SOLVED! - can't set root or user password in chroot

Message

CooSee · Post by **CooSee** » Sat Aug 07, 2021 3:30 pm

hello,

so i decided to install gentoo from within running funtoo and almost everything went smooth, but when i try to set the root or user password it takes really awful time after entering second time >>> 5 min more or less.

but after succesfully booting into new gentoo system and entering the password i get timeout error after 60 sec. - for root and user.

using openrc-no-multilib profile.

Code: Select all

 removed - not relevant anymore

thx

Wrapped a long line to make the forum layout behave. —[profile=215889]Chiitoo[/profile]

turtles · Post by **turtles** » Sat Aug 07, 2021 5:01 pm

Sounds like a pam problem
Perhaps take a look at your

Code: Select all

 /etc/pam.d/system-auth

https://wiki.gentoo.org/wiki/PAM

I think the docs for that file is

Code: Select all

man pam.d

CooSee · Post by **CooSee** » Sat Aug 07, 2021 5:39 pm

i used the password content from my old funtoo system - from /etc/shadow - root or user is the same for me anyway

and it worked - that's a awful security bug

here are the /etc/pam.d/system-auth files:

backup from an older gentoo install from May:

Code: Select all

auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
auth            optional        pam_permit.so
account         required        pam_unix.so
account         required        pam_faillock.so
account         optional        pam_permit.so
password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password        optional        pam_permit.so
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so
session         optional        pam_permit.so

and this is from today:

Code: Select all

auth            required        pam_env.so
auth            requisite       pam_faillock.so preauth
auth            [success=1 default=ignore]      pam_unix.so nullok  try_first_pass
auth            [default=die]   pam_faillock.so authfail
account         required        pam_unix.so
account         required        pam_faillock.so
password        required        pam_passwdqc.so config=/etc/security/passwdqc.conf
password        required        pam_unix.so try_first_pass use_authtok nullok sha512 shadow
session         required        pam_limits.so
session         required        pam_env.so
session         required        pam_unix.so

can anybody please explain the difference.

only ebuild which uses 'pam' is elogind.

and none with policykit.

greetings

turtles · Post by **turtles** » Sat Aug 07, 2021 5:57 pm

I am no pam guru

CooSee wrote:i used the password content from my old funtoo system - from /etc/shadow - root or user is the same for me anyway

and it worked - that's a awful security bug

You mean you copied /etc/shadow from your Funtoo to the Genetoo as root?
Or you tried your funtoo password and it worked?

CooSee · Post by **CooSee** » Sat Aug 07, 2021 6:09 pm

turtles wrote:I am no pam guru
CooSee wrote:i used the password content from my old funtoo system - from /etc/shadow - root or user is the same for me anyway

and it worked - that's a awful security bug
You mean you copied /etc/shadow from your Funtoo to the Genetoo as root?
Or you tried your funtoo password and it worked?

i copied the cryptic line after root: $9jg$.... and username:$8fd$....

but atm i can't use passwd anyhow - just tried adding another user, but the same behavour - it's staying like this after second entry of password for couple of minutes and fails anyway:

Code: Select all

Please use a combination of upper and lower case letters and numbers.
New password: 
Re-enter new password: 
#

Post by **pietinger** » Sat Aug 07, 2021 10:09 pm

CooSee wrote:i copied the cryptic line after root: $9jg$.... and username:$8fd$....[/code]

Gentoo is using $6 meaning sha-512

TBH I dont know a $9 algorithm

See more here: https://www.slashroot.in/how-are-passwo ... adow-utils

Maybe you should set your password like everybody else with passwd (and the given password/shadow-files at the time of installation).

CooSee · Post by **CooSee** » Sat Aug 07, 2021 10:21 pm

pietinger wrote:
CooSee wrote:i copied the cryptic line after root: $9jg$.... and username:$8fd$....[/code]
Gentoo is using $6 meaning sha-512

TBH I dont know a $9 algorithm

See more here: https://www.slashroot.in/how-are-passwo ... adow-utils

Maybe you should set your password like everybody else with passwd (and the given password/shadow-files at the time of installation).

it was just an example, not the real entry

i can't change or add a password with passwd at all - maybe it has something to do with the stage 3 file

anyway, now i'am compiling ungoogled-chromium and after that i will install a clean gentoo system with ' --usepkg=y ' tomorrow.

thx

spica · Post by **spica** » Sun Aug 08, 2021 12:49 am

Interesting to see the output of these commands within chroot:

Code: Select all

pwck

Code: Select all

ls -alL $(which passwd)

Code: Select all

mount

CooSee · Post by **CooSee** » Tue Aug 10, 2021 12:16 pm

this is really weird, because i reinstalled Gentoo on another disk yesterday from running gentoo with --usepkg=y and the installation was really fast

i used current stage3 from August 8 and immediately after chrooting i tested 'passwd' and it worked flawlessly.

but after completing first time emerge @world >>> 130 packages in 6 min. and then copying my old world file from freshly installed system 2 days ago

and using second time emerge @world >>> 476 packages in 26 min. - after that i tested 'passwd' again and it failed - cpu goes up to 100% after second entry and it's like 'passwd' freezes

and doesn't change the password at all.

how can i debug 'passwd' ?

is maybe something wrong when installing from a running system?

