Users trying to change their own password are (regardless of their chosen new password) confronted with an error due to cracklib being used for PAM. The error varies between a "too short" word and a dictionary word. After the attempt to change their password, users cannot log in again. Root can change passwords "almost" without problems. On one machine root's password possibly became corrupted in the process, disallowing login at all.

The "solution" was to comment out the lines:

#password required /lib/security/pam_cracklib.so retry=3
#password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
#password required /lib/security/pam_deny.so

in /etc/pam.d/system-auth, replacing them with:

password required /lib/security/pam_unix.so nullok md5 shadow

This is simply a work-around for the bug, it seems. Now new passwords are not checked against dictionary words or length.

Reproducible: Always

Steps to Reproduce:
1. As user, try to change password (`passwd`)

Actual Results:
Changing password for testuser
(current) UNIX password:
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
New UNIX password:
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Expected Results:
Changing password for testuser
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Portage 2.0.51-r3 (default-linux/x86/2004.0, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.6.8.1 i686)
=================================================================
System uname: 2.6.8.1 i686 AMD Duron(tm) Processor
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers: sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=k6 -mmmx -O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k6 -mmmx -O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distcc distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 apm avi berkdb bitmap-fonts crypt encode f77 foomaticdb fortran ftp gdbm gif gpm gtk2 imap imlib jpeg libg++ libwww mbox mikmod motif mpeg ncurses nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang spell ssl svga tcpd tiff truetype x86 xml2 xmms xv zlib"
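The report above quotes two password stacks for /etc/pam.d/system-auth: the original one (pam_cracklib, then pam_unix with use_authtok, then pam_deny) and the work-around (pam_unix alone). The following is an added example, not code from the bug report or from Linux-PAM: it parses both stacks and walks them with Linux-PAM's documented control-flag rules (required, requisite, sufficient, optional) so you can see why a pam_cracklib rejection ends in a failed token change, why pam_deny is never reached on the success path, and why the work-around accepts any password. The module behaviour, the word list (DICTIONARY), the minimum length (MIN_LEN) and the passwords used are constructed stand-ins, not cracklib's real rules.

```python
"""Simulate how a Linux-PAM 'password' stack decides the outcome of passwd.

Added example (not from the bug report or from Linux-PAM itself).  Module
behaviour, the word list and the minimum length are simplified stand-ins.
"""
from dataclasses import dataclass, field

# The two stacks exactly as quoted in the report (original and work-around).
ORIGINAL_STACK = """\
password required   /lib/security/pam_cracklib.so retry=3
password sufficient /lib/security/pam_unix.so nullok md5 shadow use_authtok
password required   /lib/security/pam_deny.so
"""
WORKAROUND_STACK = """\
password required   /lib/security/pam_unix.so nullok md5 shadow
"""

# Constructed stand-ins for cracklib's dictionary and minimum length (assumption).
DICTIONARY = {"password", "secret", "gentoo", "letmein"}
MIN_LEN = 8
# Real PAM modules that enforce password quality; used by enforces_quality().
QUALITY_MODULES = {"pam_cracklib.so", "pam_pwquality.so", "pam_passwdqc.so"}


@dataclass
class Entry:
    control: str                              # required | requisite | sufficient | optional
    module: str                               # basename, e.g. pam_unix.so
    args: list = field(default_factory=list)  # module arguments


def parse_stack(text, module_type="password"):
    """Parse pam.d lines of one type; '#' comments and blank lines are skipped."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) < 3 or parts[0] != module_type:
            continue
        entries.append(Entry(parts[1], parts[2].rsplit("/", 1)[-1], parts[3:]))
    return entries


def enforces_quality(entries):
    """True if any quality-checking module is present in the stack."""
    return any(e.module in QUALITY_MODULES for e in entries)


def run_module(entry, password, state):
    """Simplified module behaviour. state['authtok'] is the token that a later
    module with use_authtok picks up instead of prompting itself."""
    if entry.module == "pam_cracklib.so":
        low = password.lower()
        if low in DICTIONARY or low[::-1] in DICTIONARY:
            return False, "it is based on a dictionary word"
        if len(password) < MIN_LEN:
            return False, "it is too short"
        state["authtok"] = password
        return True, "password accepted, token passed down the stack"
    if entry.module == "pam_unix.so":
        if "use_authtok" in entry.args and "authtok" not in state:
            return False, "use_authtok set but no earlier module supplied a token"
        state["authtok"] = password
        return True, "shadow entry updated"
    if entry.module == "pam_deny.so":
        return False, "pam_deny always fails"
    return False, "unknown module " + entry.module


def simulate(entries, password):
    """Apply Linux-PAM control-flag semantics; returns (success, trace lines)."""
    state, trace = {}, []
    required_failed = False   # a failed 'required' module is remembered
    any_success = False
    for e in entries:
        ok, why = run_module(e, password, state)
        trace.append(f"{e.control:<10} {e.module:<16} {'PASS' if ok else 'FAIL'}: {why}")
        if e.control == "requisite" and not ok:
            return False, trace                 # requisite failure stops at once
        if e.control == "required":
            if ok:
                any_success = True
            else:
                required_failed = True          # stack keeps running, result is fixed
        elif e.control == "sufficient":
            if ok and not required_failed:
                return True, trace              # short-circuit: later modules not run
            any_success = any_success or ok     # a sufficient failure is ignored
        # optional: result does not affect the outcome in this simplified model
    return (not required_failed) and any_success, trace


if __name__ == "__main__":
    for name, stack in (("original", ORIGINAL_STACK), ("work-around", WORKAROUND_STACK)):
        entries = parse_stack(stack)
        print(f"== {name} stack, enforces quality: {enforces_quality(entries)}")
        for pw in ("secret", "Tr0ub4dor&3"):
            ok, trace = simulate(entries, pw)
            verdict = "password updated" if ok else "Authentication token manipulation error"
            print(f"  new password {pw!r}: {verdict}")
            for line in trace:
                print("    " + line)
```

Run it as a script to see the per-module trace. With the original stack a weak password fails at pam_cracklib (required), so even though pam_unix and pam_deny still run, the outcome is already a failure; a good password is accepted by pam_cracklib, handed to pam_unix via use_authtok, and the sufficient success returns before pam_deny. The work-around stack reports enforces_quality() False and updates any password, which is exactly the security cost of that fix.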
I have a similar problem on one of my machines, but I get the "Authentication token ..." directly after issuing "passwd"; it doesn't even ask for the old password:

$ passwd
passwd: Authentication token manipulation error

This happens for ordinary users and root; I cannot change a single password with passwd. The weird thing is: last week it worked perfectly and I cannot remember having changed anything, especially not pam, cracklib or shadow. Removing cracklib from system-auth, as suggested by Ralph, changes the problem, but I still cannot change my password:

$ passwd
passwd: Permission denied

The following packages are installed:
sys-apps/shadow-4.0.5-r2
sys-libs/pam-0.77-r1
sys-libs/cracklib-2.7-r10

$ emerge info
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-hardened-r2 i686)
=================================================================
System uname: 2.4.27-hardened-r2 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers: sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.rub.de/download/gentoo-mirror"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://linux.rz.rub.de/gentoo-portage"
USE="3dnow apache2 apm berkdb bitmap-fonts crypt f77 fbcon fortran gdbm gif gtk2 imap innodb ipv6 jpeg libwww mad mbox md5sum mysql ncurses nls odbc oggvorbis pam pdflib perl png python readline sasl sftplogging skey slang spell sqlite ssl tcpd tetex x86 xml2 zlib"

Does anybody have a hint for me? I'm sorry if some important information is missing here, but I don't have much knowledge about PAM yet.
Mhmm... I re-emerged pam, shadow and cracklib (same versions, config files unchanged). It seems to work now. I don't know why, but anyway...
I re-emerged all 3 packages, and the first time around (as user) changing the password worked; however, after that it was straight back to where I started. Something is still horribly wrong here. On my systems this does not seem to be resolved in any way.
And you were not using a word based on a dictionary word I assume?
Having the same problem. When changing it as a user, I get an error that it's based on a (reversed) dictionary word. I'm not sure if "trzbla" is in the dictionary, but it's not in any language I know of :) Strange detail: if I add numbers to the password, like "trzbla5", it does NOT give any errors. It even updates the password. It seems cracklib is disallowing the update of any password it sees as "unsafe".
Sorry, just saw this bug was from 2004 :S The bug came back after emerging pam-0.78-r3 and overwriting the config files with the newly installed ones.
pam-0.99.8.1 has cracklib optional, and no one's going to touch the old junk. Plus, this is a feature and not a bug. Closing.