# [SOLVED] PAM upgrade mess - locked myself out :-)

## Kobboi

My PAM upgrade is totally messed up. First there were the messages about the pam_stack module. But the install continued, so I didn't think it was a real problem. Then I got fed up with those messages and in a moment of weakness deleted everything with PAM in it and reinstalled PAM from scratch. 

When I try to log in through SSH, I get the error

```
Permission denied (publickey,keyboard-interactive).
```

What would be the best way to try and get access again? (Make no assumptions about previous PAM stuff)

The problem about the PAM upgrade is that I hardly know what PAM is and even less how it works. I know what I did was pretty foolish, but try to help me anyway  :Cool:

Last edited by Kobboi on Sun Feb 24, 2008 8:26 pm; edited 1 time in total

----------

## Hu

The most reliable way to resolve this would be to boot a LiveCD, mount the hard disk, and repair the damage that way.  There may be easier ways, depending on your setup.  After you have a shell chroot'd to your hard disk, you can start the installed sshd and run ssh localhost to test if sshd is fixed.  If not, stop sshd, try something else to fix PAM, and repeat until it works.  If you need more help with how to fix PAM once you have root access, post back.

----------

## Kobboi

Yes, I want to solve this remotely, so using a LiveCD is my only option. I chroot into my system, but indeed, my real problem is I don't know what to fix, let alone how to do it.

----------

## sf_alpha

A safe and sure way to fix this:

Boot with a LiveCD.

Mount every partition of your system under /mnt/gentoo (as when doing an installation), including /proc.

Chroot into it.

Remove all files in /etc/pam.d/

emerge -e world

and wait for it all to finish, etc-update as necessary, and reboot.

If you really want to do this without rebooting your system, you need to create a new chroot environment from a stage 3.

```
mkdir /mnt/gentoo
tar -xjvpf PATH_TO_STAGE3.tar.bz2 -C /mnt/gentoo
cp -a /etc/make.conf /mnt/gentoo/etc
cp -a /etc/portage/ /mnt/gentoo/etc/

# edit /mnt/gentoo/etc/make.conf, add buildpkg to FEATURES (FEATURES="buildpkg")

# Then chroot and emerge world from there
mount -o bind /usr/portage /mnt/gentoo/usr/portage
mount -o bind /proc /mnt/gentoo/proc
cp /var/lib/portage/world .
chroot /mnt/gentoo
env-update
. /etc/profile
emerge -eb world

# exit from chroot
exit

# stop as many services as you can ... except boot services
# Including sshd (SAFE: your ssh session will not get disconnected)
# but do not stop networking  :Razz:

# remove /etc/pam.d/*
rm -f /etc/pam.d/*

# emerge everything from the binary packages
emerge -k world

# etc-update as necessary
etc-update

# Restart every service
```

I do not guarantee this will work, but at least it worked for me when upgrading from 2006.0.

----------

## Kobboi

 *sf_alpha wrote:*

> remove all files in /etc/pam.d/
>
> emerge -e world
> ...

This is more or less what I did when encountering the PAM issues: emerge --unmerge pam, remove all files in /etc/pam.d and emerge -1 pam. And after that, I couldn't log in anymore  :Smile:  But I'll see what I can do, thanks for your response!

----------

## Kobboi

I did an "emerge -e pam openssh", but  keep getting the same error, even without a login attempt. Help   :Sad: 

----------

## sf_alpha

Actually, you cannot log in when you do not have files in /etc/pam.d

Emerging only pam is useless because pam does not provide all the necessary files inside /etc/pam.d, and you need to make sure that all packages are linked against the new pam library. That's why I suggested that you do emerge -e world after deleting any files in /etc/pam.d

I am not sure you have the same problem as mine. You should post your error messages.

----------

## Kobboi

The only error message I can get from a running screenless system is of course the one I mentioned in the opening post. After the re-emerge of pam and openssh, the files in the /etc/pam.d directory seem to be restored. I was kind of hoping that someone would be able to tell me which settings in which files are needed for remote SSH login to work/be allowed. Yes, sshd is started  :Cool: 

----------

## Kobboi

Solved. The problem was /etc/ssh/sshd_config had "UsePAM no". I changed it to "UsePAM yes" and I can log in again. I'm a bit disappointed that I still don't know what PAM is exactly and what it does, but I guess I'll learn eventually.

----------
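A pre-flight check for the misconfiguration this thread ended on, as an added example that is not part of any post: it reads `UsePAM` and `PasswordAuthentication` from sshd_config and, when PAM is in use, checks that `/etc/pam.d/sshd` exists with `auth` and `account` rules. The `make_fixture` helper and the file contents it writes are constructed sample input; the script assumes keyboard-interactive authentication is backed only by PAM and does not follow `Include` directives.

```shell
#!/bin/sh
# Added example: lockout pre-flight for sshd + PAM. Run it against the mounted
# system (e.g. /mnt/gentoo) or with "/" for the running one before restarting sshd.

# Print the first value of an sshd_config keyword (sshd uses the first match;
# keywords are case-insensitive). Commented-out lines never match.
sshd_opt() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print tolower($2); exit }' "$1"
}

# Return 0 if logins should work, 1 on a likely lockout, 2 if unreadable.
check_sshd_pam() {
    root=${1%/}
    cfg="$root/etc/ssh/sshd_config"
    pamfile="$root/etc/pam.d/sshd"
    [ -r "$cfg" ] || { echo "FAIL: cannot read $cfg"; return 2; }
    usepam=$(sshd_opt "$cfg" UsePAM)
    pwauth=$(sshd_opt "$cfg" PasswordAuthentication)
    usepam=${usepam:-no}    # OpenSSH default when the keyword is absent
    pwauth=${pwauth:-yes}   # OpenSSH default when the keyword is absent
    if [ "$usepam" = yes ]; then
        [ -s "$pamfile" ] || { echo "FAIL: UsePAM yes but $pamfile is missing or empty"; return 1; }
        for t in auth account; do
            grep -Eq "^[[:space:]]*-?$t[[:space:]]" "$pamfile" ||
                { echo "FAIL: $pamfile has no '$t' rule"; return 1; }
        done
        echo "OK: UsePAM yes, $pamfile has auth and account rules"
    elif [ "$pwauth" = yes ]; then
        echo "OK: UsePAM no, sshd verifies passwords itself (PAM rules are skipped)"
    else
        # Assumption: keyboard-interactive has no backend other than PAM here.
        echo "FAIL: UsePAM no and PasswordAuthentication no: password logins are refused"
        return 1
    fi
}

# Constructed sample tree for trying the check: make_fixture DIR USEPAM PWAUTH [pam]
make_fixture() {
    mkdir -p "$1/etc/ssh" "$1/etc/pam.d"
    printf '#UsePAM yes\nUsePAM %s\nPasswordAuthentication %s\n' "$2" "$3" \
        > "$1/etc/ssh/sshd_config"
    rm -f "$1/etc/pam.d/sshd"
    if [ "${4:-}" = pam ]; then
        printf 'auth include system-auth\naccount include system-auth\n' \
            > "$1/etc/pam.d/sshd"
    fi
}

if [ $# -gt 0 ]; then check_sshd_pam "$1"; fi
```

Exit status 1 marks a configuration worth fixing before the current root session is closed; public key logins are not evaluated by this check.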

## UberLord

PAM is a generic means of authenticating users, and applying limits to their processes.

So if you have your users in LDAP or a SQL server then you supply a PAM module configured for this. Applications then just use PAM to authenticate so they don't directly have to know about LDAP or SQL.

----------

