Password not working anymore, PW not changed

Hello dear Manjaro forum members,

on my brothers machine I’ve installed and configured boinc-nox today and ran the most recent updates. I didn’t reboot after the update and suddenly, during the running SSH session the password stopped working. Since then the machine got rebooted (autologin) and the PW still doesn’t work. The PW is not accepted via SSH and not via the keyboard attached. I’m at a loss here…

The machine is usable as a living room PC, but without the PW working this might get complicated.

inxi --full --verbosity=7 --filter --no-host
System:    Kernel: 5.7.17-2-MANJARO x86_64 bits: 64 compiler: gcc v: 10.2.0 Console: tty 1 DM: LightDM 1.30.0
           Distro: Manjaro Linux
Machine:   Type: Desktop Mobo: ASRock model: A300M-STX serial: <filter> UEFI: American Megatrends v: P3.60
           date: 10/28/2019
Memory:    RAM: total: 5.80 GiB used: 655.0 MiB (11.0%)
           RAM Report: permissions: Unable to run dmidecode. Root privileges required.
CPU:       Topology: Quad Core model: AMD Ryzen 3 3200G with Radeon Vega Graphics bits: 64 type: MCP arch: Zen+
           rev: 1 L2 cache: 2048 KiB bogomips: 28812
           Speed: 1262 MHz min/max: 1400/3600 MHz boost: enabled Core speeds (MHz): 1: 1260 2: 1266 3: 1260 4: 1260
           Flags: 3dnowprefetch abm adx aes aperfmperf apic arat avic avx avx2 bmi1 bmi2 bpext clflush clflushopt
           clzero cmov cmp_legacy constant_tsc cpb cpuid cr8_legacy cx16 cx8 de decodeassists extapic extd_apicid
           f16c flushbyasid fma fpu fsgsbase fxsr fxsr_opt ht hw_pstate ibpb irperf lahf_lm lbrv lm mca mce
           misalignsse mmx mmxext monitor movbe msr mtrr mwaitx nonstop_tsc nopl npt nrip_save nx osvw
           overflow_recov pae pat pausefilter pclmulqdq pdpe1gb perfctr_core perfctr_llc perfctr_nb pfthreshold pge
           pni popcnt pse pse36 rdrand rdseed rdtscp rep_good sep sev sha_ni skinit smap smca sme smep ssbd sse
           sse2 sse4_1 sse4_2 sse4a ssse3 succor svm svm_lock syscall tce topoext tsc tsc_scale v_vmsave_vmload
           vgif vmcb_clean vme vmmcall wdt xgetbv1 xsave xsavec xsaveerptr xsaveopt xsaves
Graphics:  Device-1: Advanced Micro Devices [AMD/ATI] Picasso driver: amdgpu v: kernel bus ID: 03:00.0
           chip ID: 1002:15d8
           Display: server: X.org 1.20.8 driver: amdgpu,ati unloaded: modesetting alternate: fbdev,vesa tty: 119x39
           Message: Advanced graphics data unavailable in console. Try -G --display
Audio:     Device-1: Advanced Micro Devices [AMD/ATI] Raven/Raven2/Fenghuang HDMI/DP Audio driver: snd_hda_intel
           v: kernel bus ID: 03:00.1 chip ID: 1002:15de
           Device-2: Advanced Micro Devices [AMD] Family 17h HD Audio vendor: ASRock driver: snd_hda_intel
           v: kernel bus ID: 03:00.6 chip ID: 1022:15e3
           Device-3: Creative SB X-Fi Surround 5.1 Pro type: USB driver: snd-usb-audio bus ID: 1-2:2
           chip ID: 041e:30df serial: <filter>
           Device-4: Corsair CORSAIR HS70 Pro Wireless Gaming Headset type: USB
           driver: hid-generic,snd-usb-audio,usbhid bus ID: 3-1:2 chip ID: 1b1c:0a4f
           Sound Server: ALSA v: k5.7.17-2-MANJARO
