# Broken after upgrading to sys-libs/pam-0.99.10.0

## candrews

When sys-libs/pam-0.99.10.0 hit ~amd64, my system upgraded. Ever since, mod_authn_pam for apache and jabberd2 won't authenticate anyone against pam. I get errors like

```
user candrews: authentication failure for "/xyz": Password Mismatch
```

in my apache log, and in /var/log/messages, I get errors like

```
Mar 27 20:50:37 irrational c2s: pam_unix(jabberd:auth): authentication failure; logname= uid=126 euid=126 tty= ruser= rhost=  user=candrews
```

I also use courier-imap authenticating against pam on this system, and it works fine. I'm sure a bunch of people will be affected with other packages when this goes stable... so could someone help figure this out with me?

I filed a bug at https://bugs.gentoo.org/show_bug.cgi?id=213763 too.

----------

## jand99

 *candrews wrote:*   

> When sys-libs/pam-0.99.10.0 hit ~amd64, my system upgraded. Ever since, mod_authn_pam for apache and jabberd2 won't authenticate anyone against pam. I get errors like
> 
> ```
> user candrews: authentication failure for "/xyz": Password Mismatch
> ```
> ...

 

Confirmed: Gentoo PAM is broken now (2.6.22-gentoo-r6 #1  libpam.so.0.81.10).

Try this PAM check_user program after making /etc/shadow readable for the user it executes as (make it -r afterwards).

The strange thing is that with Gentoo, only root or the user itself is allowed to check the password of a user.

With Ubuntu, any user can run this program to check a(nother) user's password (again with proper permission on /etc/shadow).

No idea if it's in libpam or somewhere else...

It would be nice if someone could verify my statement that it's Gentoo and not our sysadmin that is to blame.

http://pecl.php.net/package/PAM php pecl-pam is now broken too.

```
/*
 * check_user.c  -  This program original from:  Shane Watts [modifications by AGM] [mod JD]
 *
 * compile with: gcc check_user.c -lpam -lpam_misc
 *
 * pre: You need to have proper config in /etc/pam.d/login
 */
#include <security/pam_appl.h>
#include <security/pam_misc.h>
#include <stdio.h>
#include <stdlib.h>    /* exit() */

/* Use the stock text-mode conversation function from libpam_misc. */
static struct pam_conv conv = {
    misc_conv,
    NULL
};

int main(int argc, char *argv[])
{
    pam_handle_t *pamh = NULL;
    int retval;
    const char *user = "root";

    if (argc != 2) {
        fprintf(stderr, "Usage: check_user [username]\n");
        exit(1);
    }
    user = argv[1];

    /* Authenticate against the "login" service (/etc/pam.d/login). */
    retval = pam_start("login", user, &conv, &pamh);

    if (retval == PAM_SUCCESS)
        retval = pam_authenticate(pamh, 0);    /* is user really user? */

    if (retval == PAM_SUCCESS)
        retval = pam_acct_mgmt(pamh, 0);       /* permitted access? */

    /* This is where we have been authorized or not. */
    if (retval == PAM_SUCCESS) {
        fprintf(stdout, "Authenticated\n");
        fprintf(stdout, "pam: %s\n", pam_strerror(pamh, retval));
    } else {
        fprintf(stdout, "Not Authenticated\n");
        fprintf(stdout, "pam: %s\n", pam_strerror(pamh, retval));
    }

    if (pam_end(pamh, retval) != PAM_SUCCESS) {     /* close Linux-PAM */
        pamh = NULL;
        fprintf(stderr, "check_user: failed to release authenticator\n");
        exit(1);
    }

    return (retval == PAM_SUCCESS ? 0 : 1);       /* indicate success */
}
```
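To check from the logs whether a failure fits the pattern reported in this post (the caller is neither root nor the user being checked), the `uid=` and `user=` fields of the pam_unix line can be compared. This is an added example, not part of the original post; the function names, the constructed sample line and the uid 1000 assumed for the target account are illustrative.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
enum caller_kind { CALLER_UNPARSED = -1, CALLER_ROOT, CALLER_SELF, CALLER_OTHER };
/* Constructed sample in the format of the pam_unix line quoted in the thread. */
static const char SAMPLE[] =
    "Mar 27 20:50:37 host c2s: pam_unix(jabberd:auth): authentication failure; "
    "logname= uid=126 euid=126 tty= ruser= rhost=  user=candrews";

/* Copy the value after key; keys carry a leading space so " uid=" skips "euid=". */
static int field(const char *line, const char *key, char *out, size_t outlen)
{
    const char *p = strstr(line, key);
    if (p == NULL) return -1;
    p += strlen(key);
    size_t n = strcspn(p, " ;\n");
    if (n == 0 || n >= outlen) return -1;   /* missing, empty or too long */
    memcpy(out, p, n);
    out[n] = '\0';
    return 0;
}

/* Account whose password was being checked; returns 0 on success. */
int failure_user(const char *line, char *out, size_t outlen)
{
    if (strstr(line, "pam_unix(") == NULL) return -1;
    return field(line, " user=", out, outlen);
}

/* Compare the caller's logged real uid with the target account's uid. */
enum caller_kind classify(const char *line, long target_uid)
{
    char buf[32], *end;
    if (strstr(line, "pam_unix(") == NULL || field(line, " uid=", buf, sizeof buf))
        return CALLER_UNPARSED;
    long uid = strtol(buf, &end, 10);
    if (*end != '\0') return CALLER_UNPARSED;
    if (uid == 0) return CALLER_ROOT;
    return uid == target_uid ? CALLER_SELF : CALLER_OTHER;
}

int main(void)
{
    static const char *names[] = { "root", "the target user", "another account" };
    char user[64];
    enum caller_kind k = classify(SAMPLE, 1000);   /* 1000: assumed uid of the target */
    if (k == CALLER_UNPARSED || failure_user(SAMPLE, user, sizeof user) != 0) return 1;
    printf("%s: checked by %s\n", user, names[k]);
    return 0;
}
```

On a real host, resolve the target uid with `getpwnam()` on the name returned by `failure_user()` instead of passing a fixed value.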

----------

## candrews

I just compiled and tried to use your check_user program. When I run it as root, it works. When I run it as someone who has permissions to read the /etc/shadow file (and I explicitly checked by cat'ing the file as that user before I ran check_user), check_user always reports authentication failure. It seems that PAM is really broken.

What do we do now?

----------

## jand99

 *candrews wrote:*   

> I just compiled and tried to use your check_user program. When I run it as root, it works. When I run it as someone who has permissions to read the /etc/shadow file (and I explicitly checked by cat'ing the file as that user before I ran check_user), check_user always reports authentication failure. It seems that PAM is really broken.
> 
> What do we do now?

 

The workaround is running pam stuff as root for now. Or switch to another distro.

Pam is not broken. The Gentoo version of Pam is broken. I have no idea how new Gentoo releases are created and tested.

Maybe you can add the bug again in Bugzilla because https://bugs.gentoo.org/show_bug.cgi?id=213763 has the 'SOLVED' status and I don't think this one is solved.

----------

## candrews

This one actually is solved - Diego bumped to PAM 1.0, and that solved this problem.

----------

## zaanpenguin

The problem is still not solved:

```
user@somehost ~ $ passwd

Changing password for user.

(current) UNIX password: 

New UNIX password: 

Retype new UNIX password: 

passwd: Authentication failure

user@somehost ~ $
```

Hello jand ;)

----------

## blue_american

Hi,

I'm having problems with this too.

I try to log in with root and the system doesn't ask for the password and immediately throws "Login incorrect".

Does anyone know how to solve this, or stable versions of PAM, or whatever is causing this?

Thanks in advance,

Rui

----------

## zaanpenguin

pam-1.0.0-r1 solves the user trying to change his/her password problem.

----------

## blue_american

EDIT:

Solved by emerging pambase

---

I'm currently with that one :/

I bumped into this when I was trying to install the cups package. It tried to create a group, resulting in an auth failure...

More ideas?

----------

