CentOS PAM unable to open /etc/pam.d/system-auth


Yeah, got it! Guys were right. selinux context was broken for config files.

Just run

    restorecon -Rv /etc/pam.d

in single user mode (single init=/bin/bash in GRUB). Then reboot and wait until the filesystem is autorelabeled by selinux.

That's it!

UPDATE: For those who want to disable SC auth: go to /etc/sysconfig/authconfig and set FORCESMARTCARD and USESMARTCARD to no. Do not try to delete any files in /etc/pam.d! ;)

Author by

twim

Updated on September 18, 2022

Comments

  • twim
    twim over 1 year

    In gdm I checked "Require smartcard login" but forgot to add any smartcard for authentication. Then I tried to boot from a LiveCD and disable SC auth. Something went wrong and now I am not able to log in as any user on the system ("Login incorrect" for any user, without prompting for a password). From /var/log/secure:

    May 18 14:50:07 myloginname sshd[5180]: Server listening on 0.0.0.0 port 22.
    May 17 14:50:07 myloginname sshd[5180]: Server listening on :: port 22.
    May 17 14:50:28 myloginname polkitd(authority=local): Registered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26 [/usr/libexec/polkit-gnome-authentication-agent-1], object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8)
    May 17 14:50:32 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:32 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:32 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:32 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:32 myloginname pam: gdm-password: gkr-pam: no password is available for user
    May 17 14:50:36 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:36 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:36 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:36 myloginname pam: gdm-password: PAM _pam_load_conf_file: unable to open /etc/pam.d/password-auth
    May 17 14:50:36 myloginname pam: gdm-password: gkr-pam: no password is available for user
    May 17 14:50:41 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:41 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:41 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:41 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:41 myloginname login: FAILED LOGIN SESSION FROM (null) FOR r, Permission denied
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: FAILED LOGIN SESSION FROM (null) FOR r, Permission denied
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: FAILED LOGIN SESSION FROM (null) FOR r, Permission denied
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:42 myloginname login: FAILED LOGIN SESSION FROM (null) FOR r, Permission denied
    May 17 14:50:44 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:44 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:44 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:44 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:44 myloginname login: FAILED LOGIN SESSION FROM (null) FOR rppt, Permission denied
    May 17 14:50:47 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:47 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:47 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:47 myloginname login: PAM _pam_load_conf_file: unable to open /etc/pam.d/system-auth
    May 17 14:50:47 myloginname login: FAILED LOGIN SESSION FROM (null) FOR root, Permission denied
    May 17 14:50:49 myloginname polkitd(authority=local): Unregistered Authentication Agent for session /org/freedesktop/ConsoleKit/Session1 (system bus name :1.26, object path /org/gnome/PolicyKit1/AuthenticationAgent, locale en_US.UTF-8) (disconnected from bus)
    May 17 14:50:51 myloginname sshd[5180]: Received signal 15; terminating.
    

    BTW, files /etc/pam.d/* are ok, permissions too. Help me please. Thanks!

    UPDATE

    root@kali:/media/blabla/etc/pam.d# ls -lh
    total 208K
    -rw-r--r--. 1 root root  272 Jan 30  2012 atd
    -rw-r--r--. 1 root root   97 Feb 22  2013 authconfig
    -rw-r--r--. 1 root root   97 Feb 22  2013 authconfig-gtk
    -rw-r--r--. 1 root root   97 Feb 22  2013 authconfig-tui
    -rw-r--r--. 1 root root  192 Nov 21 18:00 chfn
    -rw-r--r--. 1 root root  192 Nov 21 18:00 chsh
    -rw-r--r--. 1 root root  232 Nov 21 21:45 config-util
    -rw-r--r--. 1 root root  293 Nov 21 16:19 crond
    -rw-r--r--. 1 root root   71 Nov 21 16:18 cvs
    -rw-r--r--. 1 root root  115 Nov 23  2010 eject
    -rw-r--r--. 1 root root   71 Oct 28  2012 exim
    -rw-r--r--. 1 root root  708 Nov 21 22:05 gdm
    -rw-r--r--. 1 root root  480 Nov 21 22:05 gdm-autologin
    -rw-r--r--. 1 root root  489 Nov 21 22:05 gdm-fingerprint
    -rw-r--r--. 1 root root  701 Nov 21 22:05 gdm-password
    -rw-r--r--. 1 root root  485 Nov 21 20:08 gnome-screensaver
    -rw-r--r--. 1 root root  147 Oct  5  2009 halt
    -rw-r--r--. 1 root root  134 Jul  8  2008 kcheckpass
    -rw-r--r--. 1 root root  134 Jul  8  2008 kscreensaver
    -rw-r--r--. 1 root root   70 Aug 28  2013 ksu
    -rw-r--r--. 1 root root  728 Nov 21 18:00 login
    -rw-r--r--. 1 root root  172 Nov 21 18:35 newrole
    -rw-r--r--. 1 root root  336 May 26  2011 opcontrol
    -rw-r--r--. 1 root root  154 Nov 21 21:45 other
    -rw-r--r--. 1 root root  146 Feb 22  2012 passwd
    lrwxrwxrwx. 1 root root   16 May 29  2013 password-auth -> password-auth-ac
    -rw-r--r--  1 root root  935 May 17 10:42 password-auth-ac
    -rw-r--r--. 1 root root  155 Sep 19  2013 polkit-1
    -rw-r--r--. 1 root root  147 Oct  5  2009 poweroff
    -rw-r--r--. 1 root root  144 Nov 24  2010 ppp
    -rw-r--r--. 1 root root  147 Oct  5  2009 reboot
    -rw-r--r--. 1 root root  613 Nov 21 18:00 remote
    -rw-r--r--. 1 root root  167 Nov 21 18:35 run_init
    -rw-r--r--. 1 root root  143 Oct 17  2013 runuser
    -rw-r--r--. 1 root root  105 Oct 17  2013 runuser-l
    -rw-r--r--. 1 root root  145 Jun  3  2013 setup
    -rw-r--r--. 1 root root  575 Nov 25 16:50 sshd
    -rw-r--r--. 1 root root  341 Nov 25 16:50 ssh-keycat
    -rw-r--r--. 1 root root  487 Oct 17  2013 su
    -rw-r--r--. 1 root root  202 Nov 21 18:03 sudo
    -rw-r--r--. 1 root root  187 Nov 21 18:03 sudo-i
    -rw-r--r--. 1 root root  137 Oct 17  2013 su-l
    lrwxrwxrwx. 1 root root   14 May 29  2013 system-auth -> system-auth-ac
    -rw-r--r--  1 root root 1.1K May 16 23:01 system-auth~
    -rw-r--r--  1 root root 1.1K May 17 08:44 system-auth-ac
    -rw-r--r--. 1 root root   97 Feb 22  2013 system-config-authentication
    -rw-r--r--. 1 root root   97 Jul 22  2013 system-config-date
    -rw-r--r--. 1 root root   97 Feb 21  2013 system-config-kdump
    -rw-r--r--. 1 root root   97 Jun 12  2013 system-config-keyboard
    -rw-r--r--. 1 root root   97 Nov 24  2010 system-config-network
    -rw-r--r--. 1 root root   97 Nov 24  2010 system-config-network-cmd
    -rw-r--r--. 1 root root  118 Oct 18  2012 system-config-users
    -rw-r--r--. 1 root root  233 Mar 31 19:00 wireshark
    -rw-r--r--. 1 root root  163 Dec 23 21:36 xserver
    
    
    
    root@kali:/media/blabla/etc/pam.d# cat system-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    
    auth        [success=1 default=ignore] pam_succeed_if.so service notin login:gdm:xdm:kdm:xscreensaver:gnome-screensaver:kscreensaver quiet use_uid
    
    #auth        sufficient    pam_fprintd.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    
    
    
    root@kali:/media/blabla/etc/pam.d# cat password-auth
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth        required      pam_env.so
    #auth        required      pam_deny.so
    auth        sufficient    pam_unix.so nullok try_first_pass
    auth        requisite     pam_succeed_if.so uid >= 500 quiet
    auth        required      pam_deny.so
    
    account     required      pam_unix.so
    account     sufficient    pam_localuser.so
    account     sufficient    pam_succeed_if.so uid < 500 quiet
    account     required      pam_permit.so
    
    password    requisite     pam_cracklib.so try_first_pass retry=3 type=
    password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password    required      pam_deny.so
    
    session     optional      pam_keyinit.so revoke
    session     required      pam_limits.so
    session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session     required      pam_unix.so
    
    • MadHatter
      MadHatter about 10 years
      Do the files /etc/pam.d/{system,password}-auth exist? What's the output of cat /selinux/enforce?
    • MastaJeet
      MastaJeet about 10 years
      Well the dots in the ls output (e.g. -rw-r--r--**.**) indicate there is an selinux context associated with the file so I think @MadHatter may be on to something. Is there anything interesting in /media/blabla/var/log/audit/audit.log?
    • twim
      twim about 10 years
      No, the last entry was made a year ago.
  • MadHatter
    MadHatter about 10 years
    Odd how that affected anything, given that selinux was off. But I'm glad you're back up and running.
  • twim
    twim about 10 years
    I think that when trying to disable SC auth I changed these files. That's why the selinux context was corrupted. Thanks for the help!
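
Added example, not part of the original thread: in the ls -lh listing above, three files lack the trailing "." that MastaJeet points out, meaning they carry no SELinux label. The shell function below (the names unlabeled_from_ls and sample_listing are made up here) parses such a listing, as you would get from an offline mount where the SELinux tools cannot be used, and reports the unlabeled files plus the symlinks that resolve to them; the sample lines are copied from that listing.

```shell
#!/bin/sh
# Read `ls -l` output on stdin and report:
#   unlabeled: NAME            file whose mode string has no "." / "+" suffix
#   via-symlink: LINK -> NAME  labeled symlink that resolves to such a file
# GNU ls prints "." after the mode when the file has an SELinux context.
# "+" (ACL, possibly with a context) is not flagged, only a missing marker.
# Assumes file names without spaces, which holds for /etc/pam.d.
unlabeled_from_ls() {
    awk '
        $1 ~ /^[-dlbcps][-rwxsStT]+[.+]?$/ && NF >= 9 {
            # Characters 1-10 are type + permissions; character 11 is the marker.
            if (substr($1, 11, 1) == "") { bad[$9] = 1; order[++n] = $9 }
            if (substr($1, 1, 1) == "l" && $10 == "->") {
                link[++m] = $9; target[m] = $11
            }
        }
        END {
            for (i = 1; i <= n; i++) print "unlabeled: " order[i]
            for (i = 1; i <= m; i++)
                if (target[i] in bad)
                    print "via-symlink: " link[i] " -> " target[i]
        }
    '
}

# Sample input: a subset of the listing posted in the question.
sample_listing() {
    cat <<'EOF'
total 208K
-rw-r--r--. 1 root root  728 Nov 21 18:00 login
lrwxrwxrwx. 1 root root   16 May 29  2013 password-auth -> password-auth-ac
-rw-r--r--  1 root root  935 May 17 10:42 password-auth-ac
-rw-r--r--. 1 root root  575 Nov 25 16:50 sshd
lrwxrwxrwx. 1 root root   14 May 29  2013 system-auth -> system-auth-ac
-rw-r--r--  1 root root 1.1K May 16 23:01 system-auth~
-rw-r--r--  1 root root 1.1K May 17 08:44 system-auth-ac
EOF
}

sample_listing | unlabeled_from_ls
```

The two via-symlink lines match the two paths PAM fails to open in /var/log/secure. On the running system, restorecon -Rnv /etc/pam.d previews the relabeling without changing anything.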