passwd: Authentication token manipulation error using PAM RHEL
Whenever a relatively recently added user attempts passwd he receives the error:
"passwd: Authentication token manipulation error" when he enters his current password. Root and longer term users can change passwords without any problems.
So far I've recreated the password shadow file and made sure passwd had the correct suid.
For the pam_tally2.so line, it should be "unlock_time=900". So, add the missing '=' there.
For the other line, someone stuck pam_cracklib.so before pam_passwdqc.so. So, everything after pam_cracklib.so is treated as an option for it, but nothing on the remainder of that line is a valid cracklib option. Remove the pam_cracklib.so, and you are left with the pam_passwdqc.so configuration, and those options look ok for that module.
I initiated the changes as suggested by sgrlscz, but I then had some users complaining that they couldn't log in, and I found they were getting account lockouts after 3 failures. Is it correct to assume that their existing passwords don't meet minimum password requirements defined in the pam_passwdqc module? Is there a way I can "grandfather" in their existing passwords and/or allow them to log in but force them to change upon login? Thanks.
The password settings only affect when they change passwords. It has nothing to do with the lockouts.
They are getting locked out after 3 failures because that's what you are doing with the pam_tally2 line at the top. The "deny=3" says to lock the account after 3 failed attempts (the unlock_time says to unlock the account 900 seconds later).
Thanks for the reply sgrlscz. Yes, I figured that, and sorry I wasn't specific, but the users are getting locked out after I make the change. At that point, when they log in and type their known/existing passwords, the system doesn't recognize those passwords, and of course after three attempts they get locked out. I thought that the pam_passwdqc module was for setting password policies, but when I configure the line in question to use the pam_cracklib module instead, users are able to log in with their existing passwords and use the passwd command without error.
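The two faults sgrlscz points out (a pam_tally2 option missing its '=', and pam_cracklib.so stuck in front of pam_passwdqc.so so that the remainder of the line is parsed as cracklib options) can be caught with a small lint pass before the file goes live. This is an added example, not code from the thread; the sample config lines are constructed and the pam_tally2 option list is a subset.

```python
# Added example, not from the thread: lint PAM lines for the two faults
# sgrlscz describes. The sample config is constructed to resemble a broken
# RHEL /etc/pam.d/system-auth; the real file on the poster's box differs.
BROKEN_SYSTEM_AUTH = """\
auth     required   pam_tally2.so deny=3 onerr=fail unlock_time900
auth     required   pam_env.so
auth     sufficient pam_unix.so nullok try_first_pass
password requisite  pam_cracklib.so pam_passwdqc.so min=disabled,disabled,16,12,8 retry=3
password sufficient pam_unix.so sha512 shadow try_first_pass use_authtok
"""

# Subset of pam_tally2 options that take a value; one of them without '='
# is a typo, not a flag.
TALLY2_VALUE_OPTS = ("deny", "unlock_time", "root_unlock_time", "onerr", "file")

def parse_line(line):
    """Split a PAM line into (type, control, module, [options]) or None."""
    fields = line.split()
    if len(fields) < 3 or fields[0].startswith("#"):
        return None
    return fields[0], fields[1], fields[2], fields[3:]

def lint(text):
    """Return [(line_no, message)] for every fault found in the config text."""
    problems = []
    for n, raw in enumerate(text.splitlines(), 1):
        parsed = parse_line(raw)
        if parsed is None:
            continue
        _, _, module, opts = parsed
        for o in opts:
            # Fault 1: a value-taking pam_tally2 option that lost its '='.
            if module == "pam_tally2.so" and "=" not in o and o.startswith(TALLY2_VALUE_OPTS):
                problems.append((n, f"{module}: option '{o}' is missing '='"))
            # Fault 2: a second module name among the options. PAM hands every
            # token after the first module to that module, so the second one is
            # never loaded and its options are parsed by the wrong module.
            if o.endswith(".so"):
                problems.append((n, f"{module}: '{o}' appears in its option list"))
    return problems

def lockout_policy(text):
    """Return (deny, unlock_time) from the pam_tally2 line, or None if absent."""
    for raw in text.splitlines():
        parsed = parse_line(raw)
        if parsed and parsed[2] == "pam_tally2.so":
            kv = dict(o.split("=", 1) for o in parsed[3] if "=" in o)
            return int(kv.get("deny", 0)), int(kv.get("unlock_time", 0))
    return None
```

On the broken sample, lockout_policy reports deny=3 with an unlock_time of 0, which is exactly the "locked after 3 failures and never automatically unlocked" behaviour the thread describes; with the '=' restored it reports (3, 900).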