Sudo suddenly stopped accepting correct password

I’m not sure what I might have done that caused this. One boot sudo was working fine, the next it wasn’t, and in between those boots, as far as I can tell, I did nothing that should have affected it. I dug into the issue a bit and learned that usually systemd-homed not running is the culprit for this issue.

The short version is, it wasn’t running, but after starting it again I still get this error in the systemd journal:

sudo[10711]: pam_unix(sudo:auth): conversation failed
sudo[10711]: pam_unix(sudo:auth): auth could not identify password for [user]
sudo[10730]: pam_systemd_home(sudo:auth): Not a user managed by systemd-homed: No home for user user known

The slightly longer version is that I figured out systemd-homed was needed for sudo (edit: apparently it actually isn’t) and for some reason was not running; I’d start it up but it didn’t seem to affect the situation.

I remember this issue occurred the other day, but at that time a reboot fixed it; this time, however, it has remained a persistent issue across several reboots. Also, after a bunch more testing I noticed that sometimes sudo works just after I reboot but stops working just a couple of seconds after I’m logged in.

No. It isn’t.

Well, your supposition is wrong, systemd-homed is not needed for sudo.

Is there any other log entry about pam? What’s the content of /etc/pam.d/system-auth?

I see, well I just found it in some stackexchange answer to be honest, it was an accepted answer that seemed to work for some people to start systemd-homed when their sudo was failing the same way mine is, but it isn’t working for me.

$ cat /etc/pam.d/system-auth 
#%PAM-1.0

auth       required                    pam_faillock.so      preauth
# Optionally use requisite above if you do not want to prompt for the password
# on locked accounts.
-auth      [success=2 default=ignore]  pam_systemd_home.so
auth       [success=1 default=bad]     pam_unix.so          try_first_pass nullok
auth       [default=die]               pam_faillock.so      authfail
auth       optional                    pam_permit.so
auth       required                    pam_env.so
auth       required                    pam_faillock.so      authsucc
# If you drop the above call to pam_faillock.so the lock will be done also
# on non-consecutive authentication failures.

-account   [success=1 default=ignore]  pam_systemd_home.so
account    required                    pam_unix.so
account    optional                    pam_permit.so
account    required                    pam_time.so

-password  [success=1 default=ignore]  pam_systemd_home.so
password   required                    pam_unix.so          try_first_pass nullok shadow sha512
password   optional                    pam_permit.so

-session   optional                    pam_systemd_home.so
session    required                    pam_limits.so
session    required                    pam_unix.so
session    optional                    pam_permit.so

There were a lot of repeats of the log entries I mentioned about pam, but besides that these are all the entries I could find:

$ journalctl -b0 | grep pam
ágú 08 22:53:24 Thulebox sddm-helper[825]: gkr-pam: no password is available for user
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_kwallet5(sddm-autologin:auth): pam_kwallet5: pam_sm_authenticate
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_kwallet5(sddm-autologin:auth): pam_kwallet5: Couldn't get password (it is empty)
ágú 08 22:53:24 Thulebox audit[825]: USER_AUTH pid=825 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:authentication grantors=pam_faillock,pam_shells,pam_permit,pam_gnome_keyring acct="user" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=? res=success'
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_systemd_home(sddm-autologin:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
ágú 08 22:53:24 Thulebox audit[825]: USER_ACCT pid=825 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="user" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=? res=success'
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_kwallet5(sddm-autologin:setcred): pam_kwallet5: pam_sm_setcred
ágú 08 22:53:24 Thulebox audit[825]: CRED_ACQ pid=825 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:setcred grantors=pam_faillock,pam_shells,pam_permit,pam_gnome_keyring acct="user" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=? res=success'
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_unix(sddm-autologin:session): session opened for user user(uid=1000) by (uid=0)
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_unix(sddm-autologin:session): session opened for user user(uid=1000) by (uid=0)
ágú 08 22:53:24 Thulebox systemd[827]: pam_systemd_home(systemd-user:account): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
ágú 08 22:53:24 Thulebox audit[827]: USER_ACCT pid=827 uid=0 auid=4294967295 ses=4294967295 subj==unconfined msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_permit,pam_time acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
ágú 08 22:53:24 Thulebox systemd[827]: pam_warn(systemd-user:setcred): function=[pam_sm_setcred] flags=0x8002 service=[systemd-user] terminal=[] user=[user] ruser=[<unknown>] rhost=[<unknown>]
ágú 08 22:53:24 Thulebox systemd[827]: pam_unix(systemd-user:session): session opened for user user(uid=1000) by (uid=0)
ágú 08 22:53:24 Thulebox systemd[827]: pam_unix(systemd-user:session): session opened for user user(uid=1000) by (uid=0)
ágú 08 22:53:24 Thulebox systemd[827]: pam_env(systemd-user:session): deprecated reading of user environment enabled
ágú 08 22:53:24 Thulebox audit[827]: USER_START pid=827 uid=0 auid=1000 ses=2 subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_loginuid,pam_keyinit,pam_systemd_home,pam_limits,pam_unix,pam_permit,pam_unix,pam_mail,pam_systemd,pam_env acct="user" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_env(sddm-autologin:session): deprecated reading of user environment enabled
ágú 08 22:53:24 Thulebox sddm-helper[825]: gkr-pam: couldn't unlock the login keyring.
ágú 08 22:53:24 Thulebox sddm-helper[825]: pam_kwallet5(sddm-autologin:session): pam_kwallet5: pam_sm_open_session
ágú 08 22:53:24 Thulebox sddm-helper[844]: pam_kwallet5: final socket path: /run/user/1000/kwallet5.socket
ágú 08 22:53:24 Thulebox audit[825]: USER_START pid=825 uid=0 auid=1000 ses=1 subj==unconfined msg='op=PAM:session_open grantors=pam_loginuid,pam_keyinit,pam_systemd_home,pam_limits,pam_unix,pam_permit,pam_unix,pam_mail,pam_systemd,pam_env,pam_gnome_keyring,pam_kwallet5 acct="user" exe="/usr/lib/sddm/sddm-helper" hostname=? addr=? terminal=:0 res=success'
ágú 08 22:53:27 Thulebox plasma_session[883]: org.kde.plasma.session: Starting autostart service  "/etc/xdg/autostart/pam_kwallet_init.desktop" ("/usr/lib/pam_kwallet_init")
ágú 08 22:53:27 Thulebox plasma_session[883]: org.kde.plasma.session: Starting autostart service  "/etc/xdg/autostart/pamac-tray-plasma.desktop" ("/usr/bin/pamac-tray-plasma")
ágú 08 22:53:29 Thulebox sudo[1544]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.

That usually means that you actually did do something that affected it. :stuck_out_tongue:

You, yourself, know best what you did before it started happening. Try tracing your steps back and undo things, i.e. remove any AUR package you installed, undo any configurations you did, etc.

Other than that, try reinstalling pam, pambase, shadow and sudo.

2 Likes

Tried this, didn’t work.

@zbe tried this too, didn’t work either. :frowning:

I just tested it again a bit and it seems consistent that just after I reboot, sudo works, but a few seconds later it will stop working.

edit: wait, the faillock thing DID work, i get this result:

When                Type  Source                                           Valid
2022-08-09 15:54:46 SVC   sudo                                                 V
2022-08-09 15:54:49 SVC   sudo                                                 V
2022-08-09 15:54:52 SVC   sudo                                                 V

Then I reset and get this result:

When                Type  Source                                           Valid

But if I check again a few seconds later I get this result again:

When                Type  Source                                           Valid
2022-08-09 15:55:34 SVC   sudo                                                 V
2022-08-09 15:55:37 SVC   sudo                                                 V
2022-08-09 15:55:41 SVC   sudo                                                 V

Something seems to be activating this faillock automatically over and over, but I can’t for the life of me guess what.

Edit2: found it, it was conky?! I don’t understand…

cat .conky/conkyrc.lua | grep sudo doesn’t find anything at all, it must be a bug in conky, some command I’m using has gotta be causing it…

But yes when i start conky it apparently spams this at me:

[sudo] password for user: 
sudo: unable to read password: Input/output error
sudo: a password is required

Edit2: I found it, it was a user script that I needed to update because of some system changes that conky was using. Gonna mark the faillock thing as the solution because it led to me discovering the problem :slight_smile:
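An added example, not part of the original posts: a small parser for the faillock table and journal lines quoted above that checks whether the failure tally is high enough to block sudo and whether the timing looks like a background script rather than mistyped passwords. The thresholds are pam_faillock's defaults (deny=3, fail_interval=900) and are assumed to be unchanged on this system; the "automated" heuristic and all function names are this example's own.

```python
import re
from datetime import datetime, timedelta

# pam_faillock defaults (assumed here; /etc/security/faillock.conf can change them)
DENY = 3
FAIL_INTERVAL = timedelta(seconds=900)

# Constructed samples in the shape of the output quoted in the thread.
SAMPLE_FAILLOCK = """\
When                Type  Source                                           Valid
2022-08-09 15:55:34 SVC   sudo                                                 V
2022-08-09 15:55:37 SVC   sudo                                                 V
2022-08-09 15:55:41 SVC   sudo                                                 V
"""
SAMPLE_JOURNAL = """\
sudo[10711]: pam_unix(sudo:auth): conversation failed
sudo[10711]: pam_unix(sudo:auth): auth could not identify password for [user]
"""

def parse_faillock(text):
    """Return sorted (when, type, source) tuples for records still marked valid (V)."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[4] == "V":
            when = datetime.strptime(f"{parts[0]} {parts[1]}", "%Y-%m-%d %H:%M:%S")
            records.append((when, parts[2], parts[3]))
    return sorted(records)

def would_deny(records, now):
    """Simplified lock check: DENY or more valid failures inside FAIL_INTERVAL.
    Ignores unlock_time, so it only answers 'is the tally high enough right now'."""
    recent = [r for r in records if timedelta(0) <= now - r[0] <= FAIL_INTERVAL]
    return len(recent) >= DENY

def looks_automated(records, max_gap=10, jitter=2):
    """Heuristic of this example: 3+ failures from one source, spaced a few
    seconds apart at a near-constant interval, suggest a script, not typing."""
    if len(records) < 3 or len({r[2] for r in records}) != 1:
        return False
    gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(records, records[1:])]
    return max(gaps) <= max_gap and max(gaps) - min(gaps) <= jitter

def failed_conversation_pids(journal):
    """PIDs of sudo runs where pam_unix logged 'conversation failed'."""
    pat = re.compile(r"sudo\[(\d+)\]: pam_unix\(sudo:auth\): conversation failed")
    return sorted({int(m.group(1)) for m in pat.finditer(journal)})

if __name__ == "__main__":
    recs = parse_faillock(SAMPLE_FAILLOCK)
    print(would_deny(recs, datetime(2022, 8, 9, 15, 56)), looks_automated(recs))
    print(failed_conversation_pids(SAMPLE_JOURNAL))
```

The table format fed to `parse_faillock` is what `faillock --user NAME` prints; an empty table, as seen right after the reset in the post above, yields no records and both checks return False.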

Yeah seems about right…told you so. :stuck_out_tongue:

Tracing back changes is easy with btrfs and snapper or timeshift :innocent:

Yeah you did. I said I couldn’t remember anything, not that I hadn’t done something; I knew I most likely had, but retracing my steps wasn’t doable. I’d done a lot of administration over the past couple of days so I needed a starting point to figure it out from.

I needed a clue, and I got it from faillock.

1 Like

In the future, when such a situation occurs, always create a fresh new user and see if the issues you have appear on this fresh user. If the new user doesn’t have issues, you have a local issue for your user then; it shouldn’t be a system-wide issue.

2 Likes
