Rejecting passwordless sensitive account ‘user’

whonix26 · November 19, 2025, 4:49am

I get this whenever I run sudo:

ERROR: Rejecting passwordless sensitive account ‘user’!
/usr/libexec/security-misc/block-unsafe-logins failed: exit code 1
sudo: PAM authentication error: Unknown error -1
sudo: a password is required

I don’t have a sysmaint account, and I can’t run sudo in my user account. What should I do? I can’t even add a password to my user account!

arraybolt3 · November 19, 2025, 5:50am

Hmm, sounds like you just found a bug in Whonix 18. The PAM module that does this was designed to prevent unforeseen sysmaint mode bypasses when user-sysmaint-split is installed, but it’s likely actively detrimental when running without user-sysmaint-split like you’re doing.

I’ll make a fix for this. In the mean time, what you can probably do is change to a TTY, then log in as account root with password changeme, and set a password for your user account from there.

(In case someone sees this and says “oh my word the default root password is changeme, this is a horrible security hole”, it’s not. Standard user accounts are prevented from running su, so the only way to use an account password to authenticate as that account is to be able to log into that account graphically or via a TTY. Malicious software shouldn’t be able to do either thanks to file permissions, so essentially using the root password requires direct access to the VM console from outside the VM. Appropriate measures should be taken on the host to keep attackers from getting VM console access. ISO images don’t have this default password set.)

Patrick · November 19, 2025, 7:29am

A fix developed by @arraybolt3 has been merged and uploaded just now.
(Don't break passwordless sudo in unrestricted admin mode · Kicksecure/security-misc@936c799 · GitHub)
Uploaded to all repositories just now.

Root account is locked by default. (Root Account Locked)
So that probably won’t work.

What can be done instead:

Boot into a recovery console may be required. → Recovery Mode
Once in recovery mode, you can use pwchange or passwd to set a password. (Temporarily - until the fix is installed.) → Passwords

(Alternatively, one could sabotage the /usr/libexec/security-misc/block-unsafe-logins script by adding exit 0 below #!/bin/bash until the fix is installed. Or by emulating the fix. This has no adverse security effects for users not using user-sysmaint-split.)

mrxmr · November 19, 2025, 8:06am

Been following whonix forum for a while recently. Does this reported
(now fixed) bug affect(-ed) Qubes-Whonix 4.3rc-3? Kinda get the
impression that even if I upgrade to Qubes 4.3rc-4 (which will be out
soon) the Whonix-18 plumbing will take a few more months to become
stable.

Patrick · November 21, 2025, 1:47pm

It might have but only if not using user-sysmaint-split and attempting to log into a virtual console. Supposedly not something most users on Qubes do.

Off-topic. Please use a separate forum thread.

whonix26 · November 25, 2025, 5:49am

Thank you! This solved the issue!

Torprotector · December 8, 2025, 11:01am

Qubes os 4.3 latest rc, installed today. Whonix-gateway18 from template manager
I cant use sudo command with any boot mode

Sysmaint session

[template gateway sysmaint ~]% sudo apt install wget
ERROR: Rejecting sysmaint account in user session!
/usr/libexec/security-misc/block-unsafe-logins failed: exit code 1
sudo: PAM authentication error: Unknown error -1
sudo: a password is required
zsh: exit 1 sudo apt install wget

Unrestricted mode

[template gateway user ~]% sudo shutdown now
zsh: permission denied: sudo
zsh: exit 126 sudo shutdown now

How to get sudo permissions?

Patrick · December 8, 2025, 2:34pm

Only Whonix-Gateway Template has this issue?

Did you apply any other changes or it is happening in a newly installed Template?

Template version?

qubes-template-whonix-gateway-18 4.3.0-202511271158 (r4.3) · Issue #6229 · QubesOS/updates-status · GitHub or?
qubes-template-whonix-gateway-18 4.3.0-202512071252 (r4.3) · Issue #6252 · QubesOS/updates-status · GitHub?

You can see installed Template version in dom0 by running:

`qvm-template`

It will be under Installed Templates.

