Unix Technical Forum

How can it be: cannot login as root when connected directly, but can login from other machines!

#1 (permalink)
01-19-2008, 06:15 AM
ianbrn@gmail.com

Hello,
I had installed Linux and everything was OK. It is RHEL5, but this
seems to be not an important fact.

Now:
I could login to that machine as root when I was connected directly
to it.
I could also login to that machine as root by ssh from other
machines on the LAN.

After somebody else did some installations on this machine (as root),
the following happened:
I could **NOT** login to that machine as root when I was connected
directly to it.
When I entered, at the login prompt, root as the user name and the
password, there was a message of
"user unknown" for half a second or less (I could hardly read it) and
that's it! The message vanished, and it returned to the login screen.


I want to emphasize that strange as it may seem, I ***could*** login
to that machine as root by ssh from other machines on the LAN with the
same password, even when I was denied doing
it when I was root as depicted above. So the password is OK.

I want also to emphasize that I made sure that /etc/passwd does
include a "root" entry,
and it does.

Any ideas what can be the reason for it and what should I do to enable
login
as root when connected directly? What is going on here?


Regards,
IB

#2 (permalink)
01-19-2008, 06:15 AM
The Natural Philosopher

ianbrn@gmail.com wrote:
> Hello,
> I had installed Linux and everything was OK. It is RHEL5, but this
> seems to be not an important fact.
>
> Now:
> I could login to that machine as root when I was connected directly
> to it.
> I could also login to that machine as root by ssh from other
> machines on the LAN.
>
> After somebody else did some installations on this machine (as root),
> the following happened:
> I could **NOT** login to that machine as root when I was connected
> directly to it.
> When I entered, at the login prompt, the root as user name and the
> password, there was a message of
> "user unknown" for half a second or less (I could hardly read it ) and
> that it ! the message vanished , and it returned to the login screen.
>
>
> I want to emphasize that strange as it may seem, I ***could*** login
> to that machine as root by ssh from other machines on the LAN with the
> same password, even when I was denied doing
> it when I was root as depicted above. So the password is OK.
>
> I want also to emphasize that I made sure that the /etc/passwd does
> include "root" entry,
> and it does.
>
> Any ideas what can be the reason for it and what should I do to enable
> login
> as root when connected directly ? What is going here ?
>
>
> Regards,
> IB


Sounds like someone has written a program pretending to be a shell, and
left it running.

Try a different console or Ctrl C or CTRL D
#3 (permalink)
01-19-2008, 06:15 AM
Moe Trin

On Thu, 06 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
<1189104898.984110.53080@22g2000hsm.googlegroups.com>, ianbrn@gmail.com wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>After somebody else did some installations on this machine (as root),
>the following happened:
> I could **NOT** login to that machine as root when I was connected
>directly to it.
>When I entered, at the login prompt, the root as user name and the
>password, there was a message of
>"user unknown" for half a second or less (I could hardly read it ) and
>that it ! the message vanished , and it returned to the login screen.


A lot depends on how your SSH setup is configured - it often does NOT
use the same files for login and shell startup as compared to logging in
directly at a console login prompt. Something set to run locally when
root logs in has been misconfigured. Note that the login mechanism and
files used are different between run-level 3 and 5 (as well as being
different from those used when coming in via SSH). See the man pages
for your shell, 'login' and any GUI display manager ('kdm', 'gdm', 'xdm'
or similar) you may be using.

>I want also to emphasize that I made sure that the /etc/passwd does
>include "root" entry,
>and it does.


Yeah, a lot of other stuff would die if that entry were missing.

>Any ideas what can be the reason for it and what should I do to enable
>login as root when connected directly ? What is going here ?


Start by seeing if you can log in as a _regular_ user, and then 'su'
(BUT WITHOUT THE DASH [su -]) so that you retain the environment of the
regular user. If so,

1. Look in /var/log/secure and /var/log/messages to see what is being
logged for complaints.
2. 'cd' (no options or parameters), which should change the PWD to
root's home directory. 'ls -lArt' and see what files have been changed
recently. Also check subdirectories in /root for similar changes.
3. 'rpm -Va > /tmp/files.to.check' and see what stuff has been messed
with. NOTE: Depending on how much is installed, this command may take
several minutes to complete. Use that time to read the 'rpm' man page
so that you can understand the output - look under 'VERIFICATION'.
NOTE: It is normal to see a number of files altered - usually file
ownership and mode.
4. 'find / -mtime -X -exec ls -ld {} \; > /tmp/recent.files' where 'X'
is one digit higher than the number of days you have had this problem.
What has been changed?
5. Do you have any security extensions (SELinux) running?

If you can not login as a regular user and 'su', try coming in via SSH
and performing the commands noted above. If that doesn't work, try
running in single user mode (run-level 1). If that doesn't work,
restore root's home directory from the most recent backup made before
your cow-corker screwed up the system.

NOTE: Read the man pages for every command I've specified BEFORE using
the command so that you understand the command and options I've shown.

Old guy
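
An added example for step 3 of the post above (not part of Moe Trin's post): a small shell filter that sorts `rpm -Va` output so changed file contents and missing files stand out from the ownership and mode changes the post describes as normal. The function names, class names and sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Class names and sample data are constructed.
#
# Verify lines look like "S.5....T  c /etc/foo" or "missing     /bin/foo".
# The flag string is 8 characters on older rpm and 9 on newer; its 3rd
# character is the file digest ("5" = content differs, "?" = not readable).
# An optional letter follows: c config, d doc, g ghost, l license, r readme.
triage_rpm_verify() {
    awk '
    {
        slash = index($0, "/")
        if (slash == 0) next                  # not a verify line
        path = substr($0, slash)              # keeps paths containing spaces
        attr = ($2 ~ /^[cdglr]$/) ? $2 : ""
        if ($1 == "missing")                   cls = "MISSING"
        else if (length($1) < 8 || length($1) > 9 || $1 !~ /^[.?SM5DLUGTP]+$/) next
        else if (substr($1, 3, 1) == "?")      cls = "UNREADABLE"
        else if (substr($1, 3, 1) != "5")      cls = "META"     # mode/owner/mtime only
        else if (attr == "c")                  cls = "CONFIG"   # edited config file
        else                                   cls = "CONTENT"  # packaged file body changed
        printf "%s\t%s\n", cls, path
    }'
}

# Paths to look at first: packaged non-config files that changed or vanished.
review_first() {
    triage_rpm_verify | awk -F'\t' '$1 == "MISSING" || $1 == "CONTENT" { print $2 }'
}

# Constructed sample of verify output (hypothetical paths).
sample_rpm_va() {
    cat <<'EOF'
.M......    /var/log/example-dir
S.5....T  c /etc/example.conf
S.5....T    /bin/example-login
missing     /usr/bin/example tool
..?.....    /etc/example-secret
.......T. d /usr/share/doc/example/README
EOF
}

# On a real system: rpm -Va | triage_rpm_verify > /tmp/files.to.check
sample_rpm_va | triage_rpm_verify
```
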
#4 (permalink)
01-19-2008, 06:15 AM
Ottavio Caruso

Moe Trin wrote:
> On Thu, 06 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
> <1189104898.984110.53080@22g2000hsm.googlegroups.com>, ianbrn@gmail.com wrote:
>
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.
>


Rubbish! Explain that!

Ottavio
http://www.pledgebank.com/boycottvista

#5 (permalink)
01-19-2008, 06:15 AM
John Hasler

Moe Trin wrote:
> NOTE: Posting from groups.google.com (or some web-forums) dramatically
> reduces the chance of your post being seen. Find a real news server.


Ottavio writes:
> Rubbish!


Not rubbish. Fact.

> Explain that!


Many of the people most likely to give a useful answer to your question
killfile everything originating from Google Groups due to the large amount
of spam posted from there.
--
John Hasler
john@dhh.gt.org
Dancing Horse Hill
Elmwood, WI USA
#6 (permalink)
01-19-2008, 06:15 AM
Moe Trin

On Sat, 08 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
<1189262638.451104.279530@o80g2000hse.googlegroups.com>, Ottavio Caruso wrote:

NOTE: Posting from groups.google.com (or some web-forums) dramatically
reduces the chance of your post being seen. Find a real news server.

>Moe Trin wrote:
>> On Thu, 06 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
>> <1189104898.984110.53080@22g2000hsm.googlegroups.com>, ianbrn@gmail.com wrote:
>>
>> NOTE: Posting from groups.google.com (or some web-forums) dramatically
>> reduces the chance of your post being seen. Find a real news server.


My news reader is configured to include that note when I respond to a
Usenet article posted from groups.google.com.

>Rubbish! Explain that!


1. Point your browser at this group, and read the article "A new reader?
Welcome to comp.os.linux.setup, read this first if you're new here (FAQ)"
specifically section 'iv)'.
2. Point your browser at the Usenet newsgroup 'comp.os.linux.misc' and
note the ~120 articles posted between ~14:00 UTC Friday and ~14:00 UTC
Saturday. I don't know about you, but I fail to see where advertisements
for athletic shoes, pr0n sites, and windoze viruses are exactly related
to Linux.
3. Point your browser at the Usenet newsgroup 'news.software.readers' and
note the discussions there relating to groups.google.com.
4. Point your browser at the Usenet newsgroup 'alt.os.linux' and note the
discussions there relating to groups.google.com.

You are entitled to your own opinion. _ALL_ complaints to
'groups-abuse@google.com' are answered by an ignore-bot, and the abuse
continues. Now, I could (and did) insert rules into my news reader
killfile to block that trash - and the rules got rather excessive.

[compton ~]$ grep -vE '^([%\[ ]|Score|$)' /var/spool/slrnpull/score |
cut -d' ' -f1 | sort | uniq -c | column
    896 From:           7 Message-ID:     79 Xref:
      2 Lines:        282 Subject:         2 ~Subject:
[compton ~]$

So, like many, I've replaced a bunch of rules for the comp.os.linux.misc
newsgroup with one:

Message-ID: googlegroups.com

with the result

comp.os.linux.misc: 110/110 (47 killed)

That was what the download looked like at 14:02 UTC Saturday. You may
find different results. Some have gone so far as to make that a blanket
rule applying to all groups. In my case, I'm only applying the rule to
six groups (out of the 84 I try to at least scan daily). You seem to be
posting from IP space owned by Demon Internet, and they even have their
own news server. For others who aren't as lucky, there are free (as in
"no cost") news servers with better abuse control than google, as well
as a large number of low cost commercial news servers. A fair number
of them even offer 'web' interface if for some bizarre reason that is
the only access you have to the Internet. It's your choice.

Old guy
#7 (permalink)
01-19-2008, 06:15 AM
Darren Salt

I demand that Moe Trin may or may not have written...

[snip; in reply to Ottavio Caruso]
> You seem to be posting from IP space owned by Demon Internet, and they even
> have their own news server.


.... but Usenet access via Demon's server isn't listed as part of their Home
8000 offering, whereas it is for their Home/Office and Business offerings. I
have no idea whether it's actually accessible by people using Home 8000,
though.

[snip]
--
| Darren Salt | linux or ds at | nr. Ashington, | Toon
| RISC OS, Linux | youmustbejoking,demon,co,uk | Northumberland | Army
| Let's keep the pound sterling

Someone is speaking well of you. How unusual!
#8 (permalink)
01-19-2008, 06:15 AM
John Thompson

On 2007-09-08, Ottavio Caruso <pr0f3ss0r1492@yahoo.com> wrote:

> Moe Trin wrote:
>> On Thu, 06 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
>> <1189104898.984110.53080@22g2000hsm.googlegroups.com>, ianbrn@gmail.com wrote:
>>
>> NOTE: Posting from groups.google.com (or some web-forums) dramatically
>> reduces the chance of your post being seen. Find a real news server.


> Rubbish! Explain that!


Google Groups has an extremely poor signal to noise ratio; a huge
proportion of the spam seen on Usenet can be traced back to Google
Groups. So much so that many people (not me, yet -- although I've been
sorely tempted many times) explicitly filter out articles originating
from Google Groups.

--

John (john@os2.dhs.org)
#9 (permalink)
01-19-2008, 06:15 AM
Moe Trin

On Sat, 08 Sep 2007, in the Usenet newsgroup comp.os.linux.setup, in article
<4F24AE45D4%news@youmustbejoking.demon.cu.invalid>, Darren Salt wrote:

>[snip; in reply to Ottavio Caruso]
>> You seem to be posting from IP space owned by Demon Internet, and they
>> even have their own news server.

>
>... but Usenet access via Demon's server isn't listed as part of their
>Home 8000 offering, whereas it is for their Home/Office and Business
>offerings. I have no idea whether it's actually accessible by people
>using Home 8000, though.


Some ISPs seem to think it's not important (aol.com, Bharti, Reliance,
and VSNL being examples which cause their "users" to post from google)
but even .163.net in China has a server, and I've seen it used by their
customers. None-the-less, as I continued

]] For others who aren't as lucky, there are free (as in "no cost")
]] news servers with better abuse control than google, as well as a
]] large number of low cost commercial news servers. A fair number
]] of them even offer 'web' interface if for some bizarre reason that
]] is the only access you have to the Internet.

Some of the "free" servers (and web-forums that are porting Usenet)
don't have the best reputation (and therefore may be killfiled by some),
but they are _usually_ better than google.

It doesn't have to take a lot of hardware, bandwidth, or effort to
setup and run a news server. The "official" Big Eight newsgroups
(comp.*, humanities.*, misc.*, news.*, rec.*, sci.*, soc.*, and
talk.*) only total 2276 groups as of the 15th of August (see the
post "List of Big Eight Newsgroups" posted to news.announce.newgroups,
news.groups, and news.lists.misc on the 15th of each month), and even
that list is getting smaller as the Big Eight managers are deleting
"dead" groups. Actually, one of the ISPs I have access to seems to
be carrying "anything you want - just ask for it", and the few times
I've looked at it, I think it's a *nix server running leafnode and
admin'ed by the owner's son.

Old guy
#10 (permalink)
01-19-2008, 06:15 AM
The Natural Philosopher

Moe Trin wrote:
>
>
> It doesn't have to take a lot of hardware, bandwidth, or effort to
> setup and run a news server.


It most certainly DOES if you are an ISP and aim to carry everything.

Last time I built one it was the most expensive server I had ever built,
and it still didn't really cope after the first 6 months. The Usenet
volume is MASSIVE, especially with binaries included.

The service is also regarded by most customers as something that ought
to come free.

It's no surprise that most ISPs simply say 'get it off Google if you
really want it'.