LinuxQuestions.org
Old 09-18-2005, 02:39 PM   #1
greennick
Member
 
Registered: Aug 2002
Location: san jose, CA
Distribution: SuSE 8.1, 64Studio Debian
Posts: 31

Rep: Reputation: 15
Root Password Broken - authentication not catching /etc/shadow changes


Any attempt to access the root password on my system fails - su, graphical configuration tools (or even command line ones), etc., fail to recognize the password. I've tried every password I've ever used on this system, without success (always returns "Authentication failure. Sorry").

Sudo continues to work from a user account as well as an open root terminal, and through these I can get passwd to successfully change the root password - changes are visible in /etc/shadow, but still the new passwords (or even the old ones) don't work for su or distribution configuration tools.

Interestingly, rlogin does respond to the password change, using "rlogin systemname -l root" from the same system. Nothing "local" works. I tried changing the password, eliminating the password from /etc/shadow, or copying another user's password to root in /etc/shadow, all with the same results.

So what do su and other system tools use to authenticate the root password? Are the changes to /etc/shadow just taking a while to get to these programs (i.e. they need a restart? seems too windoze-like to me), or do these programs look somewhere other than /etc/shadow that needs some additional help to get updated? What's up here?

I'm using 64Studio's audio-optimized distribution of Debian testing/etch on a 64-bit P4 system.
 
Old 09-18-2005, 02:42 PM   #2
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
This sounds like an issue with PAM configuration. Have you looked in /var/log/secure* or /var/log/auth* or similar logfiles to find details on why it is rejecting your login?
 
Old 09-19-2005, 03:08 PM   #3
greennick
Member
 
Registered: Aug 2002
Location: san jose, CA
Distribution: SuSE 8.1, 64Studio Debian
Posts: 31

Original Poster
Rep: Reputation: 15
Thanks for the lead. I don't have any /var/log/secure* logs, but I did find the auth.log, without any obvious clues.
Here's a common entry from /var/log/auth.log:

Sep 18 12:37:18 localhost su[2777]: (pam_unix) authentication failure; logname=luke uid=1000 euid=1000 tty=pts/1 ruser=luke rhost= user=root
Sep 18 12:37:21 localhost su[2777]: pam_authenticate: Authentication failure
Sep 18 12:37:21 localhost su[2777]: - pts/1 luke:root
Sep 18 12:37:29 localhost sshd[2780]: Accepted keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 50075 ssh2
Sep 18 12:37:29 localhost sshd[2783]: (pam_unix) session opened for user root by root(uid=0)

I'm still looking for more info on PAM, will post when I get further along. I have a different problem that I suspect may be related - I'm not seeing changes I made in user groups reflected...I added my user to a few groups (system, music) using users-admin but I'm not seeing those groups show up in id's report or when I try to actually use those permissions. I'm tempted to reboot and see if that helps, but I'm mildly creeped out by the windows-ness of that solution if it works. ; )
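
A per-service summary of the auth.log entries quoted in the post above, as an added example that is not part of the original post. `pam_auth_summary` is a hypothetical helper name, and `SAMPLE_LOG` repeats three of the quoted lines; the tally puts the `su` failure and the `sshd` success for the same account side by side.

```shell
#!/bin/sh
# Added example, not from the thread. SAMPLE_LOG repeats three of the
# auth.log lines quoted in the post above.

SAMPLE_LOG='Sep 18 12:37:18 localhost su[2777]: (pam_unix) authentication failure; logname=luke uid=1000 euid=1000 tty=pts/1 ruser=luke rhost= user=root
Sep 18 12:37:21 localhost su[2777]: pam_authenticate: Authentication failure
Sep 18 12:37:29 localhost sshd[2780]: Accepted keyboard-interactive/pam for root from ::ffff:127.0.0.1 port 50075 ssh2'

# Reads syslog-format auth lines on stdin and prints
# "<service> <target user> <ok|fail> <count>", sorted.
pam_auth_summary() {
    awk '
        { svc = $5; sub(/\[.*/, "", svc); sub(/:$/, "", svc) }
        # pam_unix failures carry the target account in a user= token
        # (ruser= is the calling user and is skipped by the ^ anchor).
        /pam_unix/ && /authentication failure;/ {
            for (i = 6; i <= NF; i++)
                if ($i ~ /^user=/) n[svc " " substr($i, 6) " fail"]++
        }
        # sshd logs a successful login as "Accepted <method> for <user>".
        $6 == "Accepted" && $8 == "for" { n[svc " " $9 " ok"]++ }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

printf '%s\n' "$SAMPLE_LOG" | pam_auth_summary
```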
 
Old 09-19-2005, 05:11 PM   #4
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Yeah, those both seem like a pam issue. Look in the /etc/pam.d directory for configuration for each of the services.
 
Old 09-20-2005, 06:57 AM   #5
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
same problem

Quote:
Yeah, those both seem like a pam issue. Look in the /etc/pam.d directory for configuration for each of the services.
ok, have the same problem...I did a "deep-upgrade" and let emerge overwrite my configfiles in /etc.
Since then I cannot access my root account and I haven't got sudo installed.
I have tried chrooting into my system (from the live cd) and changing root's password, with no effect.

What needs changing in /etc/pam.d to either allow for changes or to reset the password in some other way?
 
Old 09-20-2005, 07:40 AM   #6
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
Well, all the stable updates I've seen in portage wouldn't break things. Can you still log in as a user? What files do you have in /etc/pam.d?
 
Old 09-20-2005, 10:53 AM   #7
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
my normal user can still log in.
these are the files in /etc/pam.d
Code:
chage     cups           groupdel  imaps     pop     sshd         usermod
chfn      gdm            groupmod  login     pop3    su           xdm
chpasswd  gdm-autologin  imap      newusers  pop3s   system-auth  xscreensaver
chsh      gdmsetup       imap4     other     pops    useradd      xserver
cron      groupadd       imap4s    passwd    shadow  userdel
 
Old 09-20-2005, 11:26 AM   #8
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
I would look at the system-auth, shadow, and su files. Also, have you tried doing a fresh emerge sync and upgrade? Perhaps a bug has been fixed.
 
Old 09-20-2005, 12:18 PM   #9
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
This is my system-auth, I don't have a clue to what it all means. Su and shadow are masked, I'll have to reboot with my livecd to view them...
Also, I cannot emerge without using the root account (or su)
Code:
#%PAM-1.0

auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so

account    required     pam_unix.so

password   required     pam_cracklib.so retry=3
password   sufficient   pam_unix.so nullok md5 shadow use_authtok
password   required     pam_deny.so

session    required     pam_limits.so
session    required     pam_unix.so
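
How the `auth` lines of the system-auth file above combine, as an added example that is not part of the original post: a shell model of Linux-PAM's `required`, `requisite` and `sufficient` control flags. `pam_eval` and `module_result` are hypothetical names, module outcomes are supplied by the caller, unlisted modules are assumed to succeed, and `optional`, `include`, `pam_stack` and bracketed controls are not modelled.

```shell
#!/bin/sh
# Added example, not from the thread. SYSTEM_AUTH repeats the auth and
# account lines of the system-auth file posted above.

SYSTEM_AUTH='auth       required     pam_env.so
auth       sufficient   pam_unix.so likeauth nullok
auth       required     pam_deny.so
account    required     pam_unix.so'

# module_result MODULE [module=ok|fail ...] -> prints ok or fail
module_result() {
    mod=$1; shift
    case $mod in
        pam_deny.so)   echo fail; return ;;   # always fails by design
        pam_permit.so) echo ok;   return ;;   # always succeeds by design
    esac
    for kv in "$@"; do
        [ "${kv%%=*}" = "$mod" ] && { echo "${kv#*=}"; return; }
    done
    echo ok   # assumption: modules not listed by the caller succeed
}

# pam_eval GROUP CONFIG_TEXT [module=ok|fail ...] -> prints granted or denied
pam_eval() {
    group=$1 config=$2; shift 2
    required_failed=0
    while read -r t control module rest; do
        [ "$t" = "$group" ] || continue
        res=$(module_result "$module" "$@")
        case $control:$res in
            requisite:fail) echo denied; return ;;      # stop at once
            required:fail)  required_failed=1 ;;        # fail, but keep going
            # success ends the stack only if no earlier required module failed
            sufficient:ok)  [ "$required_failed" -eq 0 ] && { echo granted; return; } ;;
        esac
    done <<EOF
$config
EOF
    [ "$required_failed" -eq 0 ] && echo granted || echo denied
}

for unix in ok fail; do
    printf 'pam_unix=%s -> %s\n' "$unix" "$(pam_eval auth "$SYSTEM_AUTH" "pam_unix.so=$unix")"
done
```

With this stack, a `pam_unix.so` failure falls through to `pam_deny.so`, so the outcome depends entirely on whether `pam_unix.so` can verify the password.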
 
Old 09-20-2005, 12:20 PM   #10
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
That is the same as mine.

If it's of any help, here are the md5sums for my pam.d configuration files, so you can see if yours differ:
Code:
60d44a6f43aafcb9ca35858ab2534a49  chage
60d44a6f43aafcb9ca35858ab2534a49  chfn
60d44a6f43aafcb9ca35858ab2534a49  chpasswd
60d44a6f43aafcb9ca35858ab2534a49  chsh
5eab102dfecfc35810ab8cf50f95d0d3  cron
7242b8a2000fe4c5a2b398e6602f7f1c  cups
2edddb54af0c3c979b9ef73ba52deb4a  gdm
6c45b586e2cf16cf89ab544197b12bae  gdm-autologin
89cc8ab9525284af6babcb9c86122443  gdmconfig
60d44a6f43aafcb9ca35858ab2534a49  groupadd
60d44a6f43aafcb9ca35858ab2534a49  groupdel
60d44a6f43aafcb9ca35858ab2534a49  groupmod
e75c39fbdac8eec750d84a7183ac6721  imap
e75c39fbdac8eec750d84a7183ac6721  imap4
e75c39fbdac8eec750d84a7183ac6721  imap4s
e75c39fbdac8eec750d84a7183ac6721  imaps
a5311bbc9c1fc378a6b0bfb3ca1b2394  login
60d44a6f43aafcb9ca35858ab2534a49  newusers
344d17a865edc40adebe07797853c839  other
a1c7fb84c2dc309db86ba7b8d3dfae76  passwd
e75c39fbdac8eec750d84a7183ac6721  pop
e75c39fbdac8eec750d84a7183ac6721  pop3
e75c39fbdac8eec750d84a7183ac6721  pop3s
e75c39fbdac8eec750d84a7183ac6721  pops
849aa086002eda305d4d6d59a94fadd8  rexec
ec3d6de902670c90897507f4a098f668  rlogin
7b9d8d0930734500608538c166d0179a  rsh
b6cdc1468e45f92f19873e0c6c5b6e94  samba
839ac3a5c896513a3e3c6353a6242f53  screen
60d44a6f43aafcb9ca35858ab2534a49  shadow
b86ae0c43a704c4ee2abd2ce5c955f8f  sshd
942190363cb06bd4cf1b3acdcca6c513  su
6c08a6d5527a45278ebc165df7f0031d  sudo
1baa646400c4a596290e9d4b9e1c09b2  system-auth
60d44a6f43aafcb9ca35858ab2534a49  useradd
60d44a6f43aafcb9ca35858ab2534a49  userdel
60d44a6f43aafcb9ca35858ab2534a49  usermod
d0cb338160e3be8790524af8071cc4df  xdm
6eb40b28a36f889d0f1919cdbf160ef7  xscreensaver
9cb44182ea92068b22973bcb0afda322  xserver
You can use md5sum -c to check those against yours. None of mine have been modified and are the stock ones from gentoo.
 
Old 09-20-2005, 12:49 PM   #11
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
what is the exact syntax for the md5sum command, I don't seem to be able to get it to work

but, I did a ls -l which shows when the files were last modified, and some (see list) were modified on monday (when I did the update).
Here they are, with content:
cron:
Code:
#%PAM-1.0
account required        pam_unix.so
auth    required        pam_unix.so
session optional        pam_limits.so
imap + all links referring to it:
Code:
# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho $
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
pop + all links referring to it:
Code:
# Provided by mailbase (dont remove this line!)
# Standard pam.d file for mail service packages.
# $Header: /var/cvsroot/gentoo-x86/net-mail/mailbase/files/common-pamd-include,v 1.1 2005/04/29 13:07:50 ticho $
auth       required     pam_nologin.so
auth       include      system-auth
account    include      system-auth
session    include      system-auth
sshd:
Code:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_shells.so
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
xdm:
Code:
#%PAM-1.0
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
session    required     pam_stack.so service=system-auth
session    optional     pam_console.so
xserver:
Code:
#%PAM-1.0
auth       sufficient   pam_rootok.so
# Next line you need console ownership to be able to start X
#auth       required     pam_console.so
auth       required     pam_permit.so
account    required     pam_permit.so
 
Old 09-20-2005, 12:55 PM   #12
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
What's odd is that su isn't changed at all.

To check the md5sums, do:
Code:
$ md5sum -c
paste the md5sum data above here and press CTRL-D
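
A non-interactive form of the `md5sum -c` check described above, as an added example that is not part of the thread. `check_manifest` and `demo_drift` are hypothetical names, the files are constructed in a temporary directory, and the output parsing assumes GNU coreutils wording (`FAILED` and `FAILED open or read`).

```shell
#!/bin/sh
# Added example, not from the thread. File names echo /etc/pam.d; their
# contents and the temporary directories are constructed for the demo.

# check_manifest MANIFEST DIR   (MANIFEST must be an absolute path)
# Prints "<name> modified" or "<name> unreadable" for each problem file and
# returns md5sum's exit status: 0 if everything matched, non-zero otherwise.
check_manifest() {
    manifest=$1 dir=$2 status=0
    # Manifest names are relative, so md5sum -c has to run inside DIR.
    out=$(cd "$dir" && LC_ALL=C md5sum -c "$manifest" 2>/dev/null) || status=$?
    printf '%s\n' "$out" | sed -n \
        -e 's/: FAILED open or read$/ unreadable/p' \
        -e 's/: FAILED$/ modified/p'
    return "$status"
}

# Build a known-good directory, record its manifest, then let a copy drift.
demo_drift() {
    work=$(mktemp -d) || return 1
    mkdir "$work/good" "$work/live"
    printf 'auth required pam_unix.so\n'     > "$work/good/cron"
    printf 'auth sufficient pam_rootok.so\n' > "$work/good/su"
    printf 'auth required pam_env.so\n'      > "$work/good/system-auth"
    (cd "$work/good" && md5sum cron su system-auth) > "$work/pam.md5"
    cp "$work/good/"* "$work/live/"
    printf 'auth required pam_deny.so\n' >> "$work/live/su"   # edited file
    rm "$work/live/cron"                                      # cannot be opened
    rc=0
    check_manifest "$work/pam.md5" "$work/live" || rc=$?
    rm -rf "$work"
    return "$rc"
}

demo_drift || echo "manifest check reported differences"
```

Files that cannot be opened, whether missing or not readable by the invoking user, are reported as unreadable rather than modified.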
 
Old 09-20-2005, 01:41 PM   #13
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
I've managed it. I can now log in as root or do su.
I don't know why, but I never tried actually changing my root password when chrooting into my system from the livecd. I always entered my old root password.
This time I opted for a new one, and guess what, it worked. I'm now back to normal again.

Thank You very much for your time and help, even though we (more or less) were going in the wrong direction...
But I did try out the md5sum -c command as instructed, just to receive a bunch of errors about not having the permission to access the files.
I guess I'll need root privileges

Well thanks again, I'm off for a drink now!
 
Old 09-20-2005, 01:50 PM   #14
Matir
LQ Guru
 
Registered: Nov 2004
Location: San Jose, CA
Distribution: Debian, Arch
Posts: 8,507

Rep: Reputation: 128
No problem. Glad you got it working.

Ah, a drink... 7 months, 4 days, 11 hours, and 12 minutes left.
 
Old 09-20-2005, 07:06 PM   #15
hungrigerhaifisch
Member
 
Registered: Aug 2005
Distribution: Arch Linux
Posts: 91

Rep: Reputation: 15
??????

?????????? what on earth do you mean ???
Answer, as I am having diffuculty with the typing...
 
  