Network:   Device-1: Realtek RTL8111/8168/8411 PCI Express Gigabit Ethernet vendor: ASRock driver: r8169 v: kernel
           port: f000 bus ID: 02:00.0 chip ID: 10ec:8168
           IF: enp2s0 state: up speed: 1000 Mbps duplex: full mac: <filter>
           IP v4: <filter> type: dynamic noprefixroute scope: global broadcast: <filter>
           IP v6: <filter> type: dynamic noprefixroute scope: global
           IP v6: <filter> type: dynamic noprefixroute scope: global
           IP v6: <filter> type: deprecated dynamic noprefixroute scope: global
           IP v6: <filter> type: noprefixroute scope: link
           WAN IP: No WAN IP found. Connected to web? SSL issues? Try --no-dig
Drives:    Local Storage: total: 465.76 GiB used: 167.36 GiB (35.9%)
           ID-1: /dev/nvme0n1 vendor: Western Digital model: WDS500G2B0C-00PXH0 size: 465.76 GiB speed: 31.6 Gb/s
           lanes: 4 serial: <filter> rev: 211070WD scheme: GPT
           Message: No Optical or Floppy data was found.
RAID:      Message: No RAID data was found.
Partition: ID-1: / size: 457.16 GiB used: 167.35 GiB (36.6%) fs: ext4 dev: /dev/nvme0n1p2 label: N/A
           uuid: 6d3b06b6-82e6-45ce-ad6f-4d26809184e1
           ID-2: /boot/efi size: 299.4 MiB used: 280 KiB (0.1%) fs: vfat dev: /dev/nvme0n1p1 label: N/A
           uuid: AA00-8706
Swap:      Alert: No Swap data was found.
Unmounted: Message: No unmounted partitions found.
USB:       Hub: 1-0:1 info: Full speed (or root) Hub ports: 4 rev: 2.0 speed: 480 Mb/s chip ID: 1d6b:0002
           Device-1: 1-2:2 info: Creative SB X-Fi Surround 5.1 Pro type: Audio driver: snd-usb-audio interfaces: 3
           rev: 1.1 speed: 12 Mb/s chip ID: 041e:30df serial: <filter>
           Hub: 1-3:3 info: Genesys Logic Hub ports: 4 rev: 2.0 speed: 480 Mb/s chip ID: 05e3:0608
           Hub: 1-3.2:4 info: VIA Labs VL813 Hub ports: 4 rev: 2.1 speed: 480 Mb/s chip ID: 2109:2813
           Device-1: 1-3.2.1:7 info: MosArt Wireless Mouse type: Mouse driver: hid-generic,usbhid interfaces: 1
           rev: 1.1 speed: 12 Mb/s chip ID: 062a:4102
           Device-2: 1-3.2.2:5 info: Shenzhen Riitek wireless mini keyboard with touchpad type: Keyboard,Mouse
           driver: hid-generic,usbhid interfaces: 2 rev: 2.0 speed: 12 Mb/s chip ID: 1997:2433
           Hub: 1-3.2.4:6 info: VIA Labs VL813 Hub ports: 4 rev: 2.1 speed: 480 Mb/s chip ID: 2109:2813
           Hub: 2-0:1 info: Full speed (or root) Hub ports: 4 rev: 3.1 speed: 10 Gb/s chip ID: 1d6b:0003
           Hub: 3-0:1 info: Full speed (or root) Hub ports: 1 rev: 2.0 speed: 480 Mb/s chip ID: 1d6b:0002
           Device-1: 3-1:2 info: Corsair CORSAIR HS70 Pro Wireless Gaming Headset type: Audio,HID
           driver: hid-generic,snd-usb-audio,usbhid interfaces: 4 rev: 1.1 speed: 12 Mb/s chip ID: 1b1c:0a4f
           Hub: 4-0:1 info: Full speed (or root) Hub ports: 1 rev: 3.1 speed: 10 Gb/s chip ID: 1d6b:0003
Sensors:   System Temperatures: cpu: 41.5 C mobo: N/A gpu: amdgpu temp: 35 C
           Fan Speeds (RPM): fan-1: 0 fan-2: 1549 fan-3: 0 fan-4: 0 fan-5: 0
Info:      Processes: 189 Uptime: 17m Init: systemd v: 246 Compilers: gcc: 10.2.0 Packages: pacman: 1016 Shell: Zsh
           v: 5.8 running in: tty 1 (SSH) inxi: 3.1.05

