PAM: /etc/shadow Corruption?: Cannot Login after Recent Manjaro Update

After I updated to the latest Manjaro release yesterday, I found I was unable to login to my system anymore. Trying to login into root via the terminal or even trying to unlock my account via the KDE Unlocker fails with the message “Login Failed”.

I’ve followed the instructions for merging all of the appropriate .pacnew files from the application pacdiff. I remember merging /etc/shadow, the files in /etc/pam.d/, and some other files that I forgot the names to. I do not have any logs of the final transaction, preventing me from giving more exact details of this problem.

After I did that, while my system was able to boot correctly, anything like activating a screen saver or attempting to login via console essentially locked me out from using the computer, forcing me to restart the system in order to get back to a point where it is usable again. Here is a sample from dmesg when I try to unlock my session with KDE:

[     2126.301712] audit: type=1100 audit(1599267025.148:193): pid=4372 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_permit,pam_faillock acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2126.301845] audit: type=1101 audit(1599267025.148:194): pid=4372 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:accounting grantors=pam_permit,pam_time acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2126.302100] audit: type=1110 audit(1599267025.148:195): pid=4372 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2126.304339] audit: type=1105 audit(1599267025.148:196): pid=4372 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2126.306912] audit: type=1106 audit(1599267025.152:197): pid=4372 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2126.306964] audit: type=1104 audit(1599267025.152:198): pid=4372 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2131.150624] audit: type=1101 audit(1599267029.995:199): pid=4425 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:accounting grantors=pam_permit,pam_time acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2131.150948] audit: type=1110 audit(1599267029.995:200): pid=4425 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_permit,pam_env,pam_faillock acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2131.154654] audit: type=1105 audit(1599267030.002:201): pid=4425 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:session_open grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2131.156334] audit: type=1106 audit(1599267030.002:202): pid=4425 uid=0 auid=1000 ses=4 subj==unconfined msg='op=PAM:session_close grantors=pam_limits,pam_unix,pam_permit acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
    [ 2201.915946] kauditd_printk_skb: 1 callbacks suppressed
    [ 2201.915949] audit: type=1100 audit(1599267100.762:204): pid=4939 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=SeleniumRig addr=? terminal=pts/1 res=failed'
    [ 2211.339808] audit: type=1100 audit(1599267110.185:205): pid=4996 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/su" hostname=SeleniumRig addr=? terminal=pts/1 res=failed'
    [ 2847.620847] snd_hda_intel 0000:00:1b.0: IRQ timing workaround is activated for card #0. Suggest a bigger bdl_pos_adj.
    [ 6479.343442] audit: type=1100 audit(1599271378.188:206): pid=8568 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 7816.121336] audit: type=1100 audit(1599272714.968:207): pid=8920 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 7830.327213] audit: type=1100 audit(1599272729.175:208): pid=8959 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 8052.433001] audit: type=1100 audit(1599272951.279:209): pid=9694 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 8058.718141] audit: type=1100 audit(1599272957.565:210): pid=9704 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 8188.604365] audit: type=2112 audit(1599273087.452:211): pid=9728 uid=0 auid=0 ses=1 subj==unconfined msg='op=PAM:unix_chkpwd acct="root" exe="/usr/bin/unix_chkpwd" hostname=SeleniumRig addr=? terminal=tty2 res=failed'
    [ 8296.054184] audit: type=1100 audit(1599273194.902:212): pid=9773 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:unix_chkpwd acct="go-rs" exe="/usr/bin/unix_chkpwd" hostname=? addr=? terminal=? res=failed'
    [ 8476.251937] audit: type=1100 audit(1599273375.099:213): pid=11121 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=? acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
    [ 8486.594860] audit: type=1100 audit(1599273385.442:214): pid=11121 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=? acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
    [ 8491.362632] audit: type=1100 audit(1599273390.209:215): pid=11121 uid=1000 auid=1000 ses=4 subj==unconfined msg='op=PAM:authentication grantors=? acct="go-rs" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'

One user on the Arch Bug Tracker suggested to change the value for user_radenv from 1 to 0. This sadly was unable to help me solve my issue. Even changing /etc/pam.d/system-auth to the defaults in the package did not help me solve my issue. Removing the lines referencing SystemD home also did not work. I did, however, manage to find a very insecure workaround to at least keep my system running.

Usually, PAM would deny entries where the password is wrong, as shown below:
auth [default=die] pam_faillock.so authfail

Changing the value from die to ignore allows me to at least use the system:
auth [default=ignore] pam_faillock.so authfail

However, this allows anyone to login to my system even if they didn’t have the right password. This includes getting into the root account via sudo. You can even login to the root account using a tty prompt if you wanted. Using su instead of sudo will not let you login, however.

Currently, my /etc/shadow file only has an appropriate entry for root. I was expecting to see my username in there but I do not when I cat for the entries.

All help is appreciated!

/etc/shadow is is here the problem, we don’t have to use all pacnews
now your manjaro not have passwords
.pacnew are only a “factory” setting made by developers : dev ignore your passwords in /etc/shadow file

same, no change /etc/passwd it’s user list (user and services)

same issue