Re: [gentoo-user] unable to login to user account or do su - username

2009-05-04 Thread Alan McKinnon
On Monday 04 May 2009 06:04:16 Valmor de Almeida wrote:
 Alan McKinnon wrote:
  On Sunday 03 May 2009 04:53:41 Mike Kazantsev wrote:
  On Sat, 02 May 2009 20:52:39 -0400
 
  I don't know about motd, but the rest looks like pam problem to me, if
  you're using pam, of course. Try 'euse -i pam' to see if it's enabled.
 
  If that's the case, first of all I'd suggest to check etc-update.
  Then look through /etc/pam.d, especially system-* files. There you can
  remove some of the required (for successful authentication) modules,
  so their failure won't affect the process.
 
  And read the elogs. There's been some pam updates come through on my
  machines the last few weeks/months.

 I re-emerged pam and following this message:

 --
 LOG: postinst
 Starting from version 20080801, pambase optionally enables
 SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1
 built against sys-libs/glibc-2.7 or later.

I imagine this constraint is satisfied on your machines, otherwise that pam 
would not have been emerged due to blockers in the ebuild

[snip]

 since I find this in /etc/pam.d/system-auth

 
 password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow
 --

 After these changes (do I need to reboot? I am doing this remotely so I
 will have to wait till I can sit on the console) still can't login or su
 to 3 of the accounts. Also created a new account and no luck logging in to
 it nor using su. Apparently newly created accounts definitely are
 affected. Older accounts still work (???)

You don't need to reboot - pam config is dynamic. Here's a quick go/no-go 
experiment to see if it's the new hashes that are doing it. Find an account 
that can sudo to root on the affected machines and examine the shadow file. 
See what kind of hashes the affected accounts are using. md5 is 34 characters 
long and sha512 is 98 in this format:

$x$salt$hash
x is 1 for md5 and 6 for sha512. salt is 8 characters for both

If the affected account is sha512, run

openssl passwd -1

to generate an md5 hash, and copy paste it back into field 2 of your account 
in shadow. You might want to comment out a copy of the original line just in 
case. See if sudo now works. If so, hashes are the problem. If not, we should 
look further, especially at the pam config for sudo.

Here's mine which works:

auth     include system-auth
account  include system-auth
password include system-auth
session  include system-auth

And you did confirm that sudo checks for wheel group membership, and that you 
are still in this group?

-- 
alan dot mckinnon at gmail dot com
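Alan's go/no-go check in script form, as an added example that is not part of the thread: it classifies each /etc/shadow entry by hash type and field length (34 for `$1$`, 98 for `$6$`), pulls out the salt, counts entries of a given type, and wraps the `openssl passwd -1` step so the password goes over stdin rather than the command line. The shadow lines in the demo are constructed, not real hashes. One caveat to the 8-character rule: MD5-crypt salts are at most 8 characters, but glibc's sha-crypt accepts up to 16 (and `openssl passwd -6` generates 16), and an entry may carry a `rounds=N$` prefix, so treat the length as a rough check rather than a hard rule.

```shell
#!/bin/sh
# Added example, not from the thread: classify the password field of
# /etc/shadow entries the way Alan suggests doing by eye, and generate a
# replacement MD5-crypt hash for the swap experiment.  The shadow lines
# used by the demo at the bottom are constructed, not real hashes.

# classify_shadow_line LINE -> "<user> <type> <fieldlength>"
classify_shadow_line() {
    line=$1
    user=${line%%:*}
    rest=${line#*:}
    field=${rest%%:*}
    case $field in
        '')        type=empty ;;    # passwordless; only pam_unix nullok lets this log in
        '!'*|'*'*) type=locked ;;
        '$1$'*)    type=md5 ;;
        '$5$'*)    type=sha256 ;;
        '$6$'*)    type=sha512 ;;
        '$'*)      type=other ;;    # e.g. $2b$ bcrypt or $y$ yescrypt from libxcrypt
        *)         type=des ;;      # 13-char traditional crypt(3)
    esac
    printf '%s %s %s\n' "$user" "$type" "${#field}"
}

# shadow_salt FIELD -> the salt portion of a "$id$salt$hash" field
# (handles the optional "rounds=N$" prefix that sha-crypt allows)
shadow_salt() {
    field=$1
    case $field in
        '$'*) ;;
        *) printf '%.2s\n' "$field"; return 0 ;;   # DES: salt is the first two chars
    esac
    rest=${field#\$*\$}                            # drop "$id$"
    case $rest in
        rounds=*) rest=${rest#*\$} ;;
    esac
    printf '%s\n' "${rest%%\$*}"
}

# shadow_count_type FILE TYPE -> number of entries with that hash type
shadow_count_type() {
    file=$1 want=$2 n=0
    while IFS= read -r line; do
        t=$(classify_shadow_line "$line" | cut -d' ' -f2)
        [ "$t" = "$want" ] && n=$((n + 1))
    done < "$file"
    printf '%s\n' "$n"
}

# make_md5_hash PASSWORD [SALT] -> "$1$salt$hash"; this is the thread's
# "openssl passwd -1" step, with the password fed over stdin (-stdin) so it
# never appears in another process's argv.
make_md5_hash() {
    if [ -n "${2:-}" ]; then
        printf '%s\n' "$1" | openssl passwd -1 -salt "$2" -stdin
    else
        printf '%s\n' "$1" | openssl passwd -1 -stdin
    fi
}

# Demo on constructed data (runs stand-alone).
demo_shadow=$(mktemp)
sha512_tail=$(printf '%86s' '' | tr ' ' 'x')   # stand-in for an 86-char sha512 hash body
printf '%s\n' \
    'alice:$1$abcdefgh$0123456789abcdefghijkl:14000:0:99999:7:::' \
    "bob:\$6\$abcdefgh\$$sha512_tail:14000:0:99999:7:::" \
    'root:!:14000:0:99999:7:::' \
    'guest::14000:0:99999:7:::' > "$demo_shadow"
while IFS= read -r l; do classify_shadow_line "$l"; done < "$demo_shadow"
printf 'sha512 entries: %s\n' "$(shadow_count_type "$demo_shadow" sha512)"
rm -f "$demo_shadow"
```

To run it against the real file: `while IFS= read -r l; do classify_shadow_line "$l"; done < /etc/shadow` as root. If you do paste a `make_md5_hash` result into field 2 for the experiment, edit with `vipw -s` so the shadow lock is held, and keep the original line around (commented copy or a backup) so you can put it back.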



[SOLVED] Re: [gentoo-user] unable to login to user account or do su - username

2009-05-04 Thread Valmor de Almeida

Alan McKinnon wrote:

experiment to see if it's the new hashes that are doing it. Find an account 
that can sudo to root on the affected machines and examine the shadow file. 
See what kind of hashes the affected accounts are using. md5 is 34 characters 
long and sha512 is 98 in this format:


$x$salt$hash
x is 1 for md5 and 6 for sha512. salt is 8 characters for both


Thanks for spending time with this. After looking at the shadow file, I 
have accounts with both md5 and sha512. In particular affected accounts 
that have md5 and sha512.


I looked closely at the .bashrc (used echo "made to here" marks to 
follow the login sequence) of the bad accounts and they were all 
sourcing a script from a third-party package that went bad after the OS 
update. Luckily this was not in all accounts and especially not in the 
root account. Otherwise I would have been locked outside the machine. 
After getting rid of that line in the users' .bashrc all returned to normal.


One more thing to do was to uncomment the line

PrintMotd no
PrintLastLog no

in /etc/sshd_config  to avoid the double motd/last log messages upon 
login. I guess after the portage update, pam is now printing that.




Here's mine which works:

auth     include system-auth
account  include system-auth
password include system-auth
session  include system-auth

And you did confirm that sudo checks for wheel group membership, and that you 
are still in this group?




This is exactly like mine.

Thanks for all the help.

--
Valmor
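The check that would have found this straight away, as an added example that is not part of the thread: Florian's guess was an `exit` in .bashrc, and what Valmor found was a vendor script sourced from .bashrc that ended the shell (the `su` log shows the session opened and closed within the same second). The script below sources an rc file in a throwaway bash and reports whether control comes back, and prints the `bash -x` trace of the last commands before the shell died, which is the automated version of the "made to here" echo marks. The rc files and the "third-party" script are constructed under a temporary directory; the vendor script simulates the failure with `exit 1`, which, when sourced, terminates the calling shell.

```shell
#!/bin/sh
# Added example, not from the thread: check whether a shell startup file
# hands control back or ends the shell, without logging in as the
# affected user.  The rc files and the "third-party" script below are
# constructed under a temporary directory.

# make_fixture DIR: build a stand-in vendor script that calls exit, a
# .bashrc that sources it, and a .bashrc without that line.
make_fixture() {
    dir=$1
    mkdir -p "$dir/opt/thirdparty"
    printf '%s\n' \
        '# constructed stand-in for the vendor environment script' \
        'echo "thirdparty: setting up environment"' \
        'exit 1' > "$dir/opt/thirdparty/env.sh"
    printf '%s\n' \
        '# constructed ~/.bashrc that sources the vendor script' \
        "PATH=\$PATH:$dir/opt/thirdparty" \
        ". \"$dir/opt/thirdparty/env.sh\"" \
        'echo "bashrc: done"' > "$dir/bashrc.bad"
    printf '%s\n' \
        '# constructed ~/.bashrc without the vendor line' \
        "PATH=\$PATH:$dir/opt/thirdparty" \
        'echo "bashrc: done"' > "$dir/bashrc.good"
}

# rc_returns RCFILE -> "ok" if sourcing the file returns control,
# "exits N" if it terminates the shell with status N.
rc_returns() {
    if out=$(bash -c '. "$1"; echo RC_REACHED_END' rc_check "$1" 2>/dev/null); then
        status=0
    else
        status=$?
    fi
    case $out in
        *RC_REACHED_END*) echo ok ;;
        *) echo "exits $status" ;;
    esac
}

# rc_trace RCFILE: show the last few commands bash ran before the shell
# went away (bash -x), so you can see which sourced file did it.
rc_trace() {
    bash -x -c '. "$1"' rc_check "$1" 2>&1 | tail -n 6
}

# Demo (runs stand-alone): the bad rc exits, the good rc returns.
demo_dir=$(mktemp -d)
make_fixture "$demo_dir"
printf 'bashrc.bad : %s\n' "$(rc_returns "$demo_dir/bashrc.bad")"
printf 'bashrc.good: %s\n' "$(rc_returns "$demo_dir/bashrc.good")"
echo '--- trace of the bad one ---'
rc_trace "$demo_dir/bashrc.bad"
rm -rf "$demo_dir"
```

Two caveats. `rc_returns` uses a non-interactive bash, so an rc file that starts with the usual `[ -z "$PS1" ] && return` guard will return early and hide anything after it; for those, run the same check under an interactive shell (`bash --rcfile FILE -i -c 'echo REACHED'` should do it). And `su - user` runs a login shell, which reads the profile files first; `su - user -c 'echo REACHED'` as root tests that whole chain for a real account, and a missing REACHED with a "session opened"/"session closed" pair in the log points at the startup files rather than at pam.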



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-03 Thread Florian Philipp
Valmor de Almeida schrieb:
 
 Hello,
 
 After a system/world update my user account dealmeida cannot be logged
 to or root cannot su to it. When su - dealmeida is issued at the root
 command prompt, it immediately returns to root. When login is at the
 console the motd appears (twice; why?) and then the session is closed.
 In the /var/log/messages I get
 
 May  2 20:42:35 xeon0 su[29286]: Successful su for dealmeida by root
 May  2 20:42:35 xeon0 su[29286]: + pts/1 root:dealmeida
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session opened
 for user dealmeida by root(uid=0)
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session closed
 for user dealmeida
 
 No other account has this problem.
 
 Any ideas?
 
 Thanks,
 
 -- 
 Valmor
 

 A low hanging fruit: Maybe the user wrote 'exit' or 'exec' into her .bashrc

By the way: Which shell is defined in /etc/passwd?





Re: [gentoo-user] unable to login to user account or do su - username

2009-05-03 Thread Alan McKinnon
On Sunday 03 May 2009 04:53:41 Mike Kazantsev wrote:
 On Sat, 02 May 2009 20:52:39 -0400

 I don't know about motd, but the rest looks like pam problem to me, if
 you're using pam, of course. Try 'euse -i pam' to see if it's enabled.

 If that's the case, first of all I'd suggest to check etc-update.
 Then look through /etc/pam.d, especially system-* files. There you can
  remove some of the required (for successful authentication) modules,
 so their failure won't affect the process.

And read the elogs. There's been some pam updates come through on my machines 
the last few weeks/months.

-- 
alan dot mckinnon at gmail dot com



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-03 Thread Valmor de Almeida

Florian Philipp wrote:



 A low hanging fruit: Maybe the user wrote 'exit' or 'exec' into her .bashrc

By the way: Which shell is defined in /etc/passwd?



.bashrc is fine. The shell is /bin/bash

Thanks,

--
Valmor



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-03 Thread Valmor de Almeida

Mike Kazantsev wrote:


I don't know about motd, but the rest looks like pam problem to me, if
you're using pam, of course. Try 'euse -i pam' to see if it's enabled.

If that's the case, first of all I'd suggest to check etc-update.
Then look through /etc/pam.d, especially system-* files. There you can
remove some of the required (for successful authentication) modules,
so their failure won't affect the process.



Yeah. It is my feeling too that pam may be a problem. I've been 
comparing the system files against my other gentoo machine and they are 
just the same. However the fact that motd appears twice even when I 
login as root continues to puzzle me. I've checked all user accounts and 
only 3 out of 37 accounts have the login/su problem. I will create some 
new accounts and see what happens.


Thanks,

--
Valmor



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-03 Thread Valmor de Almeida

Alan McKinnon wrote:

On Sunday 03 May 2009 04:53:41 Mike Kazantsev wrote:

On Sat, 02 May 2009 20:52:39 -0400



I don't know about motd, but the rest looks like pam problem to me, if
you're using pam, of course. Try 'euse -i pam' to see if it's enabled.

If that's the case, first of all I'd suggest to check etc-update.
Then look through /etc/pam.d, especially system-* files. There you can
remove some of the required (for successfull authentication) modules,
so their failure won't affect the process.


And read the elogs. There's been some pam updates come through on my machines 
the last few weeks/months.




I re-emerged pam and following this message:

--
LOG: postinst
Starting from version 20080801, pambase optionally enables
SHA512-hashed passwords. For this to work, you need sys-libs/pam-1.0.1
built against sys-libs/glibc-2.7 or later.
If you don't have support for this, it will automatically fallback
to MD5-hashed passwords, just like before.

Please note that the change only affects the newly-changed passwords
and that SHA512-hashed passwords will not work on earlier versions
of glibc or Linux-PAM.
--

I edited /etc/login.defs


# This variable is deprecated. You should use ENCRYPT_METHOD.
#
#MD5_CRYPT_ENAB yes

# Note: If you use PAM, it is recommended to use a value consistent with
# the PAM modules configuration.
#
#ENCRYPT_METHOD DES
ENCRYPT_METHOD SHA512
---

since I find this in /etc/pam.d/system-auth


password required pam_unix.so try_first_pass use_authtok nullok sha512 shadow

--

After these changes (do I need to reboot? I am doing this remotely so I 
will have to wait till I can sit on the console) still can't login or su 
to 3 of the accounts. Also created a new account and no luck logging in to 
it nor using su. Apparently newly created accounts definitely are 
affected. Older accounts still work (???)


I have used a debug option on the pam modules but didn't manage to get 
additional info in the /var/log/message file.


Thanks for any suggestions.

--
Valmor



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-02 Thread Paul Hartman
On Sat, May 2, 2009 at 7:52 PM, Valmor de Almeida val.gen...@gmail.com wrote:

 Hello,

 After a system/world update my user account dealmeida cannot be logged to or
 root cannot su to it. When su - dealmeida is issued at the root command
 prompt, it immediately returns to root. When login is at the console the
 motd appears (twice; why?) and then the session is closed. In the
 /var/log/messages I get

 May  2 20:42:35 xeon0 su[29286]: Successful su for dealmeida by root
 May  2 20:42:35 xeon0 su[29286]: + pts/1 root:dealmeida
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session opened for
 user dealmeida by root(uid=0)
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session closed for
 user dealmeida

 No other account has this problem.

 Any ideas?

 Thanks,

Is the user's shell set properly?



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-02 Thread Valmor de Almeida

Paul Hartman wrote:

On Sat, May 2, 2009 at 7:52 PM, Valmor de Almeida val.gen...@gmail.com wrote:

Hello,

After a system/world update my user account dealmeida cannot be logged to or
root cannot su to it. When su - dealmeida is issued at the root command
prompt, it immediately returns to root. When login is at the console the
motd appears (twice; why?) and then the session is closed. In the
/var/log/messages I get

May  2 20:42:35 xeon0 su[29286]: Successful su for dealmeida by root
May  2 20:42:35 xeon0 su[29286]: + pts/1 root:dealmeida
May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session opened for
user dealmeida by root(uid=0)
May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session closed for
user dealmeida

No other account has this problem.

Any ideas?

Thanks,


Is the user's shell set properly?



I made no changes in the account and looked over the . startup files; 
they look okay. Also, the output of password -S dealmeida are fine. 
Still puzzled why motd appears twice even at root login.


Thanks

--
Valmor



Re: [gentoo-user] unable to login to user account or do su - username

2009-05-02 Thread Mike Kazantsev
On Sat, 02 May 2009 20:52:39 -0400
Valmor de Almeida val.gen...@gmail.com wrote:

 After a system/world update my user account dealmeida cannot be logged 
 to or root cannot su to it. When su - dealmeida is issued at the root 
 command prompt, it immediately returns to root. When login is at the 
 console the motd appears (twice; why?) and then the session is closed. 
 In the /var/log/messages I get
 
 May  2 20:42:35 xeon0 su[29286]: Successful su for dealmeida by root
 May  2 20:42:35 xeon0 su[29286]: + pts/1 root:dealmeida
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session opened 
 for user dealmeida by root(uid=0)
 May  2 20:42:35 xeon0 su[29286]: pam_unix(su:session): session closed 
 for user dealmeida
 
 No other account has this problem.
 
 Any ideas?

I don't know about motd, but the rest looks like pam problem to me, if
you're using pam, of course. Try 'euse -i pam' to see if it's enabled.

If that's the case, first of all I'd suggest to check etc-update.
Then look through /etc/pam.d, especially system-* files. There you can
remove some of the required (for successful authentication) modules,
so their failure won't affect the process.

-- 
Mike Kazantsev // fraggod.net

