Resolving “chsh: PAM Authentication Failed” When Changing Default Shell in Linux



When attempting to change my default shell using chsh -s /bin/zsh as root, I encountered the frustrating PAM authentication failed error. This occurred despite having proper sudo privileges and zsh listed in /etc/shells.

First, let's examine the key configuration files involved:

# /etc/pam.d/chsh contents:
#
# The PAM configuration file for the Shadow `chsh' service
#
auth       required   pam_shells.so
auth       sufficient pam_rootok.so
@include common-auth
@include common-account
@include common-session

Several factors could trigger this error:

1. Missing shell in /etc/shells
2. Corrupted PAM configuration
3. SELinux/AppArmor restrictions
4. Incorrect /etc/passwd entry format

After thorough investigation, I discovered my /etc/passwd entry had become malformed from a previous chsh -s zsh attempt (without full path):

# Before (incorrect):
root:x:0:0:root:/root:zsh

# After correction:
root:x:0:0:root:/root:/bin/zsh

If manual /etc/passwd editing isn't preferred, try these methods:

# Method 1: Use usermod
sudo usermod -s /bin/zsh $(whoami)

# Method 2: Re-run chsh with the full path (Shadow's chsh has no -v debug option)
sudo chsh -s /bin/zsh

# Method 3: Check PAM logs
journalctl -xe | grep pam

To avoid similar issues:

1. Always use full paths with chsh
2. Verify shell exists in /etc/shells
3. For root changes, consider:
   sudo chsh -s /bin/zsh root
4. Validate changes with:
   grep "^$(whoami):" /etc/passwd

I recently encountered a frustrating issue when trying to change my default shell to zsh as root user. Despite having all the correct configurations, chsh -s /bin/zsh kept throwing the "PAM authentication failed" error. Here's how I investigated and solved the problem.

First, I checked the PAM configuration file for chsh (/etc/pam.d/chsh):

#
# The PAM configuration file for the Shadow `chsh' service
#

# This will not allow a user to change their shell unless
# their current one is listed in /etc/shells.
auth       required   pam_shells.so

# This allows root to change user shell without being
# prompted for a password
auth            sufficient      pam_rootok.so

# Standard Unix authentication modules
@include common-auth
@include common-account
@include common-session

I then confirmed that zsh was listed in /etc/shells:

# /etc/shells: valid login shells
/bin/sh
/bin/dash
/bin/bash
/bin/rbash
/usr/bin/tmux
/usr/bin/screen
/bin/zsh
/usr/bin/zsh

After digging deeper, I realized the issue stemmed from a previous shell change attempt using:

chsh -s zsh

This had modified my /etc/passwd entry to:

root:x:0:0:root:/root:zsh

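The problem was that this entry is not a valid shell path. pam_shells.so is marked required and, as the comment in /etc/pam.d/chsh says, only passes when the account's current shell is listed in /etc/shells. The bare value zsh is not listed, so PAM authentication failed even for root, despite pam_rootok.so.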

I resolved this by directly editing /etc/passwd to specify the full path:

# Use vipw for safe editing or:
sudo nano /etc/passwd

# Change from:
root:x:0:0:root:/root:zsh

# To:
root:x:0:0:root:/root:/bin/zsh

For those who prefer not to edit /etc/passwd directly, here are other approaches:

# Method 1: Use usermod
sudo usermod -s /bin/zsh root

# Method 2: Temporary fix for testing
sudo ln -s /bin/zsh /usr/bin/zsh
chsh -s /bin/zsh

To avoid this problem:

  • Always use full paths when changing shells
  • Verify shell changes with getent passwd $USER
  • Consider using which zsh to find the correct path first
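
The verification advice above can be turned into a check that runs over the whole passwd file. The following is an added example, not part of the original post: the function name check_login_shells, its output format and the sample entries are constructed for illustration. It reports every account whose shell field is not an absolute path or is not listed in the shells file, which is the condition pam_shells.so enforces.

```shell
#!/bin/sh
# Added example (not from the original post): list passwd entries whose
# login shell pam_shells.so would reject. Function name and output format
# are this example's own.
# Usage: check_login_shells PASSWD_FILE SHELLS_FILE
# Prints "user:shell:reason" per offending entry; returns 1 if any are found.
check_login_shells() {
    awk -F: -v shells="$2" '
        BEGIN {
            # Load the allowed shells, skipping comments and blank lines.
            while ((getline line < shells) > 0)
                if (line !~ /^[ \t]*#/ && line !~ /^[ \t]*$/) valid[line] = 1
            close(shells)
        }
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        NF != 7  { print $1 ":" $NF ":malformed entry, expected 7 fields"; bad = 1; next }
        $7 == "" { next }  # empty field: passwd(5) default of /bin/sh applies
        $7 !~ /^\// { print $1 ":" $7 ":not an absolute path"; bad = 1; next }
        !($7 in valid) { print $1 ":" $7 ":not listed in shells file"; bad = 1 }
        END { exit bad + 0 }
    ' "$1"
}

# Constructed sample data reproducing the broken entry from the post.
demo_dir=$(mktemp -d)
cat > "$demo_dir/shells" <<'EOF'
# /etc/shells: valid login shells
/bin/sh
/bin/bash
/bin/zsh
/usr/bin/zsh
EOF
cat > "$demo_dir/passwd" <<'EOF'
root:x:0:0:root:/root:zsh
alice:x:1000:1000:Alice:/home/alice:/bin/zsh
bob:x:1001:1001:Bob:/home/bob:/opt/fish/bin/fish
EOF
check_login_shells "$demo_dir/passwd" "$demo_dir/shells" ||
    echo "fix the entries above with vipw or usermod -s"
rm -rf "$demo_dir"
```

On a real system, run it as check_login_shells /etc/passwd /etc/shells. Service accounts whose shell is a nologin binary will usually show up as not listed, which is expected; the entries to fix are the ones reported as not an absolute path.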