Sudo password not accepted after loading older Generation

I’m new at NixOS and running unstable.

I made an error in my configuration.nix trying to add a drive. NixOS doesn’t boot now, because it’s waiting for the device and then goes into emergency mode.

I therefore loaded an older generation that booted fine. However, in this and all other generations my sudo password isn’t accepted anymore, so I can’t fix the mistake.

I never changed the password or did any modification of the user. I have just one User and that User has got sudo privileges.

What could be the reason for this and how do I fix it?


No clue! This might happen if you accidentally deleted some files, perhaps?

Grab your NixOS ISO USB, boot into it, mount your system and use nixos-enter.

Then either use passwd <username> to change your password - since the live USB will enter your host as root, this will allow you to change the password without a challenge - or update your configuration if you use declarative user config and rebuild from there.

This wiki page describes the process in a bit more detail: Change root - NixOS Wiki

This, by the way, is also how you would fix drive configuration mistakes (or anything else that locks you out) without reverting to older generations.

Shout if you need help figuring that out. I wonder if it’s time for a simpler way to launch a rescue shell from the live USB.

Thank you for your help and your suggestion. I eventually just reinstalled NixOS, thankfully that’s really convenient with NixOS (I am just coming from Arch).

I was wondering: when it entered emergency mode, I was asked for my root password. I entered the sudo password but that didn’t allow me to log in.

Maybe that somehow interacted with my sudo User?

Hm, I don’t see how it would. For reference, root != sudo (as you’ve noticed).

At risk of completely overloading you with detail that you don’t care about, but to clarify, sudo uses this little piece of Linux permissions called “setuid”, which allows you to make a binary owned by a certain user always execute as if the user executing it was the user that owns it. In the case of sudo, it’s owned by root, and therefore sudo itself will be executed by anyone as if they were the root user.

Sudo then asks the user for their user password, to ensure that the user is actually the one running it (and to give them a chance to check for typos), and then executes whatever you want it to as root.

The emergency mode on the other hand is executed very early at boot time, even before the kernel has fully started sometimes. It’s just a shell you’re put in, provided by systemd, which in turn is the first process that runs and always executed as root. The rescue mode shell login will ask you for the password of specifically the root user, because it literally signs in as root.

Therefore, sudo ← password of user who is configured with sudo (sometimes called wheel) permissions, rescue mode ← root user password.

Besides the fact that sudo is owned by the root user, these things are completely unrelated, and the passwords used for each are disconnected. That said, the file that stores user passwords contains both passwords and lives in /etc/shadow. So if you broke your partitions sufficiently, that file may have disappeared, and you might not have had passwords anymore. Or maybe you accidentally got rid of the sudo config, or changed from ext4 to NTFS, or something like that. Hard to know without further debugging.

Also tangentially, when you first install NixOS it will ask you to set a password for the root user, which is the password used for that. Personally I typically disable that (with --no-root-passwd, which just disables root login entirely), but if you do set a root password that’s the one to sign into your rescue mode.

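As an added example (not part of the thread): a read-only shell check of the two things the reply above says sudo depends on, the setuid bit on the sudo binary and the user's entry in /etc/shadow. The function names, the sample shadow lines and the /run/wrappers/bin/sudo wrapper path are assumptions of this example.

```shell
#!/bin/sh
# Added example: read-only checks, nothing here modifies the system.

# Print the state of USER's password field in a shadow-format FILE:
#   no-file | unreadable | no-entry | empty | locked | hashed
shadow_state() {
    [ -e "$1" ] || { echo no-file; return 0; }
    [ -r "$1" ] || { echo unreadable; return 0; }   # needs root for /etc/shadow
    awk -F: -v u="$2" '
        $1 == u {
            found = 1
            if ($2 == "")          print "empty"    # no password set
            else if ($2 ~ /^[!*]/) print "locked"   # no typed password can match
            else                   print "hashed"   # normal case
            exit
        }
        END { if (!found) print "no-entry" }' "$1"
}

# Print the owning uid if FILE carries the setuid bit, else the reason it does not.
setuid_owner() {
    [ -e "$1" ] || { echo missing; return 0; }
    [ -u "$1" ] || { echo not-setuid; return 0; }
    stat -c %u "$1"      # GNU stat syntax; 0 means owned by root
}

# Constructed sample data, not taken from any real system.
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:!:19000::::::
alice:$y$j9T$CONSTRUCTEDSALT$CONSTRUCTEDHASH:19000::::::
bob::19000::::::
EOF

for u in root alice bob carol; do
    printf '%-6s %s\n' "$u" "$(shadow_state "$sample" "$u")"
done
rm -f "$sample"

# Assumed NixOS location of the setuid wrapper for sudo.
printf 'sudo   %s\n' "$(setuid_owner /run/wrappers/bin/sudo)"
```

On a real system, run `shadow_state /etc/shadow <username>` as root, for instance from inside nixos-enter.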

Thank you for the explanation. I installed NixOS with Calamares (kind of noobish, I know :innocent:) and checked the option for “Use the same password for the administrator account”. Therefore I was surprised that the password wasn’t accepted. I never changed my user or the root user.

I only added a drive in configuration.nix, which was the wrong thing to do, I then realised. The system couldn’t mount it and instead of just booting without the drive (which I thought it would in this case) it entered emergency mode.

The right way for me was to mount the drive, then run nixos-generate-config and then run nixos-rebuild switch.


I had the same issue on one of my machines. Oddly enough, running sudo ... did prompt me for the password, which was correct, but told me otherwise. However, if I used su the password did get accepted and I could continue to nixos-rebuild switch from there.
I could also just reset my password with passwd <username> without any problems. sudo worked again afterwards.