LinuxQuestions.org


patrick-slack 08-23-2005 08:12 AM

Root login suddenly dead
 
Hello,

I've been happily running Slack 10 on my laptop for about 9 months now, and beyond a few configuration hiccups I still haven't fixed, it's been working nicely as my day to day computer. I shut down last night, and this morning I started up and logged in as my individual user, as always, without any problems.

Now, since I have returned from school, I have had to su and use the package 'switchto' to change from my school default settings to that of my home network. Problem is, it wouldn't accept my root password. Yes, I have ensured the password is actually being entered correctly.

After rebooting, and trying some different configurations, I still cannot login as root, or su, while my main user account works fine. From a prompt, it says "Login incorrect", and when trying to su from a console within X, "Authentication failure".

Any ideas why this may have changed all of a sudden, and what I can try to fix it? Searching hasn't turned up anything like my situation, and yes, I am very new at this.....thanks in advance!

Rinish 08-23-2005 08:18 AM

Try "login" command from single user mode. That will tell you what exactly your problem is!

Changing your password from single user mode is also a good idea :-)

/ Rinish (rinishriju)

patrick-slack 08-23-2005 08:47 AM

Ok, so I passed the argument "single" to my usual kernel config at boot with lilo, and after waiting a few minutes for my network connection attempts to timeout, it said switching to runlevel 1, which is single user mode.

Then, I am prompted as follows:

(none) login: root
Password:
login(pam_unix)[1593]: authentication failure; logname= uid=0 euid=0 tty=tty1 ruser=rhost= user=root
login[1593]: FAILED LOGIN 1 FROM FOR root, Authentication failure
Login incorrect


Hmmmmmmmm, what now?

sundialsvcs 08-23-2005 09:24 AM

Boot from a CD-ROM. Then start looking around.

patrick-slack 08-23-2005 10:55 AM

I ended up booting off my cd and changing /etc/shadow to reset my root password (and having to learn some vi along the way :cry: ), so all is working for the moment.

But the lingering question is still, why would the root password suddenly change like that? It was something, as it had an encrypted form in the /etc/shadow, but it certainly wasn't anything of my setting. What exactly should I consider looking for?

sundialsvcs 08-23-2005 11:06 AM

Take the machine off the Internet, boot up in the CD-ROM and start checking for the rootkit. :(
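Added example, not part of any post in this thread: one offline check to run against the installed system's account files after booting from the CD. It lists every UID 0 account and, for each shadow entry, the password state and the last-change date from field 3 (days since 1970-01-01, which is only updated by tools such as passwd, not by hand edits). The sample file contents and the account names in them are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed sample data (not from the thread): a second UID 0 account with
# an empty password field, and a root entry with a recent last-change value.
SAMPLE_PASSWD = """\
root:x:0:0::/root:/bin/bash
patrick:x:1000:100::/home/patrick:/bin/bash
toor:x:0:0::/tmp:/bin/sh
"""
SAMPLE_SHADOW = """\
root:$1$CONSTRUCTED$placeholderhashvalue000:13017:0:::::
patrick:$1$CONSTRUCTED$placeholderhashvalue111:12700:0:99999:7:::
toor::13017:0:::::
"""

SCHEMES = {"1": "md5-crypt", "2a": "bcrypt", "5": "sha256-crypt", "6": "sha512-crypt"}

def hash_state(field):
    """Classify the second shadow field without echoing the hash itself."""
    if field == "":
        return "empty"            # no password required at all
    if field[0] in "!*":
        return "locked"
    if field.startswith("$"):
        return SCHEMES.get(field.split("$")[1], "unknown-scheme")
    return "des-crypt or other"

def triage(passwd_text, shadow_text):
    """Return (UID 0 account names, per-account shadow facts)."""
    uid0 = []
    for line in passwd_text.splitlines():
        f = line.split(":")
        if len(f) >= 3 and f[2] == "0":
            uid0.append(f[0])
    report = {}
    for line in shadow_text.splitlines():
        f = line.split(":")
        if len(f) < 3:
            continue
        # Field 3: date of last password change, in days since 1970-01-01.
        changed = date(1970, 1, 1) + timedelta(days=int(f[2])) if f[2].isdigit() else None
        report[f[0]] = {"state": hash_state(f[1]), "changed": changed}
    return uid0, report

if __name__ == "__main__":
    uid0, report = triage(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("UID 0 accounts:", uid0)
    for name in uid0:
        print(name, report.get(name))
```

On a real system, pass in the contents of etc/passwd and etc/shadow read from wherever the installed root partition is mounted, rather than the files of the rescue CD itself.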

Tinkster 08-23-2005 05:25 PM

Did you do any upgrades to your dropline installation
recently? I'm not saying that you haven't been rooted,
it's just that Slack normally doesn't use PAM at all ...


Cheers,
Tink

zborgerd 08-24-2005 08:52 AM

Quote:

Originally posted by Tinkster
Did you do any upgrades to your dropline installation
recently? I'm not saying that you haven't been rooted,
it's just that Slack normally doesn't use PAM at all ...


Cheers,
Tink

Hmm. I'd be a bit concerned about this. Seeing as the standard user passwords work, it appears that PAM's authentication mechanisms are working properly. Seems more likely that someone has either taken over your machine or the password was changed/forgotten.

There wouldn't be any recent Dropline updates because we stopped building for Slackware 10.0 some time ago, but an update can certainly be forced. Have you been keeping up with the Slackware security updates?

patrick-slack 08-24-2005 03:55 PM

Quote:

Originally posted by zborgerd

There wouldn't be any recent Dropline updates because we stopped building for Slackware 10.0 some time ago, but an update can certainly be forced. Have you been keeping up with the Slackware security updates?

I have not updated in a LONG while. This machine is mostly offline, so I haven't been very good about it. I've been going through things now with a rootkit detector, and haven't found anything so far, so I think I shall keep digging. Anything else worth checking for that anyone can think of off the top of their head? Very odd...

zborgerd 08-25-2005 07:03 AM

Quote:

Originally posted by patrick-slack
I have not updated in a LONG while. This machine is mostly offline, so I haven't been very good about it. I've been going through things now with a rootkit detector, and haven't found anything so far, so I think I shall keep digging. Anything else worth checking for that anyone can think of off the top of their head? Very odd...

So you normally keep any services open to the outside? SSH? FTP? HTTP? Anything?


All times are GMT -5.