On Monday 04 May 2009 06:04:16 Valmor de Almeida wrote:
> Alan McKinnon wrote:
> > On Sunday 03 May 2009 04:53:41 Mike Kazantsev wrote:
> >> On Sat, 02 May 2009 20:52:39 -0400
> >>
> >> I don't know about motd, but the rest looks like pam problem to me, if
> >> you're using pam, of course. Try 'euse -i pam' to see if it's enabled.
> >>
> >> If that's the case, first of all I'd suggest to check etc-update.
> >> Then look through /etc/pam.d, especially system-* files. There you can
> >> remove some of the required (for successful authentication) modules,
> >> so their failure won't affect the process.
> >
> > And read the elogs. There's been some pam updates come through on my
> > machines the last few weeks/months.
>
> I re-emerged pam and following this message:
>
> --------------
> LOG: postinst
> Starting from version 20080801, pambase optionally enables
> SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1
> built against sys-libs/glibc-2.7 or later.

I imagine this constraint is satisfied on your machines, otherwise that pam 
would not have been emerged due to blockers in the ebuild

[snip]

> since I find this in /etc/pam.d/system-auth
>
> ------------
> password        required        pam_unix.so try_first_pass use_authtok
> nullok sha512 shadow
> --------------
>
> After these changes (do I need to reboot? I am doing this remotely so I
> will have to wait till I can sit on the console) still can't login or su
> > to 3 of the accounts. Also created a new account and no luck login to
> > it nor using su. Apparently newly created accounts definitely are
> affected. Older accounts still work (???)

You don't need to reboot - pam config is dynamic. Here's a quick go/no-go 
experiment to see if it's the new hashes that are doing it. Find an account 
that can sudo to root on the affected machines and examine the shadow file. 
See what kind of hashes the affected accounts are using. md5 is 34 characters 
long and sha512 is 98 in this format:

$x$<salt>$<hash>
x is 1 for md5 and 6 for sha512. <salt> is 8 characters for both

If the affected account is sha512, run

openssl passwd -1

to generate an md5 hash, and copy paste it back into field 2 of your account 
in shadow. You might want to comment out a copy of the original line just in 
case. See if sudo now works. If so, hashes are the problem. If not, we should 
look further, especially at the pam config for sudo.

Here's mine which works:

auth    include         system-auth
account include         system-auth
password        include         system-auth
session include         system-auth

And you did confirm that sudo checks for wheel group membership, and that you 
are still in this group?

-- 
alan dot mckinnon at gmail dot com
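The go/no-go check above starts with reading the shadow file and telling md5 ($1$) entries apart from sha512 ($6$) ones by eye. The following script is an added example, not code from this thread or from Gentoo; it parses shadow-format lines, names the crypt(3) scheme of each password field, flags locked accounts, and checks that the hash body has the length its scheme should produce (22 characters for md5, 86 for sha512, giving the 34- and 98-character fields quoted above). The sample entries, user names and hash bodies are constructed placeholders, not real digests.

```python
#!/usr/bin/env python3
"""Classify the password hash scheme of /etc/shadow entries (added example)."""
import re
import sys
from typing import Dict, List

# glibc crypt(3) scheme ids and the hash-body length each one produces.
# With an 8-character salt the whole field is 34 chars for md5 and 98 for
# sha512, which are the lengths given in the message above.
SCHEMES = {
    "1": ("md5", 22),
    "5": ("sha256", 43),
    "6": ("sha512", 86),
}

_CRYPT_CHARS = r"[./0-9A-Za-z]"
_HASH_RE = re.compile(
    r"^\$(?P<id>[156])\$"
    r"(?:rounds=(?P<rounds>\d+)\$)?"       # optional, sha256/sha512 only
    rf"(?P<salt>{_CRYPT_CHARS}{{1,16}})\$"
    rf"(?P<hash>{_CRYPT_CHARS}+)$"
)


def classify_hash(field: str) -> Dict[str, object]:
    """Describe the second (password) field of one shadow entry."""
    info: Dict[str, object] = {
        "scheme": None, "locked": False, "length_ok": None,
        "salt_len": 0, "hash_len": 0, "total_len": len(field),
    }
    if field in ("", "*", "!", "!!"):
        # Empty means no password; "*", "!" and "!!" mean no usable hash.
        info["scheme"] = "none" if field == "" else "locked"
        info["locked"] = field != ""
        return info
    body = field
    if body.startswith("!"):
        # passwd -l / usermod -L prefix "!" to a real hash; the hash is kept.
        info["locked"] = True
        body = body.lstrip("!")
    m = _HASH_RE.match(body)
    if not m:
        info["scheme"] = "unknown"         # e.g. classic DES crypt
        return info
    name, expected_len = SCHEMES[m.group("id")]
    info["scheme"] = name
    info["salt_len"] = len(m.group("salt"))
    info["hash_len"] = len(m.group("hash"))
    info["length_ok"] = len(m.group("hash")) == expected_len
    return info


def parse_shadow(text: str) -> Dict[str, Dict[str, object]]:
    """Map user name -> classification for every entry in shadow-format text."""
    result: Dict[str, Dict[str, object]] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue
        result[fields[0]] = classify_hash(fields[1])
    return result


def accounts_using(text: str, scheme: str) -> List[str]:
    """User names whose password field uses the given scheme name."""
    return sorted(u for u, c in parse_shadow(text).items() if c["scheme"] == scheme)


def malformed_entries(text: str) -> List[str]:
    """Users whose hash body length does not match their scheme (damaged field)."""
    return sorted(u for u, c in parse_shadow(text).items() if c["length_ok"] is False)


# Constructed sample file: names, salts and repeated-letter hash bodies are
# placeholders chosen only to have the right shape, not real password hashes.
SAMPLE_SHADOW = "\n".join([
    "root:$1$Xc3hD9pq$" + "r" * 22 + ":14365:0:99999:7:::",
    "alice:$6$aB3dE5fG$" + "a" * 86 + ":14368:0:99999:7:::",
    "bob:!$6$hIjKlMnO$" + "b" * 86 + ":14368:0:99999:7:::",   # locked
    "daemon:*:14365:0:99999:7:::",
    "carol:$6$pQrStUvW$" + "c" * 40 + ":14368:0:99999:7:::",  # truncated body
])


if __name__ == "__main__":
    # With a path argument read that file (needs root for /etc/shadow);
    # otherwise run over the constructed sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_SHADOW
    for user, c in parse_shadow(text).items():
        flag = " LOCKED" if c["locked"] else ""
        bad = " (unexpected hash length)" if c["length_ok"] is False else ""
        print(f"{user:12} {c['scheme']:8} total={c['total_len']:3}{flag}{bad}")
```

Run it as root against the real file (`python3 classify_shadow.py /etc/shadow`) to list which accounts are on sha512 before you try the md5 swap described above; it only reads the file and never writes to it, so the comment-out-a-copy step stays a manual, deliberate edit.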
