.
ENCRYPT_METHOD SHA512 in /etc/login.defs is set [4].
Now of course I am hesitant to do the update on my other machines. Does anyone have any idea where the problem could be?
[1] https://0x0.st/HVr8.txt
[2] https://wiki.archlinux.org/title/ECryptfs#Auto-mounting
[3] https://0x0.st/HVrP.txt
[4] https://0x0.st/HVrZ.txt
Thanks a lot & Best regards
hcjl
EDIT: Typos ;-)
Last edited by hcjl (2023-09-23 21:39:06)
Offline
If you drop pam_ecryptfs.so from the auth section of /etc/pam.d/system-auth can you then login as root?
Offline
Hey loqs,
thanks for the fast reply. First I commented the pam_ecryptsfs.so in the auth section and then in password and session sections as well. In both cases I cannot login as root in a tty.
If needed, here is the updated journal https://0x0.st/HVrL.txt.
Last edited by hcjl (2023-09-23 12:30:12)
Offline
If you backup your current /etc/pam.d/system-auth and replace it with the default one[1] can you then login as root? If not the problem would appear to be in /etc/login.defs.
[1] https://gitlab.archlinux.org/archlinux/ … type=heads
Last edited by loqs (2023-09-23 13:34:06)
Offline
Even with the default system-auth I cannot login as root. See updated journal[1]. My /etc/login.defs is linked in my first post. Except for changing ENCRYPT_METHOD SHA512 its the default one.
Offline
If you change /etc/login.defs to the default is the issue still present? The ENCRYT_METHOD should not be being used until a password is changed.
Offline
pacman -Qikk pambase shadow lightdm
Were your recent attempts to login as root on the console or w/ lightdm? I don't see any pam messages for the tty login failures?
Online
From the lightdm login attempts nothing shows up in the journal. Only from tty for my user nfjl and root. But with ENCRYPT_METHOD YESCRYPT in /etc/login.defs the problem still occurs. See updated journal[1].
Uploading the output of pacman -Qikk pambase shadow lightdm via curl ot 0x0.st[2] shows me 2 warnings (see below).
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permission mismatch)
Offline
Let's check every package that places a file in /etc/pam.d:
# pacman -Qikk $(pacman -Qqo /etc/pam.d/)
Last edited by loqs (2023-09-23 16:39:05)
Offline
Here it is https://0x0.st/HVza.txt. With the following warnings during output
warning: gdm: /var/lib/gdm/.config (Permission mismatch)
warning: gdm: /var/lib/gdm/.local (Permission mismatch)
warning: shadow: /usr/bin/groupmems (GID mismatch)
warning: shadow: /usr/bin/groupmems (Permission mismatch)
warning: systemd: /var/log/journal (GID mismatch)
EDIT: I tried it with gdm in the meantime.
Last edited by hcjl (2023-09-23 16:46:50)
Offline
If you replace /etc/pam.d/system-auth with the following (which only logs and permits):
#%PAM-1.0
auth required pam_warn.so
auth required pam_permit.so
account required pam_warn.so
account required pam_permit.so
password required pam_warn.so
password required pam_permit.so
session required pam_warn.so
session required pam_permit.so
Can you login or at least is anything logged?
Offline
backup file: lightdm: /etc/pam.d/lightdm (SHA256 checksum mismatch)
backup file: util-linux: /etc/pam.d/login (SHA256 checksum mismatch)
backup file: openssh: /etc/pam.d/sshd (SHA256 checksum mismatch)
Post 'em all.
Online
I cannot login neither via tty nor gdm. I cannot even enter a password but at least something was logged -> https://0x0.st/HVz9.txt
In tty I receive the message Login incorrect immediately after entering the user name.
At this point I would like to express my greatest thanks to you for your support here.
Last edited by hcjl (2023-09-23 17:16:27)
Offline
Please post /etc/pam.d/login /etc/pam.d/lightdm /etc/pam.d/sshd as seth requested. As the changes made to those configs appear very relevant.
