# Authentication failure on tty after update

## moinmoin

Hello Everyone,

I am new here and not a native speaker, so please be patient... Although this is a relatively fresh install, I posted this here, because of the `security` issue

After some years with GNU/Linux - mostly Ubuntu - I now wanted to check out gentoo. Installed it via a stage3 tarball as mentioned in the handbook. Everything worked fine. Yesterday (sic), I did an update with

```
emerge --sync
```

and then

```
emerge -uDNav world
```

After this I was instructed that some config files needed updating. I searched in the doc and found the `dispatch-conf` tool from the gentoolkit bundle. I ran that and was prompted for thirty-odd config files. Since I did no real custom configuration on my system yet (apart from the ones mentioned in the handbook, e.g. make.conf, for gnome compatibility), I thought that all the suggested new config files would play along well. This is why I used the new versions for all of these config files.

Today I wanted to emerge gnome finally, but as mentioned in the title, I can not login as root or other user on the system. I always get `Authentication failure`.

I booted the liveCD and had a look at my dmesg output:

```
Authentication failure

pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root

FAILED LOGIN (1) on '/dev/tty1' FOR 'root', Authentication failure
```

This has to be related to some of the config files, I presume.

Any hints on this?

Thanks in advance

----------

## moinmoin

I think I tracked down the responsible config file, namely /etc/pam.d/system-auth

```
auth required pam_env.so

auth required pam_unix.so try_first_pass likeauth nullok

auth optional pam_permit.so

account required pam_unix.so

account optional pam_permit.so

password required pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

password required pam_unix.so try_first_pass use_authok nullok sha512 shadow

password optional pam_permit.so

session required pam_limits.so

session required pam_env.so

session required pam_unix.so

session optional pam_permit.s
```

So as I understand it, the problem lies with 

```
auth required pam_unix.so try_first_pass likeauth nullok
```

After consulting doc, I found none of the above options to pam_unix.so suspicious

I found no other debug option to get down to the problem...

Any hints?

----------

## anesed

Greetings, I understand that this is an old topic but I'm facing the exact same problem (updated, now can't login by any means), has anyone found a solution? this really upsets me when I think of how long it took me to install the system and the desktop environment...

----------

## John R. Graham

Fear not. You can boot up with any old install CD, mount your partitions, and chroot in to troubleshoot. Do you need specific instructions?

- John

----------

## anesed

Greetings, I followed the instructions on the Handbook in order to chroot into my Gentoo partition, tried passwd but it didn't work (password changed but the error persisted), so I took a look at the logs and this is what I found in the last 20 lines of /var/log/everything/current:

```
Dec 11 23:14:50 [login] Authentication failure

Dec 11 23:14:53 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=root

Dec 11 23:14:56 [login] FAILED LOGIN (1) on '/dev/tty2' FOR 'root', Authentication failure

Dec 11 23:15:01 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=myuser

Dec 11 23:15:03 [login] FAILED LOGIN (2) on '/dev/tty2' FOR 'myuser', Authentication failure

Dec 11 23:15:07 [login] pam_tally2(login:auth): pam_get_uid; no such user

Dec 11 23:15:18 [login] Authentication failure

                - Last output repeated twice -

Dec 11 23:15:30 [login] pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty2 ruser= rhost=  user=myuser

Dec 11 23:15:33 [login] FAILED LOGIN (1) on '/dev/tty2' FOR 'myuser', Authentication failure

Dec 11 23:15:40 [gdm] pam_unix(gdm:auth): authentication failure; logname= uid=0 euid=0 tty=:0 ruser= rhost=  user=myuser

Dec 11 23:15:43 [gdm] WARNING: Couldn't authenticate user_

Dec 11 23:15:52 [gdm] WARNING: Couldn't set acct. mgmt for myuserr_

                - Last output repeated twice -

Dec 11 23:16:17 [gdm] WARNING: Couldn't set acct. mgmt for root_

Dec 11 23:16:23 [shutdown] shutting down for system halt

Dec 11 23:16:24 [init] Switching to runlevel: 0

Dec 11 23:16:25 [dhcpcd] received SIGTERM, stopping

Dec 11 23:16:25 [dhcpcd] eth1: removing interface

Dec 11 23:16:25 [dhcpcd] eth1: eth1: MTU restored to 1500
```

I changed the name of my user to "myuser", I also tried inputting incorrect usernames and passwords and obtained the usual errors so, according to this log, the error seems to be caused by pam, any clues on how to fix this? this is likely a config error, but the config file doesn't seem suspicious.

