Sudo/user stops working seemingly randomly

Hi, first time posting here.

I switched from PopOs to Manjaro this weekend just gone, and I gotta say I’m loving it so far. Manjaro KDE feels so much more polished and stable than Pop.

Everything so far is perfect besides one quite annoying little quirk. This is the second time in a week this has happened and I’ve no idea what I’m doing to cause it.

Basically, seemingly randomly, my sudo password simply stops working. Reading around the forums and various other places, I read this can be caused by running some updates. The first time this happened I had run pamac to update some packages, but today I haven’t run it at all (busy day at work). I came to disconnect from my work’s VPN just now, which runs sudo openvpn and obviously asks for elevated privileges, and boom, it won’t accept my password.

Before I continue, let me point out this is not a capslock/user failure. I plain texted my password to enter it and I’m 100% it was correct when I was told it was incorrect.

I tried su (this works, I can get into su with su’s password), then passwd {my username}, setting the password to something random, exited su and tried the command again. Nope… still can’t sudo as my user. Finally I tried opening the user panel via Settings → Personalisation → Users and changed my password there. Funnily enough, I had to enter my password to change my own password, which worked; I set it to the same as it was originally. All okay, then disconnect from VPN and BOOM! Works as expected.

As you can imagine, this is quite worrying as I don’t want to get into a situation first thing in the morning where I’m spending time trying to fix something that basically locks me out of most of the functionality of my machine.

So the question is twofold:

  1. Does anyone know why/how this might be happening?
  2. What can I do to dig deeper to discover the root cause of this issue?

Thanks in advance

If you enter the wrong password too many times, it locks the account for 10 minutes by default. It may be that?

I changed that behavior on my system by editing the /etc/security/faillock.conf file.

There you have fail_interval, deny, unlock_time and root_unlock_time; these are probably the ones you will want to change.

Example config:

```
# Configuration for locking the user after multiple failed
# authentication attempts.

# The directory where the user files with the failure records are kept.
# The default is /var/run/faillock.
# dir = /var/run/faillock

# Will log the user name into the system log if the user is not found.
# Enabled if option is present.
# audit

# Don't print informative messages.
# Enabled if option is present.
# silent

# Don't log informative messages via syslog.
# Enabled if option is present.
# no_log_info

# Only track failed user authentications attempts for local users
# in /etc/passwd and ignore centralized (AD, IdM, LDAP, etc.) users.
# The `faillock` command will also no longer track user failed
# authentication attempts. Enabling this option will prevent a
# double-lockout scenario where a user is locked out locally and
# in the centralized mechanism.
# Enabled if option is present.
# local_users_only

# Deny access if the number of consecutive authentication failures
# for this user during the recent interval exceeds n tries.
# The default is 3.
deny = 9

# The length of the interval during which the consecutive
# authentication failures must happen for the user account
# lock out is n seconds.
# The default is 900 (15 minutes).
fail_interval = 60

# The access will be re-enabled after n seconds after the lock out.
# The value 0 has the same meaning as value `never` - the access
# will not be re-enabled without resetting the faillock
# entries by the `faillock` command.
# The default is 600 (10 minutes).
unlock_time = 60

# Root account can become locked as well as regular accounts.
# Enabled if option is present.
# even_deny_root

# This option implies the `even_deny_root` option.
# Allow access after n seconds to root account after the
# account is locked. In case the option is not specified
# the value is the same as of the `unlock_time` option.
root_unlock_time = 60

# If a group name is specified with this option, members
# of the group will be handled by this module the same as
# the root account (the options `even_deny_root` and
# `root_unlock_time` will apply to them).
# By default, the option is not set.
# admin_group = <admin_group_name>
```
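To see how deny, fail_interval and unlock_time interact, the following added example (not part of the thread and not pam_faillock's own code) parses a faillock.conf and models the lockout rule its comments describe. The config strings and failure timestamps are constructed, and locking as soon as the failure count reaches `deny` is an assumption of the model.

```python
# Added example: a simplified model of the lockout rule described in faillock.conf.
# Defaults are the ones stated in the file's own comments.
DEFAULTS = {"deny": 3, "fail_interval": 900, "unlock_time": 600}

# Constructed inputs: a stock file (everything commented out) and the values posted above.
STOCK_CONF = "# deny = 3\n# fail_interval = 900\n# unlock_time = 600\n"
POSTED_CONF = "deny = 9\nfail_interval = 60\nunlock_time = 60\nroot_unlock_time = 60\n"
FAILURES = [1000, 1010, 1020]  # constructed epoch seconds of three failed attempts


def parse_faillock_conf(text):
    """Return the effective settings; commented-out options keep their defaults."""
    settings = dict(DEFAULTS)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue  # blank line, comment, or flag-only option such as `audit`
        key, value = (part.strip() for part in line.split("=", 1))
        if key in settings:  # root_unlock_time etc. are outside this model
            settings[key] = 0 if value == "never" else int(value)
    return settings


def lock_state(failure_times, now, settings):
    """Return (locked, seconds_until_unlock); the second item is None for 'never'."""
    if not failure_times or settings["deny"] == 0:  # deny = 0 treated as disabled
        return (False, 0)
    latest = max(failure_times)
    # Only failures within fail_interval of the most recent one count.
    recent = [t for t in failure_times if latest - t < settings["fail_interval"]]
    # Assumption: the account locks once the count reaches `deny`.
    if len(recent) < settings["deny"]:
        return (False, 0)
    if settings["unlock_time"] == 0:
        return (True, None)  # 0 / never: stays locked until the records are reset
    remaining = latest + settings["unlock_time"] - now
    return (True, remaining) if remaining >= 0 else (False, 0)


if __name__ == "__main__":
    for name, conf in (("stock", STOCK_CONF), ("posted", POSTED_CONF)):
        settings = parse_faillock_conf(conf)
        print(name, settings, lock_state(FAILURES, now=1100, settings=settings))
```

On a live system, `faillock --user <name>` lists the recorded failures for an account and `faillock --user <name> --reset` clears them.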

Thanks for the reply. I’m not sure this is the issue but I’ll check that config next time I’m at my machine.

I’m assuming if this is the case, entering the wrong password into a terminal too many times wouldn’t display a notification like a GUI prompt might, right?

sudo won’t tell you if the account is locked; it just won’t accept any password, even if it is the correct one.