Introduction

PAM (Pluggable Authentication Modules) is the authentication framework used by Linux for login, SSH, sudo, and other authentication tasks. When the /etc/shadow file permissions are modified, corrupted, or have incorrect SELinux contexts, PAM modules like pam_unix.so cannot verify passwords, causing all local authentication to fail. This can lock out all users from the system.

Symptoms

  • Login prompt rejects correct passwords with Login incorrect
  • su and sudo fail even for root
  • SSH authentication fails with Permission denied (publickey,password)
  • /var/log/auth.log shows pam_unix(sshd:auth): authentication failure
  • journalctl shows pam_unix(login:auth): check pass; user unknown

Common Causes

  • /etc/shadow permissions changed from the expected 0640 (e.g. to 0000); the file should be mode 0640 and owned by root:shadow
  • /etc/shadow file deleted or corrupted
  • SELinux context on /etc/shadow incorrect after manual copy or restore
  • shadow group missing from the system
  • PAM configuration modified incorrectly (e.g., common-auth edited)

Step-by-Step Fix

  1. Boot from rescue media or use single-user mode to access the system:
     - At the GRUB menu, edit the kernel line and append init=/bin/bash
     - Boot and remount the root filesystem read-write:

```bash
mount -o remount,rw /
```

  2. Verify and fix the shadow file permissions:

```bash
ls -la /etc/shadow
# Should be: -rw-r----- 1 root shadow
chown root:shadow /etc/shadow
chmod 640 /etc/shadow
```

  3. Verify the shadow group exists:

```bash
getent group shadow
# If missing:
groupadd shadow
chown root:shadow /etc/shadow
```

  4. Fix the SELinux context if applicable:

```bash
# Check the current context
ls -Z /etc/shadow
# Restore the correct context from the loaded policy
restorecon -v /etc/shadow
# Or set the type manually
chcon -t shadow_t /etc/shadow
```

  5. Verify the PAM configuration is intact:

```bash
cat /etc/pam.d/common-auth
# Should contain:
# auth [success=1 default=ignore] pam_unix.so nullok
# Regenerate the common-* files from the installed profiles (Debian/Ubuntu)
pam-auth-update
```

  6. Test authentication:

```bash
passwd          # Try changing a user password
su - username   # Test a login as a regular user
```

Prevention

  • Never manually edit /etc/shadow; always use passwd, usermod, or chpasswd
  • Include /etc/shadow permission checks in system audit scripts
  • Use configuration management to enforce PAM file integrity
  • Test PAM changes in a separate terminal session before closing the current one
  • Keep a root shell open when modifying PAM or shadow-related files
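The permission check suggested for audit scripts, as an added example that is not part of the original article: it tests the same three preconditions the fix above restores by hand (owner, group and mode of /etc/shadow; existence of the shadow group; the SELinux type) and prints the repair command for each failure. Function names and the audit_shadow wrapper are this example's own; it assumes GNU stat and, for the context check, the SELinux getenforce tool.

```bash
#!/bin/bash
# Added audit helper (example code, not from the original article). Assumes GNU
# coreutils stat; the SELinux check is skipped where getenforce is absent/disabled.

# check_shadow_file PATH [OWNER] [GROUP] [MODE]
# Returns 0 if PATH exists and is OWNER:GROUP with exactly MODE (default
# root:shadow 640); otherwise prints one FAIL line per finding, each with the
# command that repairs it, and returns 1.
check_shadow_file() {
    local path="${1:-/etc/shadow}" want_owner="${2:-root}"
    local want_group="${3:-shadow}" want_mode="${4:-640}" rc=0 info
    want_mode="${want_mode#0}"      # accept 0640 as well as 640
    if [ ! -e "$path" ]; then
        echo "FAIL: $path is missing; restore it from backup, then re-run" >&2
        return 1
    fi
    # GNU stat: %U owner name, %G group name, %a octal mode without leading zero
    info=$(stat -c '%U %G %a' "$path") || return 1
    set -- $info
    if [ "$1" != "$want_owner" ]; then
        echo "FAIL: owner is $1, expected $want_owner -> chown $want_owner $path" >&2; rc=1
    fi
    if [ "$2" != "$want_group" ]; then
        echo "FAIL: group is $2, expected $want_group -> chgrp $want_group $path" >&2; rc=1
    fi
    if [ "$3" != "$want_mode" ]; then
        echo "FAIL: mode is $3, expected $want_mode -> chmod $want_mode $path" >&2; rc=1
    fi
    return "$rc"
}
# check_shadow_group [GROUP]: mode 0640 only means something if the owning
# group resolves; a missing shadow group is one of the causes listed above.
check_shadow_group() {
    getent group "${1:-shadow}" >/dev/null
}
# check_shadow_context [PATH]: expects type shadow_t on SELinux hosts
# (e.g. system_u:object_r:shadow_t:s0); returns 0 where SELinux is off.
check_shadow_context() {
    command -v getenforce >/dev/null 2>&1 || return 0
    [ "$(getenforce 2>/dev/null)" = "Disabled" ] && return 0
    ls -Z "${1:-/etc/shadow}" | grep -q ':shadow_t:'
}
# audit_shadow: run every check against the live file (stat needs no privileges).
audit_shadow() {
    check_shadow_file /etc/shadow root shadow 640 &&
    check_shadow_group shadow &&
    check_shadow_context /etc/shadow &&
    echo "OK: /etc/shadow audit passed"
}
```

Source the file from a cron job or configuration-management check and run audit_shadow; a non-zero exit with the FAIL lines on stderr is the signal to act before the next login fails.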