Cheers.

----------

## Hu

Please post the output of emerge --info sys-libs/pam ; cat -n /etc/pam.d/{login,system-local-login,system-login,system-auth}.

----------

## anesed

 *Hu wrote:*   

> Please post the output of emerge --info sys-libs/pam ; cat -n /etc/pam.d/{login,system-local-login,system-login,system-auth}.

 

      This is the output I got:

```
Portage 2.1.10.11 (default/linux/x86/10.0/desktop/gnome, gcc-4.5.3, glibc-2.12.2-r0, 2.6.38-11-generic i686)

=================================================================

                        System Settings

=================================================================

System uname: Linux-2.6.38-11-generic-i686-Intel-R-_Pentium-R-_Dual_CPU_T3400_@_2.16GHz-with-gentoo-2.0.3

Timestamp of tree: Tue, 08 Nov 2011 13:15:01 +0000

app-shells/bash:          4.1_p9

dev-lang/python:          2.7.2-r3, 3.1.4-r3

dev-util/cmake:           2.8.4-r1

dev-util/pkgconfig:       0.26

sys-apps/baselayout:      2.0.3

sys-apps/openrc:          0.8.3-r1

sys-apps/sandbox:         2.4

sys-devel/autoconf:       2.13, 2.68

sys-devel/automake:       1.11.1

sys-devel/binutils:       2.20.1-r1

sys-devel/gcc:            4.5.3-r1

sys-devel/gcc-config:     1.4.1-r1

sys-devel/libtool:        2.4-r1

sys-devel/make:           3.82-r1

sys-kernel/linux-headers: 2.6.39 (virtual/os-headers)

sys-libs/glibc:           2.12.2

Repositories: gentoo

ACCEPT_KEYWORDS="x86"

ACCEPT_LICENSE="* -@EULA"

CBUILD="i686-pc-linux-gnu"

CFLAGS="-O2 -march=i686 -pipe"

CHOST="i686-pc-linux-gnu"

CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-O2 -march=i686 -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS=""

GENTOO_MIRRORS="http://gentoo.localhost.net.ar/ ftp://mirrors.tera-byte.com/pub/gentoo http://gentoo.mirrors.tera-byte.com/ http://ftp.ucsb.edu/pub/mirrors/linux/gentoo/"

LANG="es_VE.UTF-8"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

MAKEOPTS="-j2"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

PORTDIR_OVERLAY=""

SYNC="rsync://rsync.us.gentoo.org/gentoo-portage"

USE="X a52 aac acl acpi alsa berkdb bluetooth branding bzip2 cairo cdda cdr cli colord consolekit cracklib crypt cups cxx dbus dri dts dvd dvdr eds emboss encode evo exif fam firefox flac fortran gdbm gdu gif gnome gnome-keyring gpm gstreamer gtk iconv ipv6 jpeg lcms ldap libnotify mad mng modules mp3 mp4 mpeg mudflap nautilus ncurses nls nptl nptlonly ogg opengl openmp pam pango pcre pdf png policykit ppds pppd qt3support readline sdl session spell ssl startup-notification svg sysfs tcpd tiff truetype udev unicode usb vorbis x264 x86 xcb xml xorg xulrunner xv xvid zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1 emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="evdev synaptics" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="intel" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LC_ALL, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================

                        Package Settings

=================================================================

sys-libs/pam-1.1.5 was built with the following:

USE="berkdb cracklib nls -audit -debug -nis (-selinux) -test -vim-syntax"

     1  auth       required     pam_securetty.so

     2  auth       include      system-local-login

     3

     4  account    include      system-local-login

     5  password   include      system-local-login

     6  session    include      system-local-login

     7  auth            include         system-login

     8  account         include         system-login

     9  password        include         system-login

    10  session         include         system-login

    11  auth            required        pam_tally2.so onerr=succeed

    12  auth            required        pam_shells.so 

    13  auth            required        pam_nologin.so 

    14  auth            include         system-auth

    15  auth            required        pam_env.so 

    16  auth            required        pam_unix.so try_first_pass likeauth nullok 

    17  auth            optional        pam_permit.so

    18   

    19  account         required        pam_unix.so 

    20  account         optional        pam_permit.so

    21   

    22  password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3 

    23  password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow 

    24  password        optional        pam_permit.so

    25   

    26  session         required        pam_limits.so 

    27  session         required        pam_env.so 

    28  session         required        pam_unix.so 

    29  session         optional        pam_permit.so

