Can't change root passwd - even in singleuser mode

[bobrien]

FC9 - Sulphur, x86, nothing fancy

Did an update (damn the unofficial repos!!!)

Found a problem with pam_passwdqc module.

Like the title says, I'm unable to change root's password.

I boot into singleuser mode, run passwd, get the

Code:

passwd: all authentication tokens updated successfully

response.

Boot into multiuser mode and I'm still unable to login.

Two questions:
1) Anyone have a 'default' /etc/pam.d/system-auth that I can replace with the system-auth that
was obliterated by the pam_passwdqc update?
2) Any other ideas?

[arvinddeshpande]

Isn't it somewhere on the forum people were talking about root login not allowed through UI?

Anyways /etc/pam.d/gdm has a line
auth required pam_succeed_if.so user != root quiet

Which probably means "succeed if user is not root" meaning "Fail if user is root" Comment that line and see if it works for you.

[bobrien]

arvinddeshpande,

Thanks for the reply.
I'm not even close to the UI (yet) :-)

In singleuser mode (boot to grub, edit the kernel command, add singleuser to the end, boot the system).

At the bash prompt, I appear to change the password for root successfully, but following a sync,sync and a reboot - into multiuser mode, the password still does not work.

Note: I've done this before on a number of systems - this is the first time it's failed for me....

[daverj]

this may not be a very helpful response, but check /etc/shadow before and after you change the password in single user mode and see if it actually gets written.

davidj

[bobrien]

Thanks, daverj, (I'm open to any ideas).
/etc/shadow does indeed get modified when I run passwd in singleuser mode.
I've also tried the brute force hack of editing /etc/shadow and removing the encrypted password.
I've also tried passwd -d .... and this had no effect, either.

[aleph]

Anything in the SElinux log? Maybe a bug in the SELinux policies?

[bobrien]

Nothing - SElinux is disabled. It was before and after.

[arvinddeshpande]

Now however stupid this suggestion may sound please bear with me.

You sure CAPS LOCK is not on and you are using the same password?

That is the only explanation SELinux should not do anything cause he is changing root password. So the program must have permissions to modify shadow passwords.

If I were you I will set a simple password like abcd1234 and check if that works and while setting it up will pay attention to the CAPS lock.

[bobrien]

arvinddeshpande,
Thanks - and great idea.
I checked the caps lock key - it functioned at the grub password (wouldn't let me into grub if I enabled the caps lock key and entered my password....successfully entered grub when I toggled the caps lock key).
Edited the kernel command line (played with the caps lock key off/on).
In singleuser mode, I double-checked that the caps lock functioned as expected (it did).
Still....no love.

Code:

[root@goob /]#PASSWD
bash: PASSWD: command not found

(expected...double checking capslock status)

Code:

[root@goob /]#ps
   PID TTY            TIME CMD
 1449 tty1     00:00:00 bash
 1482 tty1     00:00:00 ps

(make sure caps lock was off)

Code:

[root@goob /]#passwd
Changing password for user root.
New UNIX password: <abcd1234>
BAD PASSWORD: it is based on a dictionary word
Retype new UNIX password: <abcd1234>
passwd: all authentication tokens updated successfully.

reboot. (to runlevel 3 - skipping the gdm/xdm/kdm...

Code:

Fedora release 9 (Sulphur) Kernel 2.6.27.12-78.2.8.fc9.i686 on an i686 (tty1)

goob login:root  (I know I'm in lowercase) :)
Password: <abcd1234>
Login incorrect

login:

password for root is still not recognized.

Looks like the only recourse is a reinstall (the recovery cd doesn't help here either).
I'd sure like to figure out the issue - but it looks like this one may have to be attributed to bad luck

[alicemcline]

hi
if you think /etc/pam.d/system-auth has been messed up with probably i could provide you 1 but, default for fc10..

one way to change the password could be editting passwd, shadow files in single user mode.. (hey just guessing)

refer to http://aplawrence.com/Linux/lostlinuxpassword.html

hope this solves your problem..

[PatMcLJr]

this stuff is way over my head
but my 2 cents here
can you try and log in over ssh?

OK here's a penny back, 1 cents worth
Pat Jr

[sideways]

type the password in the user field (before you type 'root') to make sure the keyboard is mapped correctly.

If it still doesn't work, create a new root account from single user mode

Code:

adduser -o -u 0 -g 0 -d /root root2
passwd root2

and login using that

[arvinddeshpande]

Now I am thinking that for a root account the shell has been setup as /bin/nologin or something similar to disallow users to login.
This will allow users to change the password( same in this case for root ) but at the same time even after entering correct password it will not fork a proper shell like bash or ksh.

That is again one possiblity but over my head.....cause I can't think of any reason setting root shell to be un-spawn-able.

If this is not the case I would check /etc/nsswitch.conf to make sure it is using local password DB a.k.a. /etc/shadow to authenticate users/root.

In either case output of "getent passwd root" would prove helpful to see what root login shell is set up to.

Also looking at /var/log/messages and /var/log/secure might give a hint or two why this is failing.

Once again my 2 cents.

[arvinddeshpande]

God! You are able to post all that output from a Single User mode? I am talking about the first part of your post where you are changing your root passwd.
I thought Single user mode takes you to console where there is no cut-paste functionality available.

Are you able to login as a normal user? Can you do "su -" to become root in a console?

[bobrien]

I appreciate all the help, folks.

I reinstalled - restored my data - all is well.

I still don't know what caused the situation - but my money is on the qcpasswd.so.

Thanks again - I'm back up - but when you're unable to change root's passwd via singleuser mode - that scares the bejeeezuss out of me.