Did you miss your PAM pacnews?

pacdiff -o

(you can also see the recent update announcements or related threads. ex: this one )

1 Like

These are the two pacnews that I got

/etc/fonts/fonts.conf.pacnew
/etc/locale.gen.pacnew

and I don’t have a system-auth.pacnew

These are the contents of /etc/pam.d/system-login


auth       required   pam_shells.so
auth       requisite  pam_nologin.so
auth       include    system-auth

account    required   pam_access.so
account    required   pam_nologin.so
account    include    system-auth

password   include    system-auth

session    optional   pam_loginuid.so
session    optional   pam_keyinit.so       force revoke
session    include    system-auth
session    optional   pam_motd.so          motd=/etc/motd
session    optional   pam_mail.so          dir=/var/spool/mail standard quiet
-session   optional   pam_systemd.so
session    required   pam_env.so           user_readenv=1

In other post, someone mentioned a .pam_environment file under the user home directory was the culprit for him. Do you have something like that?

Thank you for the answer. No there is no such file.

Have you check logs (journalctl) to check for possible related error messages?

It is working again. Without any intervention on the machine. wtf?

It stopped working again. Here is the output of

journalctl -b | grep -i pam 

https://8n1.org/17759/7f70

Things like

lightdm[995]: gkr-pam: no password is available for user

53 schnucky sudo[10787]: pam_unix(sudo:auth): conversation failed
Aug 30 09:35:53 schnucky sudo[10787]: pam_unix(sudo:auth): auth could not identify password for [schnucky]
Aug 30 09:36:25 schnucky sudo[10823]: pam_unix(sudo:auth): conversation failed
Aug 30 09:36:25 schnucky sudo[10823]: pam_unix(sudo:auth): auth could not identify password for [schnucky]

look worrysome.

And it started working again and I got no clue to why that is. Is there someone with more insight in PAM that can shed some light on this?

journalctl -b | grep -i pam

https://8n1.org/17760/152b

The IP you see all over the place is a VPN exit :wink:

If I understand what you are doing (you can be a little more specific on that), SSH is working, because I see success on those, but sudo isn’t working, isn’t it? Or is it all part of a graphical login?

SSH has been working all the time, luckily. I live 800km away from my brothers place.
The password stops working, not only for sudo but also for graphical password requests and starts working again on both, for no apparent reason.

can you post the content of /etc/pam.d/sudo and /etc/pam.d/system-auth, please

Sorry, got the wrong terminal.

Here you go.

▶ cat /etc/pam.d/sudo
#%PAM-1.0
auth		include		system-auth
account		include		system-auth
session		include		system-auth

schnucky@schnucky:~
▶ cat /etc/pam.d/system-auth
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
auth       [success=2 default=ignore]  pam_unix.so          try_first_pass nullok
-auth      [success=1 default=ignore]  pam_systemd_home.so
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow
password   optional                    pam_permit.so

session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

As i see here: BOINC - ArchWiki

By default, a password is created in /var/lib/boinc/gui_rpc_auth.cfg for connecting to the daemon. To simplify connection of the GUI to the daemon, cd to your home directory, create a link to the file, and change permissions to allow read access to boinc group members.

$ cd ~/ $ ln -s /var/lib/boinc/gui_rpc_auth.cfg gui_rpc_auth.cfg # chmod 640 gui_rpc_auth.cfg

If you prefer a different password, or none at all, you can edit /var/lib/boinc/gui_rpc_auth.cfg . Then restart BOINC daemon.

If you do not like the idea of having this file in your home directory, there is an alternative approach. BOINC Manager will also look for a readable gui_rpc_auth.cfg file in the current working directory. If you make the file readable by the boinc group and ensure that the manager is run with /var/lib/boinc as the working directory, you should find that the client connects to the daemon automatically, as desired. This can usually be achieved via the menu editor in your desktop environment of choice.

Could you check the permissions? Is there a symlink?Is the user in boinc group? Is the boinc service running?

Sorry, never used boinc-nox, but must be the same.

Could you try to login via boinccmd ? Maybe there is some more information?

BOINC is running and I read this bit of the wiki quite often over the past years. This is another password that is a random string generated by BOINC, which I only had to enter in boinctui to connect with the client. I don’t have the link in my homefolder and the user is not part of the boinc group, but it works.

schnucky@schnucky:/var/lib/boinc
▶ ll gui*
▕ -rw-------▏boinc:boinc│15 hour│  32B│gui_rpc_auth.cfg

Could it be that the user password is being entered wrong 3 times and it is being lock out temporary. From your log:

sudo[5160]: pam_faillock(sudo:auth): Consecutive login failures for user schnucky account temporarily locked

That could be consistent with the login working sometimes and sometimes not.

From root you can check the user failed login attemps with faillock --user schnucky and you can reset (and unlock the user) with failock --user --reset

I thought of that too, but it stops working for longer than the usual 10min.

faillock --user schnucky
schnucky:
When                Type  Source                                           Valid

I thought the root account is disabled in Manjaro.

No, the root account is not disabled (like in ubuntu). What I don’t remember is it root SSH disabled by default (although it can be easily changed).

I disable the SSH root access as standard in the sshd_config. What would be the PW of root if not set during install?

During install you have to set the root passwd or define it to be the same as your user’s. There is no default for root.

You can change it anyway with sudo passwd root