```

     By the way, does the "berkdb" USE flag refer to PostgreSQL? because I think I have not installed it yet... anyways, I'll be expecting your comments eagerly, thank you very much in advance.

Cheers.

----------

## Hu

It looks like your /etc/pam.d/system-login is empty.  For me, it is:

```
auth      required   pam_tally2.so onerr=succeed

auth      required   pam_shells.so 

auth      required   pam_nologin.so 

auth      include      system-auth

             

account      required   pam_access.so 

account      required   pam_nologin.so 

account      include      system-auth

account      required   pam_tally2.so onerr=succeed 

 

password   include      system-auth

 

session         optional        pam_loginuid.so

session      required   pam_env.so 

session      optional   pam_lastlog.so 

session      include      system-auth

session      optional   pam_motd.so motd=/etc/motd

session      optional   pam_mail.so
```

----------

## anesed

 *Hu wrote:*   

> It looks like your /etc/pam.d/system-login is empty.  For me, it is:
> 
> ```
> auth      required   pam_tally2.so onerr=succeed
> 
> ...

 

Thank you very much, Hu, this seemed to be precisely my problem, I just copied the old system-login that dispatch-conf wrote as a backup to my /etc/pam.d directory and voilá!, I could login once again.

Cheers.

----------

## Martin Cmelik

Hi,

Im facing this problem for last month with every new installation. Im installing gentoo from stage3 (hardened) and if I turn on debug mode for pam (touch /etc/pam_debug) I see difference when I put wrong password or correct one.

When password is wrong it says something like:

pam_unix(login:auth): authentication failure

and next line is: login: FAILED LOGIN

But when I put correct one I see in debug only FAILED LOGIN without previous reason why.

My /etc/pam.d/system-login is same as mentioned by Hu.

If you have some other hint please let me know.

Thank you!

----------

## Hu

Martin: please post the output of emerge --info sys-libs/pam; for a in /etc/pam.d/{login,system-local-login,system-login,system-auth}; do echo "$a"; cat -n "$a"; done.  This is a variation of the command I requested above.  The variant should produce more readable output.

----------

## Martin Cmelik

 *Hu wrote:*   

> Martin: please post the output of emerge --info sys-libs/pam; for a in /etc/pam.d/{login,system-local-login,system-login,system-auth}; do echo "$a"; cat -n "$a"; done.  This is a variation of the command I requested above.  The variant should produce more readable output.

 

Hi,

here you have it:

```
/etc/pam.d/login

     1  auth       required     pam_securetty.so

     2  auth       include      system-local-login

     3

     4  account    include      system-local-login

     5  password   include      system-local-login

     6  session    include      system-local-login

/etc/pam.d/system-local-login

     1  auth            include         system-login

     2  account         include         system-login

     3  password        include         system-login

     4  session         include         system-login

/etc/pam.d/system-login

     1  auth            required        pam_tally2.so onerr=succeed

     2  auth            required        pam_shells.so

     3  auth            required        pam_nologin.so

     4  auth            include         system-auth

     5

     6  account         required        pam_access.so

     7  account         required        pam_nologin.so

     8  account         include         system-auth

     9  account         required        pam_tally2.so onerr=succeed

    10

    11  password        include         system-auth

    12

    13  session         optional        pam_loginuid.so

    14  session         required        pam_env.so

    15  session         optional        pam_lastlog.so

    16  session         include         system-auth

    17  session         optional        pam_motd.so motd=/etc/motd

    18  session         optional        pam_mail.so

    19

/etc/pam.d/system-auth

     1  auth            required        pam_env.so

     2  auth            required        pam_unix.so try_first_pass likeauth nullok

     3  auth            optional        pam_permit.so

     4

     5  account         required        pam_unix.so

     6  account         optional        pam_permit.so

     7

     8  password        required        pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3

     9  password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow

    10  password        optional        pam_permit.so

    11

    12  session         required        pam_limits.so

    13  session         required        pam_env.so

    14  session         required        pam_unix.so

    15  session         optional        pam_permit.so

```

Im now in chroot so Im not sure if 

```
emerge --info
```

 is needed because it will be related to LiveCD.

