Password dead after latest update

Never had this happen to me in 25 years of using Linux.

After rebooting following today’s updates, I logged in as usual without a hitch. I needed to check the status of the vmware network, so I tried this: sudo vmware-networks --status, and got this result:

Mar 02 09:36:36 audit[2885]: USER_AUTH pid=2885 uid=1000 auid=1000 ses=3 subj==unconfined msg='op=PAM:authentication grantors=? acct="ajgringo619" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Mar 02 09:37:38 sudo[2885]: pam_unix(sudo:auth): conversation failed
Mar 02 09:37:38 audit[2885]: USER_AUTH pid=2885 uid=1000 auid=1000 ses=3 subj==unconfined msg='op=PAM:authentication grantors=? acct="ajgringo619" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
Mar 02 09:37:38 sudo[2885]: pam_unix(sudo:auth): auth could not identify password for [ajgringo619]
Mar 02 09:37:40 sudo[2885]: ajgringo619 : 1 incorrect password attempt ; TTY=pts/1 ; PWD=/home/ajgringo619 ; USER=root ; COMMAND=/usr/bin/vmware-networks --status

I found that all of my sudo attempts were failing, so I got to root via su and reset the password. Same failure. What can I do to fix this???

Can we see the output of:

sudo cat /etc/sudoers | grep -v '^\s*$\|^\s*\#' 
sudo find /etc/sudoers.d  -exec grep -v '^\s*$\|^\s*\#' {} \;
$ sudo cat /etc/sudoers | grep -v '^\s*$\|^\s*\#'
[sudo] password for ajgringo619: 
root ALL=(ALL:ALL) ALL
@includedir /etc/sudoers.d
$ sudo find /etc/sudoers.d  -exec grep -v '^\s*$\|^\s*\#' {} \;
grep: /etc/sudoers.d: Is a directory
%wheel ALL=(ALL) ALL
Defaults!/etc/ctdb/statd-callout	!requiretty
rpcuser		ALL=(ALL) 	NOPASSWD: /etc/ctdb/statd-callout
Host_Alias	MY_HOST =	dss-endeavouros
Host_Alias      ARCH =          dss-endeavouros, \
                                vm-arch-kde
Host_Alias      DEBIAN =        vm-debian-9-kde, \
                                vm-debian-11-xfce, \ 
                                vm-lm-20-cin, \
                                vm-ubuntu-20-gnome
Host_Alias      REDHAT =        vm-fedora-35-xfce
Host_Alias      SUSE =          vm-suse-tw-kde
Host_Alias      LINUX =         ARCH, DEBIAN, REDHAT, SUSE
Host_Alias      LINUX_MSGS =    ARCH, DEBIAN
Cmnd_Alias      CFG =           /usr/local/bin/inxi, \
                                /usr/bin/inxi
Cmnd_Alias      LINUX_FS =      /usr/bin/btrfs, /usr/sbin/btrfs, \
                                /usr/bin/fdisk, /usr/sbin/fdisk, \
                                /usr/bin/mount, /usr/bin/umount, \
                                /usr/bin/snapper
ajgringo619     ALL =           NOPASSWD: CFG
ajgringo619     LINUX =         NOPASSWD: LINUX_FS
ajgringo619     LINUX_MSGS =    NOPASSWD: /usr/bin/dmesg, \
                                          /usr/bin/journalctl
ajgringo619     MY_HOST =       NOPASSWD: /usr/bin/nvidia-smi -i 0 -pl 120
ajgringo619     MY_HOST =       NOPASSWD: /usr/bin/nvidia-smi -i 1 -pl 60

Hmmm…somehow you tricked my system into working again. After running these commands - which should not have worked - my sudo is fixed! :upside_down_face:

I just realized I asked you to run commands with sudo to troubleshoot your issue with sudo
:man_facepalming:

Hahaha, I noticed that, though I did end up finding out about insults because of this. As useless as it is, I love little things like this.

It wasn’t just my sudo password that was hosed; even my no-password entries weren’t working. I did find some more journal entries that might shed some light on what happened:

Mar 02 09:34:03 sudo[2008]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 09:34:03 audit[2008]: USER_AUTH pid=2008 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=? acct="ajgringo619" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=failed'
Mar 02 09:34:03 sudo[2008]: pam_unix(sudo:auth): conversation failed
Mar 02 09:34:03 sudo[2008]: pam_unix(sudo:auth): auth could not identify password for [ajgringo619]
Mar 02 09:34:05 dbus-daemon[949]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.60' (uid=0 pid=2013 comm="sudo /usr/bin/nvidia-smi --id=0 --power-limit=120 ")
Mar 02 09:34:05 sudo[2013]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 09:34:05 sudo[2013]: pam_unix(sudo:auth): conversation failed
Mar 02 09:34:05 audit[2013]: USER_AUTH pid=2013 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=? acct="ajgringo619" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=failed'
Mar 02 09:34:05 sudo[2013]: pam_unix(sudo:auth): auth could not identify password for [ajgringo619]
Mar 02 09:34:08 dbus-daemon[949]: [system] Activating via systemd: service name='org.freedesktop.home1' unit='dbus-org.freedesktop.home1.service' requested by ':1.61' (uid=0 pid=2288 comm="sudo /usr/bin/nvidia-smi --id=1 --power-limit=60 ")
Mar 02 09:34:08 sudo[2288]: pam_systemd_home(sudo:auth): systemd-homed is not available: Unit dbus-org.freedesktop.home1.service not found.
Mar 02 09:34:08 sudo[2288]: pam_unix(sudo:auth): conversation failed
Mar 02 09:34:08 audit[2288]: ANOM_LOGIN_FAILURES pid=2288 uid=1000 auid=1000 ses=2 subj==unconfined msg='pam_faillock uid=1000  exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Mar 02 09:34:08 audit[2288]: RESP_ACCT_LOCK pid=2288 uid=1000 auid=1000 ses=2 subj==unconfined msg='pam_faillock uid=1000  exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=success'
Mar 02 09:34:08 audit[2288]: USER_AUTH pid=2288 uid=1000 auid=1000 ses=2 subj==unconfined msg='op=PAM:authentication grantors=? acct="ajgringo619" exe="/usr/bin/sudo" hostname=? addr=? terminal=? res=failed'
Mar 02 09:34:08 sudo[2288]: pam_unix(sudo:auth): auth could not identify password for [ajgringo619]
Mar 02 09:34:08 sudo[2288]: pam_faillock(sudo:auth): Consecutive login failures for user ajgringo619 account temporarily locked

While I’m certain that I used the right password, it’s possible that I didn’t. Maybe I just had to wait until the sudo-imposed lockout expired.

If faillock has triggered and locked the account then even if you use the correct password it won’t help until it has reset.

If Monty Python were in tech support… :wink:

You can change the number of failed password attempts that triggers faillock by editing /etc/security/faillock.conf.

deny = [n]

I think the default is 3 (?); 0 is infinite incorrect attempts.

Thanks for the tip; yes, 3 is the default. Since I obviously triggered this with the failed sudo passwords, should it have locked out my user account from all logins as well? I was able to log out and log back in right after this happened, so I’m confused as to how this actually works.

https://wiki.archlinux.org/title/Security#Lock_out_user_after_three_failed_login_attempts

For whatever reason, the lockout did not restrict my ability to log in via Cinnamon/lightdm. I appreciate the link.

Well…I found the solution; operator error as usual. I ran into the same problem after my last update/reboot, so I was ready to pull the last of my hair out. I checked the system journal and found that there were (3) failed attempts to run sudo, which were happening on a startup script I use to set my (2) Nvidia GPUs for Folding@home (reduced power, persistence).

I’ve been in the habit of updating my scripts/aliases to use the long versions of command-line switches; just makes it easier for me to figure out what it’s doing if/when I come back to it later. However, after switching the script to use the long names, I forgot to make the necessary update to my sudo commands: (3) different sudo commands, (3) failures = lockout:

new: sudo /usr/bin/nvidia-smi --id=1 --power-limit=60
old: sudo /usr/bin/nvidia-smi -i 1 -pl 60
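
An added example, not part of the original thread: the journal correlation that exposes this failure mode. It pairs each sudo PID that logged "conversation failed" (sudo wanted a password but had no terminal to ask on, so no NOPASSWD rule matched) with the command line that dbus-daemon recorded for that PID, and reports any pam_faillock lockout. The function name and the sample lines are constructed, modeled on the log excerpts above.

```shell
#!/usr/bin/env bash
# Constructed journal excerpt, shortened from the lines quoted in this thread.
sample_journal() {
cat <<'EOF'
Mar 02 09:34:05 dbus-daemon[949]: [system] Activating via systemd: service name='org.freedesktop.home1' requested by ':1.60' (uid=0 pid=2013 comm="sudo /usr/bin/nvidia-smi --id=0 --power-limit=120 ")
Mar 02 09:34:05 sudo[2013]: pam_unix(sudo:auth): conversation failed
Mar 02 09:34:05 sudo[2013]: pam_unix(sudo:auth): auth could not identify password for [ajgringo619]
Mar 02 09:34:08 dbus-daemon[949]: [system] Activating via systemd: service name='org.freedesktop.home1' requested by ':1.61' (uid=0 pid=2288 comm="sudo /usr/bin/nvidia-smi --id=1 --power-limit=60 ")
Mar 02 09:34:08 sudo[2288]: pam_unix(sudo:auth): conversation failed
Mar 02 09:34:08 sudo[2288]: pam_faillock(sudo:auth): Consecutive login failures for user ajgringo619 account temporarily locked
EOF
}

# Reads journal text on stdin. Prints:
#   PROMPTED <pid> <command line>   sudo asked for a password and could not prompt
#   LOCKED <user>                   pam_faillock locked the account
sudo_prompt_triage() {
    awk '
    # dbus-daemon logs the full sudo command line together with the PID of sudo
    /dbus-daemon\[/ && /comm="sudo / {
        if (match($0, /pid=[0-9]+/)) pid = substr($0, RSTART + 4, RLENGTH - 4)
        if (match($0, /comm="[^"]*"/)) cmd[pid] = substr($0, RSTART + 6, RLENGTH - 7)
        next
    }
    # pam_unix could not hold a password conversation: no matching NOPASSWD rule
    /pam_unix\(sudo:auth\): conversation failed/ {
        if (match($0, /sudo\[[0-9]+\]/)) {
            pid = substr($0, RSTART + 5, RLENGTH - 6)
            c = (pid in cmd) ? cmd[pid] : "(command not logged)"
            sub(/ +$/, "", c)
            print "PROMPTED " pid " " c
        }
    }
    # pam_faillock reports the lock once the deny threshold is reached
    /pam_faillock\(sudo:auth\): Consecutive login failures for user / {
        n = split($0, w, " ")
        for (i = 1; i < n; i++) if (w[i] == "user") print "LOCKED " w[i + 1]
    }'
}

sample_journal | sudo_prompt_triage
```

On a live system, feed it `journalctl -b -o short`; each PROMPTED line is a command whose arguments should be compared against the NOPASSWD entries in sudoers, and `faillock --user <name>` shows the recorded failures for a LOCKED account.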