Pam_cracklib Passwd Authentication Token Manipulation Error
Avoid “Authentication token manipulation error” on password change

Source: http://unix.stackexchange.com/questions/80138/avoid-authentication-token-manipulation-error-on-password-change

I'm implementing a security policy that will force the users to introduce stricter passwords when they change their own.

The /etc/pam.d/passwd configuration file is:

    #%PAM-1.0
    auth     include common-auth
    account  include common-account
    password include common-password
    session  include common-session

So, I made changes in this file: /etc/pam.d/common-password. The default common-password file comes with these two lines:

    password requisite pam_pwcheck.so nullok cracklib
    password required  pam_unix2.so use_authtok nullok

I need to add several options to the pam_pwcheck (no problem with that) and another PAM module (pam_cracklib) to make the passwords stronger. Here is my final /etc/pam.d/common-password file, included from passwd:

    password requisite pam_cracklib.so minclass=3 retry=3
    password requisite pam_pwcheck.so nullok cracklib minlen=10 remember=5
    password required  pam_unix2.so use_authtok nullok

My problem occurs when I have both PAM modules configured: if I introduce a correct password, it works fine. If I introduce a bad password that must be rejected by pam_cracklib (for example, a password with only lower case letters), it works fine (rejects the password without problem). But when I introduce a password that is valid for cracklib but not for pwcheck (a password with upper case, lower case and numbers of 7 characters length), it rejects the password, but this error is shown:

    Bad password: too short
    passwd: Authentication token manipulation error

So, pam_pwcheck prints its error message (Bad password: too short), but something bad happens with the PAM chain. Do you know what is wrong in my configuration?

P.S. The "security" requirements are not mine at all, so please, avoid comments on it ;-).

Tags: security, password, pam
Asked Jun 20 '13 at 13:55; edited Jun 20 '13 at 17:31 by slm

Source: https://www.redhat.com/archives/pam-list/2006-March/msg00017.html

Date: Mon, 27 Mar 2006 16:24:54 +0200

Hello,

I've got the following situation: The 6000 accounts of our eMail-server are stored in /etc/passwd resp. /etc/shadow. To change their passwords, the users use a ssh-session. The only object of the ssh-session is to change a user's password, therefore the loginshell is /usr/bin/passwd. To avoid attacks on the ssh-daemon, we only want a separate web-server with a little php-web-page to open the ssh-session. I use apache/php with a php-module called php-ssh2 and a library called libssh2 to establish the ssh-session. This works fine, until it comes to the point where the old password is sent to /usr/bin/passwd. I get the following screen in /var/log/messages:

    sshd[]: pam_unix2: pam_sm_authenticate() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
    sshd[]: pam_unix2: pam_sm_acct_mgmt() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: expire() returned with 0
    sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
    sshd[]: pam_unix2: session started for user dummy, service sshd
    sshd[]: pam_unix2: pam_sm_setcred() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCES
    -passwd[]: pam_unix2: pam_sm_chauthtok() called
    -passwd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred() called
    sshd[]: pam_unix2: username=[dummy]
    sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
    sshd[]: pam_unix2: session finished for user dummy, service sshd
    -passwd[]: pam_unix2: pam_sm_chauthtok() called
    -passwd[]: pam_unix2: username=[dummy]
    -passwd[]: User dummy: Authentication token manipulation error
    -passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000

If I use some other tools like gnu-ssh or putty, it all works very well.

Is there a difference between the two methods gnu-ssh and PHP-script, which /usr/bin/passwd recognizes, e.g. keyboard-interactive vs. tunneled-cleartext? I think of this, because I had to change some settings in /etc/ssh/sshd-config, to enable tunneled-cleartext authentication: PasswordAuthentication yes enable or disable following in

Source: http://www.softpanorama.org/Authentication/Troubleshooting/authentication_token_manipulation_error.shtml

This nasty Suse and Red Hat error can have different (and sometimes multiple) causes. It does not prevent successful authentication, but it makes changing a password via passwd impossible. You can still "implant" a password from another server into the /etc/shadow file manually to bypass the error (the servers should have the identical encryption method set).

Often this error arises due to problems with the shadow file. For example, the shadow password file doesn't have an entry for this user, i.e. /etc/passwd has an entry for this user, but /etc/shadow doesn't. The checklist below might help to structure your troubleshooting efforts.

Checklist for the "Authentication token manipulation error"

- Is this a problem for a particular account or for all accounts, including root?
- Are you using something like NIS or LDAP? Try:

      grep passwd /etc/nsswitch.conf

  By running system-config-authentication you can configure the PAM settings for the files located in /etc/pam.d.
- Does the user exist in /etc/passwd and /etc/shadow? Are the attributes of those files correct? They should be:

      /etc/passwd root.root -rw-r--r--
      /etc/shadow root.root -r--------

- Check that the passwd command has the SUID bit enabled and is owned by root.root.
- Check the integrity of the package which contains passwd:

      rpm -qf /usr/bin/passwd
      pwdutils-3.0.7.1-17.24
      rpm -V pwdutils

- Are the records for the user valid? They may have been accidentally corrupted by manual editing; an extra or missing colon is a pretty common problem in this case. If the passwd and group files were copied from another server, the shadow and gshadow files are often not in sync.
- Try to delete and re-create the user records using useradd to make sure that all account records are in sync and valid.
- Are the permissions on /etc/passwd and /etc/shadow correct?
- Was the PAM configuration changed?
- What are the exact messages in /var/log/messages?
- Get an strace for the problematic system, and an strace for the same user on a system that works OK and has the same PAM configuration. Compare the failed and successful straces and find the point at which they diverge.
- Add debug option to relevant modules in PAM and see if they will

Authentication Token Manipulation Error when Changing User Passwords in Linux

Source: https://mohammednv.wordpress.com/2008/01/08/authentication-token-manipulation-error-when-changing-user-passwords-in-linux/
January 8, 2008 by Mohammed

You may get an error such as Authentication Token Manipulation Error while trying to change the password for a user. For example:

    # passwd user
    Authentication Token Manipulation Error
    #

This error is produced because you are using shadowed password files and the shadow file doesn't have an entry for this user, i.e. /etc/passwd has an entry for this user, but /etc/shadow doesn't. To resolve this, you can either add the entry manually or recreate the shadow file. You can use pwconv to recreate the shadow file. See the manpage for more details on this.

Comments

mohammednv, February 6, 2008 at 3:50 pm:

Here is another situation where I noticed this error. I was using PAM and the command "chage -d 0 username" to force the user "username" to change his/her password at his first log on. Actually, what I am going to mention here is *not* an error, but a mistake from my side. When you use PAM and the above command, it will ask for the present password twice: the first time as usual, and the second time when you are being forced to change the password. When I entered the first one correctly and the second one wrongly, I got this error.

    [abdurahiman@239 ~]$ ssh test1@192.168.1.40
    test1@192.168.1.40's password:
    You are required to change your password immediately (root enforced)
    WARNING: Your password has expired.
    You must change your password now and login again!
    Changing password for user test1.
    Changing password for test1
    (current) UNIX password:
    passwd: Authentication token manipulation error
    Connection to 192.168.1.40 closed.
    [abdurahiman@239 ~]$

You won't get this error if you enter the password carefully 😉.

Regards, Mohammed.

Git, November 17, 2013 at 2:17 am:

Any idea how to rectify the above error? I am trying to do ssh to another server, but got the same above error.