Sudo fails without prompting for password

A recent kernel update broke my system. I found a workaround by upgrading the kernel to latest (6.6.2). But, when I change the kernel version, sudo (and su for that matter) are broken. They will fail instantly without asking for password, logging that all three tries have failed for sudo.

Currently, I only see one option which would be to set my kernel version to the last working version which is 6.1.55. But I don’t know how to do it.

What could be the cause of this and how can I fix it ?

After a bit of looking around, I found that /etc/pam.d/sudo and /etc/pam.d/su were both empty after nixos-rebuild. It looks like something in the config file is wiping those files. I haven’t check for all the pam.d/* files yet. But this is definitly not normal ! For now, as a workaround, I writing the config file by hand in my configuration.nix file by copying the previous values. I’ll post an update on what I have done exactly tomorrow.

I’ll post a link to the issue I opened on github which has a fix for this bug. Even though, it is not meant to be permanent.

I’ll add that any new generation after the kernel upgrade will wipe those files, so this seems like an issue with NixOS. I highly doubt that my config file is in cause because I did not mess with sudo in any way. I’m wondering if everyone has those files in their system though, even if I’m pretty sure everyone does.

Issue : Upgrading the kernel wipes sudo and su pam.d files · Issue #270373 · NixOS/nixpkgs · GitHub

i can’t reproduce your bug.
/etc/pam.d/su /etc/pam.d/sudo are not empty.

config ?
logs ?

Having built thousands of generations over the years with workstations tracking unstable and servers on whatever is the current stable - and having built latest unstable just now, I have neither seen empty /etc/pam.d/* files nor heard anyone mention that. This is either a misconfiguration on your part or faulty hardware.

Edit : config file

# Edit this configuration file to define what should be installed on
# your system.  Help is available in the configuration.nix(5) man page
# and in the NixOS manual (accessible by running ‘nixos-help’).

{ config, pkgs, inputs, ... }:

  imports =
    [ # Include the results of the hardware scan.

  # Bootloader.
  boot.loader.systemd-boot.enable = true;
  boot.loader.efi.canTouchEfiVariables = true;
  boot.kernelPackages = pkgs.linuxPackages_latest;

  networking.hostName = "nixos"; # Define your hostname.
  # networking.wireless.enable = true;  # Enables wireless support via wpa_supplicant.

  # Configure network proxy if necessary
  # networking.proxy.default = "http://user:password@proxy:port/";
  # networking.proxy.noProxy = ",localhost,internal.domain";

  # Enable networking
  networking.networkmanager.enable = true;

  # Set your time zone.
  time.timeZone = "Europe/Paris";

  # Select internationalisation properties.
  i18n.defaultLocale = "fr_FR.UTF-8";

  i18n.extraLocaleSettings = {
    LC_ADDRESS = "fr_FR.UTF-8";
    LC_MONETARY = "fr_FR.UTF-8";
    LC_NAME = "fr_FR.UTF-8";
    LC_NUMERIC = "fr_FR.UTF-8";
    LC_PAPER = "fr_FR.UTF-8";
    LC_TELEPHONE = "fr_FR.UTF-8";
    LC_TIME = "fr_FR.UTF-8";

  # Enable the X11 windowing system.
  services.xserver.enable = true;

  # Enable the KDE Plasma Desktop Environment.
  services.xserver.displayManager.sddm.enable = true;
  services.xserver.desktopManager.plasma5.enable = true;

  # Configure keymap in X11
  services.xserver = {
    layout = "fr";
    xkbVariant = "";

  # Configure console keymap
  console.keyMap = "fr";

  # Enable CUPS to print documents.
  services.printing.enable = true;

  # Enable sound with pipewire.
  sound.enable = true;
  hardware.pulseaudio.enable = false;
  security.rtkit.enable = true;
  services.pipewire = {
    enable = true;
    alsa.enable = true;
    alsa.support32Bit = true;
    pulse.enable = true;
    # If you want to use JACK applications, uncomment this
    #jack.enable = true;

    # use the example session manager (no others are packaged yet so this is enabled by default,
    # no need to redefine it in your config for now)
    #media-session.enable = true;

