Bug 2150155 - Root console login fails with authselect 1.4.1-1 [NEEDINFO]
Summary: Root console login fails with authselect 1.4.1-1
Alias: None
Product: Fedora
Classification: Fedora
Component: authselect
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Pavel Březina
QA Contact: Fedora Extras Quality Assurance
Whiteboard: openqa
Depends On:
Blocks: BetaBlocker, F38BetaBlocker
TreeView+ depends on / blocked
Reported: 2022-12-01 22:38 UTC by Adam Williamson
Modified: 2022-12-09 01:31 UTC (History)
7 users (show)

Fixed In Version: authselect-1.4.2-1.fc37
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2022-12-06 11:08:32 UTC
Type: Bug
pbrezina: needinfo? (zbyszek)

Attachments (Terms of Use)

Description Adam Williamson 2022-12-01 22:38:39 UTC
The new authselect release seems entirely broken. In openQA testing, no console logins at all work after authselect is updated. Even logging into the console as "root" with no password on a live image built with the new authselect does not work, though autologin to the desktop as liveuser did work.

This is obviously an F38 blocker, per "A system installed without a graphical package set must boot to a state where it is possible to log in through at least one of the default virtual consoles."

Comment 1 Adam Williamson 2022-12-01 22:48:32 UTC
Hmm, on closer inspection, it looks like every failure is a failed attempt to login as root. Graphical desktop login as regular user with password works. Console login as regular user with password may also work; I don't *think* any of the tests we run on updates actually tried this before they failed on a root console login, so I can't say for sure. I'll sacrifice a VM to check shortly.

Comment 2 Adam Williamson 2022-12-02 00:35:16 UTC
Yep, on manual testing in a VM, confirmed the issue is that direct root login no longer works. Before updating, I can log into a test VM as root just fine. After updating, attempting to log in as root fails. Logging in as a regular user and then becoming root via `sudo su` or `su` both work OK; it's only direct login as root that fails.

The journal isn't very illuminating, just an 'authentication failure' error.

Comment 3 Pavel Březina 2022-12-02 11:11:34 UTC
This looks bad. Unfortunately, I am not able to reproduce it.

[vagrant@fedora ~]$ sudo authselect select sssd --force
Backup stored at /var/lib/authselect/backups/2022-12-02-11-08-18.SGjr3V
Profile "sssd" was selected.

Make sure that SSSD service is configured and enabled. See SSSD documentation for more information.

[vagrant@fedora ~]$ sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-9b9adb4d6d
  authselect-1.4.1-1.fc37.x86_64                                                                                      authselect-libs-1.4.1-1.fc37.x86_64                                                                                     

[vagrant@fedora ~]$ su root
[root@fedora vagrant]# cat /etc/fedora-release 
Fedora release 37 (Thirty Seven)
[root@fedora vagrant]# authselect current
Profile ID: sssd
Enabled features: None
[root@fedora vagrant]# authselect check
Current configuration is valid.

This is with latest f37 vagrant box.

Is there any missing step?

Comment 4 Pavel Březina 2022-12-02 11:40:47 UTC
Ok, I can reproduce it. It works correctly with ssh/sudo/su, it just does not work with login. It correctly tries to authenticate root with pam_unix but fails.

Dec 02 11:36:54 fedora login[2131]: pam_unix(login:auth): authentication failure; logname=LOGIN uid=0 euid=0 tty=/dev/tty1 ruser= rhost=  user=root
Dec 02 11:36:54 fedora audit[2131]: USER_AUTH pid=2131 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=PAM:authentication grantors=? acct="root" exe="/usr/bin/login" hostname=fedora addr=?>
Dec 02 11:36:57 fedora login[2131]: FAILED LOGIN 1 FROM tty1 FOR root, Authentication failure

Comment 5 Pavel Březina 2022-12-02 12:02:32 UTC
This is the breaking change: https://github.com/authselect/authselect/commit/a859e0d3584f478e6f89028211398f11c4766456

Adding systemd to shadow (shadow: files systemd) prevetes log in as root via 'login' command. Interesting is that it prevents only root login and ssh an su as root works fine.

Zbigniew, do you know why? Should I just revert the patch or there a solution or a bug in systemd?

Comment 6 Bojan Smojver 2022-12-02 14:26:54 UTC
If I'm remembering correctly, this was broken for a long time in F36, but started working after upgrade to F37 (at least in my setup). Then it got broken again with this update.

So, yeah - just root login on console doesn't work for me. Regular logins work.

Comment 7 Adam Williamson 2022-12-02 16:46:46 UTC
Bojan: it definitely was not broken in stock F36. This breaks just about every single openQA test; if it was broken in F36 I'd have a flood of red on every F36 update test.

Comment 8 Bojan Smojver 2022-12-02 19:29:39 UTC
Okay, maybe that was something local then, although I haven't touched any of it after upgrading my two machines with dnf - it just started working again. Anyhow, not really important for the current problem.

Comment 9 stan 2022-12-04 16:47:50 UTC
Seeing this in F37, downgrading to 1.4.0 fixed things.

Comment 10 Fedora Update System 2022-12-05 15:46:06 UTC
FEDORA-2022-3905763e94 has been submitted as an update to Fedora 37. https://bodhi.fedoraproject.org/updates/FEDORA-2022-3905763e94

Comment 11 Fedora Update System 2022-12-06 01:32:21 UTC
FEDORA-2022-3905763e94 has been pushed to the Fedora 37 testing repository.
Soon you'll be able to install the update with the following command:
`sudo dnf upgrade --enablerepo=updates-testing --refresh --advisory=FEDORA-2022-3905763e94`
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2022-3905763e94

See also https://fedoraproject.org/wiki/QA:Updates_Testing for more information on how to test updates.

Comment 12 Fedora Update System 2022-12-09 01:31:51 UTC
FEDORA-2022-3905763e94 has been pushed to the Fedora 37 stable repository.
If problem still persists, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.