----------

## Hu

Those pam values look similar to my working configuration.  Please provide the requested emerge --info after entering the chroot.  Most of the information it prints is derived from the active filesystem, so it is relevant even when you use a LiveCD.

----------

## Martin Cmelik

 *Hu wrote:*   

> Those pam values look similar to my working configuration.  Please provide the requested emerge --info after entering the chroot.  Most of the information it prints is derived from the active filesystem, so it is relevant even when you use a LiveCD.

 

Here it is:

```
Portage 2.1.9.42 (hardened/linux/amd64, gcc-4.4.5, libc-0-r0, 3.0.6-gentoo x86_64)

=================================================================

System uname: Linux-3.0.6-gentoo-x86_64-with-gentoo-2.0.3

Timestamp of tree: Wed, 21 Dec 2011 00:45:01 +0000

ccache version 3.1.6 [enabled]

app-shells/bash:     4.1_p9

dev-lang/python:     2.7.1-r1, 3.1.3-r1

dev-util/ccache:     3.1.6

dev-util/pkgconfig:  0.26

sys-apps/baselayout: 2.0.3

sys-apps/openrc:     0.8.3

sys-apps/sandbox:    2.4

sys-devel/autoconf:  2.65-r1

sys-devel/automake:  1.11.1

sys-devel/binutils:  2.21.1-r1

sys-devel/gcc:       4.4.5, 4.5.3-r1

sys-devel/gcc-config: 1.4.1-r1

sys-devel/libtool:   2.2.10

sys-devel/make:      3.82

sys-kernel/linux-headers: 2.6.36.1

sys-libs/glibc:      2.12.2

virtual/os-headers:  0

ACCEPT_KEYWORDS="amd64"

ACCEPT_LICENSE="* -@EULA"

CBUILD="x86_64-pc-linux-gnu"

CFLAGS="-march=native -O2 -fforce-addr -pipe"

CHOST="x86_64-pc-linux-gnu"

CONFIG_PROTECT="/etc /etc/bash/bashrc /etc/conf.d/hostname /etc/issue /etc/profile /etc/ssh/sshd_config /usr/share/gnupg/qualified.txt"

CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"

CXXFLAGS="-march=native -O2 -fforce-addr -pipe"

DISTDIR="/usr/portage/distfiles"

FEATURES="assume-digests binpkg-logs buildpkg ccache distlocks fixlafiles fixpackages news parallel-fetch protect-owned sandbox sfperms strict unknown-features-warn unmerge-logs unmerge-orphans userfetch"

FFLAGS=""

GENTOO_MIRRORS="http://ftp.fi.muni.cz/pub/linux/gentoo/"

LDFLAGS="-Wl,-O1 -Wl,--as-needed"

LINGUAS="en"

MAKEOPTS="-j3"

PKGDIR="/usr/portage/packages"

PORTAGE_CONFIGROOT="/"

PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"

PORTAGE_TMPDIR="/var/tmp"

PORTDIR="/usr/portage"

SYNC="rsync://rsync.gentoo.org/gentoo-portage"

USE="acl amd64 bash-completion bashlogger berkdb bzip2 chroot cli cracklib crypt cups cxx dri gdbm gnutls gpm hardened iconv jpeg justify ldap mmx modules mudflap multilib ncurses nls nptl nptlonly openmp pam pax_kernel pcre perl pic png pppd python readline secure-delete session snmp sse sse2 ssl symlink sysfs tcpd unicode urandom vim-syntax xml xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache cgi cgid dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump" CAMERAS="ptp2" COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog" ELIBC="glibc" GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" LINGUAS="en" PHP_TARGETS="php5-3" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="fbdev glint intel mach64 mga neomagic nouveau nv r128 radeon savage sis tdfx trident vesa via vmware dummy v4l" XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"

Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, PORTAGE_BUNZIP2_COMMAND, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY

```

----------