  # Enable bluetooth
  hardware.bluetooth.enable = true;
  hardware.bluetooth.powerOnBoot = true;
  services.blueman.enable = true;  
  environment.etc = {
      "wireplumber/bluetooth.lua.d/51-bluez-config.lua".text = '' = {
	    ["bluez5.enable-sbc-xq"] = true,
	    ["bluez5.enable-msbc"] = true,
	    ["bluez5.enable-hw-volume"] = true,
	    ["bluez5.headset-roles"] = "[ hsp_hs hsp_ag hfp_hf hfp_ag ]"

  # Enable touchpad support (enabled default in most desktopManager).
  # services.xserver.libinput.enable = true;

  # Overlays
  nixpkgs.overlays = [
    (self: super: {
      waybar = super.waybar.overrideAttrs (oldAttrs: {
        mesonFlags = oldAttrs.mesonFlags ++ [ "-Dexperimental=true" ];

  # Define a user account. Don't forget to set a password with ‘passwd’.
  users.users.redcode = {
    isNormalUser = true;
    description = "Dan Liebault";
    extraGroups = [ "networkmanager" "wheel" ];
    packages = with pkgs; [

  # Allow unfree packages
  nixpkgs.config.allowUnfree = true;

  # Allow insecure
  nixpkgs.config.permittedInsecurePackages = [

  # Allow unstable
  nixpkgs.config.packageOverrides = pkgs: {
    unstable = import <nixos-unstable> {
      config = config.nixpkgs.config;

  # List packages installed in system profile. To search, run:
  # $ nix search wget
  environment.systemPackages = with pkgs; [
    # desktop/utils
    pavucontrol # audio

    # system

    # networking

    # apps

    # tools

  #programs.waybar.package = inputs.hyprland.packages.${pkgs.system}.waybar-hyprland;

  # Some programs need SUID wrappers, can be configured further or are
  # started in user sessions.
  # = true;
  # programs.gnupg.agent = {
  #   enable = true;
  #   enableSSHSupport = true;
  # };
  programs.hyprland = {
    enable = true;
    nvidiaPatches = true;
    xwayland = {
      enable = true;

  fonts.fonts = with pkgs; [

  xdg.portal = {
    enable = true;
    wlr.enable = true;

  xdg.portal.extraPortals = with pkgs; [

  environment.sessionVariables = {
    NIXOS_OZONE_WL = "1";

  # List services that you want to enable:

  # Enable the OpenSSH daemon.
  # services.openssh.enable = true;

  # Open ports in the firewall.
  # networking.firewall.allowedTCPPorts = [ ... ];
  # networking.firewall.allowedUDPPorts = [ ... ];
  # Or disable the firewall altogether.
  # networking.firewall.enable = false;

  # This value determines the NixOS release from which the default
  # settings for stateful data, like file locations and database versions
  # on your system were taken. It‘s perfectly fine and recommended to leave
  # this value at the release version of the first install of this system.
  # Before changing this value read the documentation for this option
  # (e.g. man configuration.nix or on
  system.stateVersion = "23.05"; # Did you read the comment?


you can check your hardware with tools like memtest(ram) and smartmontools(hdd).
strip your configuration.nix file to the minimum, you can use /* */ commentary and/or # ,
then re-add one config option at a time.

If your system config is done as a flake, you can also try this:

  cd $where_your_config_is
  nix repl
  # Then inside the repl, load the flake config
  :lf .
  # this should give you null. If you have an empty string instead, you know something is messing with it
  # this should give you a derivation - not the same path as me
  «derivation /nix/store/y8zw8708p64f579kz6pfi0bfszhnl419-su.pam.drv»
  # now take a look at it outside the repl
  cat /nix/store/y8zw8708p64f579kz6pfi0bfszhnl419-su.pam.drv
  # a look for the filename following "out" and cat that:
  cat /nix/store/12wav088kp22snm01wc4pbkbfy27mfz4-su.pam

If the last file has (correct) data, it’s something to do with the activation scripts.

1 Like

You are not configuring sudo, so that’s why it doesn’t work.

  security.sudo.enable = true;

I already tried this before. It doesn’t resolve the issue. Besides, it was working prior the kernel upgrade without the need to explicit sudo and the problem doesn’t only comes from sudo but also from su.