The new authselect release seems entirely broken. In openQA testing, no console logins at all work after authselect is updated. Even logging into the console as "root" with no password on a live image built with the new authselect does not work, though autologin to the desktop as liveuser did work.
This is obviously an F38 blocker, per "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles."
Hmm, on closer inspection, it looks like every failure is a failed attempt to log in as root. Graphical desktop login as regular user with password works. Console login as regular user with password may also work; I don't *think* any of the tests we run on updates actually tried this before they failed on a root console login, so I can't say for sure. I'll sacrifice a VM to check shortly.
Yep, on manual testing in a VM, confirmed the issue is that direct root login no longer works. Before updating, I can log into a test VM as root just fine. After updating, attempting to log in as root fails. Logging in as a regular user and then becoming root via `sudo su` or `su` both work OK; it's only direct login as root that fails.
The journal isn't very illuminating, just an 'authentication failure' error.
This looks bad. Unfortunately, I am not able to reproduce it.
[vagrant@fedora ~]$ sudo authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2022-12-02-11-08-18.SGjr3V
Profile "sssd" was selected.
Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.
[vagrant@fedora ~]$ sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9b9adb4d6d
[vagrant@fedora ~]$ su root
[root@fedora vagrant]# cat /etc/fedora-release
Fedora release 37 (Thirty Seven)
[root@fedora vagrant]# authselect current
Profile ID: sssd
Enabled features: None
[root@fedora vagrant]# authselect check
Current configuration is valid.
This is with latest f37 vagrant box.
Is there any missing step?
Ok, I can reproduce it. It works correctly with ssh/sudo/su, it just does not work with login. It correctly tries to authenticate root with pam_unix but fails.
Dec 02 11:36:54 fedora login: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root
Dec 02 11:36:54 fedora audit: USER_AUTH pid=2131 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=fedora addr=?>
Dec 02 11:36:57 fedora login: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure
This is the breaking change: https://github.com/authselect/authselect/commit/a859e0d3584f478e6f89028211398f11c4766456
Adding systemd to shadow (`shadow: files systemd`) prevents logging in as root via the 'login' command. Interestingly, it prevents only root login; ssh and su as root work fine.
Zbigniew, do you know why? Should I just revert the patch, or is there a solution or a bug in systemd?
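A triage check for the regression identified in the comment above, added here as an example and not part of the thread or of authselect: it reads the `shadow:` sources from nsswitch.conf text and looks for the `pam_unix(login:auth)` root failure quoted earlier. The sample inputs and all function names are constructed for illustration.

```python
import re

# Constructed sample of /etc/nsswitch.conf content after the update.
SAMPLE_NSSWITCH = """\
passwd:     files sss systemd
shadow:     files systemd   # value quoted in the thread
"""

# Constructed journal lines modelled on the pam_unix entry quoted in the thread.
SAMPLE_JOURNAL = [
    "Dec 02 11:36:54 fedora login: pam_unix(login:auth): authentication failure; "
    "logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost= user=root",
    "Dec 02 11:40:02 fedora sshd[2200]: pam_unix(sshd:auth): authentication failure; "
    "logname= uid=0 euid=0 tty=ssh ruser= rhost=192.0.2.10 user=alice",
]

PAM_FAIL = re.compile(
    r"pam_unix\((?P<service>[\w-]+):auth\): authentication failure; (?P<fields>.*)")


def nss_sources(text, database):
    """Lookup sources for one nsswitch.conf database, minus comments and [STATUS=action] items."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        name, sep, rest = line.partition(":")
        if sep and name.strip() == database:
            return re.sub(r"\[[^\]]*\]", " ", rest).split()
    return []


def root_login_failures(lines):
    """Return (service, tty) for each pam_unix auth failure where user=root."""
    hits = []
    for line in lines:
        m = PAM_FAIL.search(line)
        if not m:
            continue
        fields = dict(kv.partition("=")[::2] for kv in m["fields"].split())
        if fields.get("user") == "root":
            hits.append((m["service"], fields.get("tty", "")))
    return hits


def matches_regression(nsswitch_text, journal_lines):
    """True when both symptoms from the thread are present."""
    systemd_in_shadow = "systemd" in nss_sources(nsswitch_text, "shadow")
    console_fail = any(s == "login" for s, _ in root_login_failures(journal_lines))
    return systemd_in_shadow and console_fail
```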
If I'm remembering correctly, this was broken for a long time in F36, but started working after upgrade to F37 (at least in my setup). Then it got broken again with this update.
So, yeah - just root login on console doesn't work for me. Regular logins work.
Bojan: it definitely was not broken in stock F36. This breaks just about every single openQA test; if it was broken in F36 I'd have a flood of red on every F36 update test.
Okay, maybe that was something local then, although I haven't touched any of it after upgrading my two machines with dnf - it just started working again. Anyhow, not really important for the current problem.
Seeing this in F37, downgrading to 1.4.0 fixed things.
FEDORA-2022-3905763e94 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3905763e94
FEDORA-2022-3905763e94 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-3905763e94`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3905763e94
See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.
FEDORA-2022-3905763e94 has been pushed to the Fedora 37 stable repository.
If the problem still persists, please make note of it in this bug report.