I tested both Templates just now. I cannot reproduce this. sudo works for me inside the Qubes R4.3 Template booted into sysmaint session.

In sysmaint session, command…

cat /proc/cmdline

does also output the following at the end?

boot-role=sysmaint systemd.unit=sysmaint-boot.target

In sysmaint session, command…

PAM_SERVICE=sudo PAM_USER=sysmaint bash -x /usr/libexec/security-misc/block-unsafe-logins

[template gateway sysmaint ~]% PAM_SERVICE=sudo PAM_USER=sysmaint bash -x /usr/libexec/security-misc/block-unsafe-logins

…ends with the following output?

+ true 'INFO: Running in sysmaint session and authenticating as sysmaint account, allowing authentication to proceed.'
+ exit 0

If not, please post the output here.

Patrick · December 8, 2025, 2:45pm

Temporary, until we fix this bug, if we can reproduce it… In case you or anyone else is experiencing it, wants to investigate and and needs root, here are instructions for that: Qubes Root Console

arraybolt3 · December 9, 2025, 1:54am

I can’t reproduce the issue here on my existing Qubes R4.3 installation. However, it sounds to me like the boot mode kernel parameters aren’t being properly set up during template installation. That would likely result in the behavior you’re seeing. Will reinstall Qubes and see if I can reproduce the issue thereafter.

Edit: Tested on a fresh installation of Qubes R4.3-rc4. Cannot reproduce issue there either. Can you share exact steps for reproducing the problem?

Torprotector · December 9, 2025, 7:16am

Oh, sorry. I understand. It’s has been broken only after install LKRG inside Whonix gateway qube.

Steps: fresh Whonix template

install LKRG (via dkms and official instructions)

Reboot

Sudo not work

It’s bug? LKRG is important for better security with pvgrub2-pvh kernel (in-VM kernel)

Patrick · December 9, 2025, 7:54am

I suspect this might because by setting pvgrub2-pvh alone. I suspect LKRG has no role in this. Will be investigated soon.

Torprotector · December 9, 2025, 10:57am

I will test it today

Torprotector · December 9, 2025, 1:27pm

You’re right. Change pvgrub2-pvh to fedora kernel fixed this issue. But I think it’s bug in

arraybolt3 · December 9, 2025, 5:33pm

This isn’t a bug but a limitation in Qubes OS. Boot modes are not supported when using an in-VM kernel (i.e. when using a pvgrub-family bootloader). See:

github.com/QubesOS/qubes-issues

Enable boot mode support with in-vm kernels via pvgrub

opened 08:31PM - 28 Mar 25 UTC

ArrayBolt3

C: Xen P: default

[How to file a helpful issue](https://www.qubes-os.org/doc/issue-tracking/) ###… The problem you're addressing (if any) At the moment, the boot mode features in Qubes OS only work when using a dom0-provided kernel. Whonix eventually would like to migrate to using an in-VM kernel, but also will depend on boot mode support soon (experimental builds already depend on it). We need some way of passing kernel parameters from boot modes to VMs even when using an in-VM kernel. ### The solution you'd like The current idea for how to do this is to use pvgrub2, which may be able to take input from dom0 (like kernel parameters destined for the in-VM kernel) and use that input at boot time. Ideally, all that would be necessary at that point would be to change the libvirt template in qubes-core-admin so that it would set a kernel command line for pvgrub2. pvgrub2 would then append (some of?) the boot options passed to it to the kernel command line when booting a qube. ### The value to a user and who that user might be Full support for user-sysmaint-split and boot modes for Whonix users, even when using the in-vm kernel for better security hardening. ### Completion criteria checklist (This section is for developer use only. Please do not modify it.)