Offline
Sure, but your solution ideas come faster than I can reply ;-)
Here they are
/etc/pam.d/lightdm -> https://0x0.st/HVzW.txt
/etc/pam.d/login -> https://0x0.st/HVz4.txt
/etc/pam.d/sshd -> https://0x0.st/HVzy.txt
Offline
What if you comment the pam_ecryptfs.so references there?
Can you login as root again?
Online
After commenting all pam_ecryptfs.so entries in the 3 files I still canot login as root in a tty -> https://0x0.st/HVz5.txt
I also checked whether there are other files in /etc/pam.d containing those entries, but those were all.
EDIT: I tried both ENCRYPT_METHOD in /etc/login.defs without success.
Last edited by hcjl (2023-09-23 17:59:29)
Offline
What if you put /etc/pam.dl/system-auth back to
#%PAM-1.0
auth required pam_faillock.so preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth [success=2 default=ignore] pam_systemd_home.so
auth [success=1 default=bad] pam_unix.so try_first_pass nullok
auth [default=die] pam_faillock.so authfail
auth optional pam_permit.so
auth required pam_env.so
auth required pam_faillock.so authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.
-account [success=1 default=ignore] pam_systemd_home.so
account required pam_unix.so
account optional pam_permit.so
account required pam_time.so
-password [success=1 default=ignore] pam_systemd_home.so
password required pam_unix.so try_first_pass nullok shadow
password optional pam_permit.so
-session optional pam_systemd_home.so
session required pam_limits.so
session required pam_unix.so
session optional pam_permit.so
If that still fails try putting /etc/pam.d/login back to
#%PAM-1.0
auth required pam_securetty.so
auth requisite pam_nologin.so
auth include system-local-login
account include system-local-login
session include system-local-login
password include system-local-login
Edit:
If that also fails. You could login to the VM before performing the update? Is there any customization related to how or what is spawned on a tty?
Last edited by loqs (2023-09-23 18:32:40)
Offline
Unfortunately there is still no login possible. But I can enter a password again in tty. Before the update logging in worked via DM (lightdm, gdm) and tty without any problems. Can you please explain, what you mean by customizations, which impact tty spawning? Afaik I did not do something like that.
EDIT: Typos ;-)
Last edited by hcjl (2023-09-23 19:20:34)
Offline
Can you please explain, what you mean by customizations, which impact tty spawning? Afaik I did not do something like that.
Essentially anything covered in Getty.
Please post the output of the following to a pastebin:
# pacman -Qkk 2>&1 | grep -Fv '0 altered files'
Offline
No I did not do any customizations to the tty. Here is the requested output -> https://0x0.st/HVi4.txt
Offline
warning: filesystem: /etc/gshadow (Permissions mismatch)
warning: filesystem: /etc/shadow (Permissions mismatch)
Probably unrelated but make sure you didn't open access to shadow.
backup file: lightdm: /etc/pam.d/lightdm (SHA256 checksum mismatch)
backup file: openssh: /etc/pam.d/sshd (SHA256 checksum mismatch)
backup file: util-linux: /etc/pam.d/login (SHA256 checksum mismatch)
Backup your versions and replace them w/ the repo ones.
Online
Will do that tomorrow. My wife is almost killing me, because I am busy with the computer the whole day... She does not care that her machine is affected as well ;-) Thx a lot to you both so far!!
Offline
My wife went to bed ;-) With the repo versions of the 3 files the problem still occurs. What really frustrates me is that the journal provides no indication of the problem.
Offline
Have you checked that you're not stuck in "faillock" (the journal runs fairly long)
Also check /etc/passwd to make sure the root account isn't just locked.
Is
Sep 23 19:50:51 arch login[809]: pam_warn(login:auth): function=[pam_sm_authenticate] flags=0 service=[login] terminal=[/dev/tty3] user=[root] ruser=[<unknown>] rhost=[<unknown>]
still there after reverting to the repo files?
Online