CooSee · Post by **CooSee** » Tue Aug 10, 2021 12:32 pm

spica wrote:Interesting to see the output of these commands within chroot:
Code: Select all
pwck
Code: Select all
ls -alL $(which passwd)
Code: Select all
mount

from yesterdays system:

pwck
user 'adm': directory '/var/adm' does not exist
user 'lp': directory '/var/spool/lpd' does not exist
user 'news': directory '/var/spool/news' does not exist
user 'uucp': directory '/var/spool/uucp' does not exist
pwck: no changes

ls -alL $(which passwd)
-rws--x--x 1 root root 68856 Aug 8 20:31 /usr/bin/passwd

mount
/dev/sdc2 on / type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/dev/sdc1 on /boot/efi type vfat (rw,relatime,fmask=0022,dmask=0022,codepage=437,iocharset=ascii,shortname=mixed,utf8,errors=remount-ro)
/dev/sdc3 on /home type xfs (rw,relatime,attr2,inode64,logbufs=8,logbsize=32k,noquota)
/proc on /proc type proc (rw,relatime)
sysfs on /sys type sysfs (rw,nosuid,nodev,noexec,relatime)
securityfs on /sys/kernel/security type securityfs (rw,nosuid,nodev,noexec,relatime)
debugfs on /sys/kernel/debug type debugfs (rw,nosuid,nodev,noexec,relatime)
configfs on /sys/kernel/config type configfs (rw,nosuid,nodev,noexec,relatime)
pstore on /sys/fs/pstore type pstore (rw,nosuid,nodev,noexec,relatime)
efivarfs on /sys/firmware/efi/efivars type efivarfs (rw,nosuid,nodev,noexec,relatime)
cgroup_root on /sys/fs/cgroup type tmpfs (rw,nosuid,nodev,noexec,relatime,size=10240k,mode=755,inode64)
openrc on /sys/fs/cgroup/openrc type cgroup (rw,nosuid,nodev,noexec,relatime,release_agent=/lib/rc/sh/cgroup-release-agent.sh,name=openrc)
none on /sys/fs/cgroup/unified type cgroup2 (rw,nosuid,nodev,noexec,relatime,nsdelegate)
cpuset on /sys/fs/cgroup/cpuset type cgroup (rw,nosuid,nodev,noexec,relatime,cpuset)
cpu on /sys/fs/cgroup/cpu type cgroup (rw,nosuid,nodev,noexec,relatime,cpu)
cpuacct on /sys/fs/cgroup/cpuacct type cgroup (rw,nosuid,nodev,noexec,relatime,cpuacct)
blkio on /sys/fs/cgroup/blkio type cgroup (rw,nosuid,nodev,noexec,relatime,blkio)
memory on /sys/fs/cgroup/memory type cgroup (rw,nosuid,nodev,noexec,relatime,memory)
devices on /sys/fs/cgroup/devices type cgroup (rw,nosuid,nodev,noexec,relatime,devices)
net_cls on /sys/fs/cgroup/net_cls type cgroup (rw,nosuid,nodev,noexec,relatime,net_cls)
perf_event on /sys/fs/cgroup/perf_event type cgroup (rw,nosuid,nodev,noexec,relatime,perf_event)
net_prio on /sys/fs/cgroup/net_prio type cgroup (rw,nosuid,nodev,noexec,relatime,net_prio)
hugetlb on /sys/fs/cgroup/hugetlb type cgroup (rw,nosuid,nodev,noexec,relatime,hugetlb)
pids on /sys/fs/cgroup/pids type cgroup (rw,nosuid,nodev,noexec,relatime,pids)
rdma on /sys/fs/cgroup/rdma type cgroup (rw,nosuid,nodev,noexec,relatime,rdma)
misc on /sys/fs/cgroup/misc type cgroup (rw,nosuid,nodev,noexec,relatime,misc)
udev on /dev type devtmpfs (rw,nosuid,relatime,size=10240k,nr_inodes=4103238,mode=755,inode64)
devpts on /dev/pts type devpts (rw,relatime,gid=5,mode=620,ptmxmode=000)
tmpfs on /dev/shm type tmpfs (rw,nosuid,nodev,inode64)
mqueue on /dev/mqueue type mqueue (rw,nosuid,nodev,noexec,relatime)

thx

edit:

[ 2810.451031] pwck[4541]: segfault at c0 ip 0000701cb237e521 sp 00007ffee5a04000 error 4 in libc-2.33.so[701cb233a000+144000]
[ 2810.451057] Code: 48 89 34 24 89 4c 24 48 64 48 8b 04 25 28 00 00 00 48 89 84 24 08 05 00 00 48 8b 05 39 e9 14 00 64 8b 00 89 84 24 80 00 00 00 <8b> 87 c0 00 00 00 85 c0 0f 85 41 02 00 00 c7 87 c0 00 00 00 ff ff

the same segfault on current running system

Roman_Gruber · Post by **Roman_Gruber** » Tue Aug 10, 2021 1:19 pm

CooSee wrote:i used the password content from my old funtoo system - from /etc/shadow - root or user is the same for me anyway

and it worked - that's a awful security bug

/etc/passwd and /etc/shadow are designed that way. the generated hash is compared with the stored hash.
I do not see a security issue. You work on an unencrypted root file system, so the contents are visible and can be changed by anyone with physical access.

CooSee · Post by **CooSee** » Tue Aug 10, 2021 1:31 pm

Roman_Gruber wrote:
CooSee wrote:i used the password content from my old funtoo system - from /etc/shadow - root or user is the same for me anyway

and it worked - that's a awful security bug
/etc/passwd and /etc/shadow are designed that way. the generated hash is compared with the stored hash.
I do not see a security issue. You work on an unencrypted root file system, so the contents are visible and can be changed by anyone with physical access.

no offence to anyone - I was being sarcastic.

i never came across this kind of problem like 'passwd'.

i'll install the old fashion way - booting from gentoo minimal installation cd, maybe today at later time.

CooSee · Post by **CooSee** » Tue Aug 10, 2021 2:28 pm

i found the culprit - he calls himself 'shadow'

downgraded shadow to sys-apps/shadow-4.8.1-r4 and voila no problems changing password with 'passwd'.

now my brain can continue to fart in peace

thx @ all for assisting

greetings