Pam_get_authtok_verify Returned Error Failed Preliminary Check By Password Service
Greetings,

I am setting up Centos 6 i686 remotely, on a new VPS. A problem I have is that I cannot set password for new users. I have created one with useradd -m new_user but when I type passwd new_user this is the result:

    [root at vps ~]# passwd new_user
    Changing password for user new_user
    New password:
    Retype new password:
    passwd: Authentication token manipulation error
    [root at vps ~]# tail /var/log/secure
    Sep 27 17:30:30 vps passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service

but I have no clue what the check I've failed is, or if it's a console problem (locales, weird control characters) or maybe a selinux thing?

For the record, if I enter a weak password on purpose, e.g. "amok", everything works, meaning that I get an explanation like "password refused because it's too short", or something like that. But when I try longer passwords, with or without non alphanumeric characters, I get this error.

What else should I check, or fix?

TIA,
Marco

More information about the CentOS mailing list
manipulation error
Date: Thu, 03 May 2001 16:06:47 EDT
http://www.redhat.com/archives/pam-list/2001-May/msg00004.html
http://www.cnblogs.com/createyuan/p/4779011.html

I'm in the process of migrating a system running HP-UX 10.10 to Red Hat 7.0 and when I moved the unshadowed HP-UX /etc/passwd file over, I found that my users could then log into their new accounts, that the transferred passwd file allows them access to the account on the new machine but that they cannot change their passwords. They get this message:

    passwd:authentication token manipulation error

The PAM-Linux configuration is the Red Hat default (I certainly haven't messed with it). Here are the contents of /etc/pam.d/passwd:

    #%PAM-1.0
    auth required /lib/security/pam_stack.so debug service=system-auth
    account required /lib/security/pam_stack.so debug service=system-auth
    password required /lib/security/pam_stack.so debug service=system-auth

Here are the contents of /etc/pam.d/system-auth (with debug and audit parameters newly introduced by me):

    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth sufficient /lib/security/pam_unix.so debug audit likeauth nullok md5 shadow
    auth required /lib/security/pam_deny.so
    account sufficient /lib/security/pam_unix.so debug audit
    account required /lib/security/pam_deny.so
    password required /lib/security/pam_cracklib.so debug retry=3
    password sufficient /lib/security/pam_unix.so debug audit nullok use_authtok md5 shadow
    password required /lib/security/pam_deny.so
    session required /lib/security/pam_limits.so
    session required /lib/security/pam_unix.so debug audit

Appended are the relevant lines of /var/log/secure after the debug and audit parameters were added. Two attempts are logged. The first by the user (fjaumott) trying to change her own password, the second one by root intending to change it for her.
If anyone could help me understand what's going on and make a recommendation, I'd be grateful. I've been reading the PAM documentation but I'm still clueless.

Thanks.
Peter Brown

/var/log/secure:

    May 3 11:28:01 net-36778 pam_stack[19725]: called from "passwd"
    May 3 11:28:01 net-36778 pam_stack[19725]: initializing
    May 3 11:28:01 net-36778 pam_stack[19725]: creating environment
    May 3 11:28:01 net-36778 pam_stack[19725]: setting item PAM_SERVICE to "passwd"
    May 3 11:28:01 net-36778 pam_stack[19725]: setting item PAM_USER to "fjaumott"
    May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_TTY is NULL
    May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_RHOST is NULL
    May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_RUSER is NULL
    May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_USER_PROMPT is NULL
Control-flag Module-path Module-arguments

Each line represents one independent verification method, and each configuration file can be built by stacking several verification rules on top of one another. During verification the PAM API reads these rules one by one from top to bottom and acts on each according to its control flag.

required: if one fails, continue downward until all of them have completed.
requisite: if one fails, everything ends.
sufficient: if one succeeds, everything ends.

Authentication service modules: used to grant users access to an account or service. Modules providing this service can authenticate users and set up user credentials.
Account management modules: used to determine whether the current user's account is valid. Modules providing this service can check password or account expiration and time-restricted access.
Session management modules: used to set up and terminate login sessions.
Password management modules: used to enforce password strength rules and perform authentication token updates.

    [root@84-monitor pam.d]# cat sshd
    #%PAM-1.0
    auth required pam_sepermit.so
    auth include password-auth
    account required pam_nologin.so
    account include password-auth
    password include password-auth
    # pam_selinux.so close should be the first session rule
    session required pam_selinux.so close
    session required pam_loginuid.so
    # pam_selinux.so open should only be followed by sessions to be executed in the user context
    session required pam_selinux.so open env_params
    session optional pam_keyinit.so force revoke
    session include password-auth
    [root@84-monitor pam.d]# cat password-auth-ac
    #%PAM-1.0
    # This file is auto-generated.
    # User changes will be destroyed the next time authconfig is run.
    auth required pam_env.so
    auth sufficient pam_unix.so nullok try_first_pass
    auth requisite pam_succeed_if.so uid >= 500 quiet
    auth required pam_deny.so
    account required pam_unix.so
    account sufficient pam_localuser.so
    account sufficient pam_succeed_if.so uid < 500 quiet
    account required pam_permit.so
    password requisite pam_cracklib.so try_first_pass retry=3 type=
    password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
    password required pam_deny.so
    session optional pam_keyinit.so revoke
    session required pam_limits.so
    session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
    session required pam_unix.so
    [root@84-monitor pam.d]# cat login
    #%PAM-1.0
    auth [user
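
Added example, not part of the original page and not code from any PAM project: a small Python model of the required / requisite / sufficient rules described above, walked over the two password stacks shown on this page. The function names and the per-module outcomes are assumptions constructed for illustration; include, optional and bracketed control flags are not modelled.

```python
import os

# Password stacks copied from the two configurations shown on this page.
CENTOS6_PASSWORD_AUTH = """\
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
"""
RH7_SYSTEM_AUTH = """\
password required /lib/security/pam_cracklib.so debug retry=3
password sufficient /lib/security/pam_unix.so debug audit nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
"""

def parse_stack(text, module_type="password"):
    """Return [(control_flag, module_basename)] for one module type."""
    rules = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] != module_type:
            continue  # blank lines, comments and other module types
        if fields[1] not in ("required", "requisite", "sufficient"):
            # include, optional and [value=action] flags are outside this model
            raise ValueError("unsupported control flag: " + fields[1])
        rules.append((fields[1], os.path.basename(fields[2])))
    return rules

def evaluate(rules, outcomes):
    """Walk rules top to bottom; outcomes maps module -> True/False (constructed).
    Returns (stack_succeeded, modules_that_ran)."""
    required_failed = False
    ran = []
    for flag, module in rules:
        ok = outcomes[module]
        ran.append(module)
        if flag == "requisite" and not ok:
            return False, ran           # one failure ends everything
        if flag == "required" and not ok:
            required_failed = True      # failure is recorded, evaluation goes on
        if flag == "sufficient" and ok and not required_failed:
            return True, ran            # one success ends everything
    return not required_failed, ran

# Constructed outcomes: the strength check rejects or accepts the new password.
REJECTED = {"pam_cracklib.so": False, "pam_unix.so": True, "pam_deny.so": False}
ACCEPTED = {"pam_cracklib.so": True, "pam_unix.so": True, "pam_deny.so": False}

if __name__ == "__main__":
    for name, text in (("CentOS 6", CENTOS6_PASSWORD_AUTH), ("Red Hat 7.0", RH7_SYSTEM_AUTH)):
        for label, out in (("rejected", REJECTED), ("accepted", ACCEPTED)):
            print(name, label, evaluate(parse_stack(text), out))
```

With pam_cracklib marked requisite the stack stops at the first failure, while with required the remaining modules still run before the failure is returned.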