Note that there is ongoing work to make boot modes work with pvgrub, but it’s not complete yet. See:

github.com/QubesOS/qubes-linux-pvgrub2

Add Xen command line parsing

main ← ArrayBolt3:main

opened 02:36AM - 01 Apr 25 UTC

ArrayBolt3

+566 -0

Enable GRUB to parse the Xen command line for parameters, and expose those param…eters to the GRUB config file (or rescue shell) as environment variables. The way this works is pretty simple: * When booting in PVH mode, grab the command line passed by Xen and copy it into the `start_info` struct pointed to by `grub_xen_start_page_addr`. (In PV mode, this struct has the command line pre-populated (by the hypervisor?), in PVH mode it has to be manually populated.) * Before parsing the GRUB configuration (or dropping to a rescue shell), parse the command line: * Break apart the command line into words, using spaces as the separator. Quotes (both single and double) can be used to suppress splitting, and backslashes can be used to escape characters. * For each word: * If the word contains an `=`, split the word on the first = sign. Export an environment variable with the name set to the word portion on left of the sign, and the value set to the word portion to the right of the sign. * Otherwise, export an environment variable with the name set to the word, and the value set to `1`. Submitting this for preliminary review, I still have some doubts and concerns about how this is done, namely: * I'm assuming that the command line pointed to by `pvh_start_info->cmdline_paddr` will not be any larger than `grub_xen_start_page_addr->cmd_line` variable. The latter is hard-coded to 1024 bytes, but the size of the string pointed to by the former doesn't appear to be defined. I should dig into Xen and make sure the command line will never exceed 1024 bytes (including the terminating `\0`), otherwise this could lead to some "fun" buffer overflows. * `pvh_start_info->cmdline_paddr` is a *physical* address (because of course it is, the hypervisor isn't about to mess with the page tables of the guest). The `grub_strcpy` call I do to copy its contents into `grub_xen_start_page_addr->cmd_line` therefore assumes paging is disabled (or the page(s) containing the command line are identity-mapped) at the time of copying. It also assumes that paging will still be disabled (or that the page(s) containing `grub_xen_start_page_addr->cmd_line` will be identity-mapped) by the time it's used during config parsing, since at best we're copying from a physical address to another physical address here. I tested this in a PVH VM and it *seems* to work without issues, but seeming to work and actually working are two very different things. I haven't done a deep-dive of when paging is and isn't used in GRUB yet, but it looks to me like some parts use it and some parts don't, so this is playing with fire. * Every single parameter passed from Xen to GRUB will end up an environment variable used when parsing the config file. This means that if in the future we ever want to pass parameters to GRUB on the Xen command line that do something other than set environment variables, the API will have to be broken. That might not be good. Changing this is pretty trivial given the way that I parse the command line. * No sanitization of variable names or values is done, arbitrary binary garbage (other than NUL of course) can go in both environment variable names and values. That's probably bad. How exactly should sanitization work though, do we just reject anything other than 7-bit ASCII, or are there scenarios where Unicode might legitimately be used here? * This hasn't been tested super thoroughly yet.

That’s the part that’s already done, but there’s still quite a bit more that needs to be done to get the feature fully working.

Torprotector · December 9, 2025, 6:02pm

It’s all working really weird. When running with pvgrub2-pvh, there are three modes to choose from. I disable pvgrub2-pvh and used the dom0 kernel. As a result, I can’t select modes anymore, only the standard user mode, with sudo privileges on list. I deleted the template, downloaded it again, and won’t experiment with it anymore, otherwise it might break.

arraybolt3 · December 9, 2025, 11:48pm

That will happen if you successfully boot the template in “unrestricted mode”. That mode actually uninstalls user-sysmaint-split. If you do this in an AppVM, the changes don’t persist after a reboot, but if you do it to a template, the changes will persist after a reboot. You can fix that by running sudo apt install user-sysmaint-split.

It might be a good idea for us to mark that boot mode in some way so that it’s obvious it’s dangerous to use in a template.

Torprotector · December 10, 2025, 8:58pm

I apologize for wasting your time. It seems this was either a mistake on my part or a coincidence. I was unable to reproduce the problem by repeating all the steps that led to it last time.

arraybolt3 · December 11, 2025, 12:40am

Don’t be sorry, you helped us realize something important with the “UNRESTRICTED Admin” mode. Thank you!