# Password Authentication Problems



## pseudonomous (Nov 28, 2010)

Hi Everyone,

I'm dealing with a rather mysterious issue with my server "losing" my user and root password. At any rate, I can't login at the console, with an "invalid login" error (as root or a non-root user). I'm not using any sort of network authentication methods, just the default out of the box authentication. And I can go single user to reset my password. But I'm trying to figure out WHY this happens. I CAN still login w/ pubkeys via ssh.

If it'd happened once, I might be willing to chalk it up to my own stupidity, but it's happened repeatedly, and also occurs sometimes just for root, sometimes just for my user.

It doesn't seem particularly likely that I've got an attacker messing stuff up either; I'm not running any internet accessible services and all I've got running locally is ssh; I'm not seeing any failed ssh logins in the logs either (though I guess a skilled attacker would wipe those). I guess I could have gotten a rootkit via a malicious port, but that doesn't really seem too likely to me either. I have relatively few ports installed on my base system, though I do have a whole slew that I built in a jail; still none of those are actually running since I'm still in the process of configuring stuff.

But I also don't see anything particularly enlightening in my log files, I see the failed logins logged, and that's pretty much it; nothing to indicate that PAM is screwed up or something like that.  At least nothing I could see in "auth.log" or "messages.log".

I thought this could somehow be related to me running the jail I've been building ports in, but this doesn't consistently cause my password to "get lost".

I've got an extra loopback interface, that I'm binding a jail to in the 127.0.1.0/24 range, but this seems relatively standard, so presumably it's not the problem.

Any ideas?

Thanks in advance,
-Pseudonomous

Edit:

I've checked now that my password hashes aren't changing in /etc/master.passwd, from before I can't login.  They change after I reset my password (though, as I understand it, this is how things are supposed to work anyway), and I'll be able to log in again.

I can basically let the box sit, and after some period of time, I'll be locked out. I suppose I might try letting it sit in single user mode and see if this still happens after some period of time.


----------



## wblock@ (Nov 28, 2010)

How often does it happen?  Is it predictable, like every night?

Trying to remember my "check the easy stuff first" rule:

Try a different keyboard in case it's a problem with the keyboard.  A rarely-used key used only in password not always typing a character, so the password doesn't work.  You change the password, not being able to see that the broken key doesn't type anything.  Next day, the key works again, password is wrong...  Or Caps Lock LED not working, NumLock, something that changes what is typed but doesn't show in normal use.


----------



## pseudonomous (Nov 29, 2010)

It seems to take about an hour or two to occur, and now seems to happen pretty reliably. I don't think it can be a simple keyboard problem, because, to verify that it was not this sort of problem, I've typed the password into the login name to verify that the right characters are being sent.  (Also, this has affected me with two different keyboards)

I've tried letting the system idle in single user mode (well ... single user mode with all filesystems mounted and w/ root executing a bash shell) ... and if I wait awhile I won't be able to su to a normal user and su back to root.

Edit: Just to be sure, I did what you suggested and swapped out the keyboards when I had this login issue, but the problem persists. It was a good suggestion though.

I'm wondering: Short of reading the FreeBSD source code, is there somewhere I can find more information on how the password authentication method in FreeBSD works? (I've already read the handbook and a couple man pages, so I'm looking for something else.) I'm worried that my system is, for some reason, generating the wrong hashes based on my input.

Although that doesn't seem probable; but still:

1) the hashes in /etc/passwd don't change
2) I'm putting in good input
3) after I reset the password I'll be able to log in.

So what can possibly be going wrong?


----------



## DutchDaemon (Nov 29, 2010)

Do you have anything in the sixth or seventh fields of the records in /etc/master.passwd (other than an empty or zero value)?

```
grep -v ^# /etc/master.passwd | awk -F: '{print $1,$6,$7}'
```


----------
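The check requested above, extended to interpret the two fields, as an added example that is not part of the original thread: in the master.passwd format, field 6 is the password-change time and field 7 the account-expiry time, both in seconds since the epoch, with 0 meaning "not set". The function name `check_aging`, the sample accounts and the timestamps are constructed for illustration.

```shell
#!/bin/sh
# Added example: list accounts in a master.passwd-format file whose
# password-change (field 6) or account-expire (field 7) time is set,
# and say whether that time has already passed.
# Field order: name:password:uid:gid:class:change:expire:gecos:home:shell

check_aging() {
    # $1 = file in master.passwd format, $2 = current time (epoch seconds)
    awk -F: -v now="$2" '
        /^#/ || NF < 10 { next }      # skip comments and malformed lines
        {
            change = $6 + 0; expire = $7 + 0
            if (change == 0 && expire == 0) next   # nothing set
            status = "ok"
            if (change != 0 && change <= now) status = "password-change-due"
            if (expire != 0 && expire <= now) status = "account-expired"
            printf "%s change=%d expire=%d %s\n", $1, change, expire, status
        }' "$1"
}

# Constructed sample data (not from the thread); "*" stands in for hashes.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# $FreeBSD$
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:*:1001:1001::0:1290902400:Alice:/home/alice:/bin/sh
bob:*:1002:1002::1290902400:0:Bob:/home/bob:/bin/sh
carol:*:1003:1003::0:1893456000:Carol:/home/carol:/bin/sh
EOF

# Evaluate against a fixed "now" so the result is reproducible.
check_aging "$sample" 1291000000
```

On a live system the call would be `check_aging /etc/master.passwd "$(date +%s)"`, run as root because the file is not world-readable.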



## Galactic_Dominator (Nov 29, 2010)

What are the contents of /etc/nsswitch.conf?


----------



## DutchDaemon (Nov 29, 2010)

Suspecting an undetected NIS implementation?


----------



## fronclynne (Nov 29, 2010)

I would back up /etc/ when I was able to log in and then diff(1) that against the running copy of /etc/ when I wasn't able to log in.


----------



## pseudonomous (Nov 30, 2010)

Here's nsswitch.conf:


```
#
# nsswitch.conf(5) - name service switch configuration file
# $FreeBSD: src/etc/nsswitch.conf,v 1.1.10.1.4.1 2010/06/14 02:09:06 kensmith Exp $
#
group: compat
group_compat: nis
hosts: files dns
networks: files
passwd: compat
passwd_compat: nis
shells: files
services: compat
services_compat: nis
protocols: files
rpc: files
```

And my 6,7 fields in /etc/master.passwd are all zeros:


```
# cat /etc/master.passwd | cut -sf 1,6,7 -d:         
# $FreeBSD
root:0:0
toor:0:0
daemon:0:0
...
```

I'll run a diff against a working/non-working /etc, but since this happens even if / is mounted read-only, I'm not real optimistic that this is going to turn something up.

Edit:  I've checked a diff of /etc and backup from before I'm unable to login, but there's no difference.  After I reset my password there's differences in:


```
/etc/masters.passwd
/etc/pwd.db
/etc/spwd.db
```
but I would be surprised if that wasn't the expected behavior.

I had a thought:

I did a zfs rollback of my root file system and I don't think this problem occurred pre-rollback (what I mean is not that I couldn't login immediately after doing the rollback, but rather that I didn't have this problem of getting locked out for seemingly no reason prior to the rollback). Does anybody think there's any chance that this might somehow be linked to my problem?

Again, thanks for all the assistance.


----------



## Galactic_Dominator (Nov 30, 2010)

What is the full text of the error message?


----------



## pseudonomous (Nov 30, 2010)

I'll check this again when I'm at the machine, but IIRC the message is simply:

```
Invalid Login
```
The same as if I had entered my username or password incorrectly. (And the log entries look the same as well.) I can post log snippets if it would be useful.


----------

