Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 71732

Summary: passwd: Authentication token manipulation error
Product: Gentoo Linux Reporter: Ralph Slooten <axllent>
Component: [OLD] LibraryAssignee: PAM Gentoo Team (OBSOLETE) <pam-bugs+disabled>
Status: RESOLVED WORKSFORME    
Severity: normal CC: Rainmaker526, schaedpq
Priority: High    
Version: unspecified   
Hardware: x86   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Ralph Slooten 2004-11-19 00:58:44 UTC 
Users trying to change their own password are (regardless of their chosen new password) confronted with an error due to cracklib being used for pam. The error varies from either a "too short" word, or dictionary word. After the attempt to change their password users cannot log in again.

Root can change the passwords "almost" without problems. On one machine root's password possibly became currupted in the process, dissallowing login at all.

The "solution" was to comment out the lines:
#password   required    /lib/security/pam_cracklib.so retry=3
#password   sufficient  /lib/security/pam_unix.so nullok md5 shadow use_authtok
#password   required    /lib/security/pam_deny.so


in /etc/pam.d/system-auth, replacing it with:

password   required     /lib/security/pam_unix.so nullok md5 shadow

This is simply a work-around for the bug it seems. Now new passwords are not checked against dictionary words or length.

Reproducible: Always
Steps to Reproduce:
1. As user, try change password (`passwd`)
Actual Results:  
Changing password for testuser
(current) UNIX password: 
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
New UNIX password: 
BAD PASSWORD: it is based on a dictionary word
passwd: Authentication token manipulation error

Expected Results:  
Changing password for testuser
(current) UNIX password:
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully


Portage 2.0.51-r3 (default-linux/x86/2004.0, gcc-3.3.4, glibc-2.3.4.20040808-r1,
2.6.8.1 i686)
=================================================================
System uname: 2.6.8.1 i686 AMD Duron(tm) Processor
Gentoo Base System version 1.4.16
distcc 2.16 i686-pc-linux-gnu (protocols 1 and 2) (default port 3632) [enabled]
ccache version 2.3 [enabled]
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.14.90.0.8-r1
Headers:  sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r5
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-march=k6 -mmmx -O2 -mcpu=i686 -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config
/usr/share/config /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-march=k6 -mmmx -O2 -mcpu=i686 -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distcc distlocks sandbox sfperms"
GENTOO_MIRRORS="ftp://ftp.snt.utwente.nl/pub/os/linux/gentoo/"
MAKEOPTS="-j4"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY=""
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="apache2 apm avi berkdb bitmap-fonts crypt encode f77 foomaticdb fortran ftp
gdbm gif gpm gtk2 imap imlib jpeg libg++ libwww mbox mikmod motif mpeg ncurses
nls oggvorbis opengl oss pam pdflib perl png python quicktime readline sdl slang
spell ssl svga tcpd tiff truetype x86 xml2 xmms xv zlib"
Comment 1 schaedpq 2004-12-07 00:01:13 UTC 
I have a similar problem on one of my machines, but I get the "Authentication token ..." directly after issuing "passwd", it doesn't even ask for the old password:
$ passwd
passwd: Authentication token manipulation error

This happens for ordinary users and root, I cannot change a single password with passwd. The weird thing is: Last week it worked perfectly and I cannot remember having anything changed, especially not pam, cracklib or shadow.

Removing cracklib from system-auth, as suggested by Ralph, changes the problem but I still cannot change my password:
$ passwd
passwd: Permission denied

The following packages are installed:
sys-apps/shadow-4.0.5-r2
sys-libs/pam-0.77-r1
sys-libs/cracklib-2.7-r10

$ emerge info
Portage 2.0.51-r3 (default-linux/x86/2004.3, gcc-3.3.4, glibc-2.3.4.20040808-r1, 2.4.27-hardened-r2 i686)
=================================================================
System uname: 2.4.27-hardened-r2 i686 AMD Athlon(tm) XP 1800+
Gentoo Base System version 1.4.16
Autoconf: sys-devel/autoconf-2.59-r5
Automake: sys-devel/automake-1.8.5-r1
Binutils: sys-devel/binutils-2.15.90.0.1.1-r3
Headers:  sys-kernel/linux-headers-2.4.19-r1,sys-kernel/linux-headers-2.4.21-r1
Libtools: sys-devel/libtool-1.5.2-r7
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CFLAGS="-mcpu=athlon-xp -O2 -pipe"
CHOST="i686-pc-linux-gnu"
COMPILER=""
CONFIG_PROTECT="/etc /usr/kde/2/share/config /usr/kde/3/share/config /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/ /var/bind /var/qmail/control"
CONFIG_PROTECT_MASK="/etc/gconf /etc/terminfo /etc/env.d"
CXXFLAGS="-mcpu=athlon-xp -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoaddcvs autoconfig ccache distlocks sandbox sfperms strict"
GENTOO_MIRRORS="http://linux.rz.rub.de/download/gentoo-mirror"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://linux.rz.rub.de/gentoo-portage"
USE="3dnow apache2 apm berkdb bitmap-fonts crypt f77 fbcon fortran gdbm gif gtk2 imap innodb ipv6 jpeg libwww mad mbox md5sum mysql ncurses nls odbc oggvorbis pam pdflib perl png python readline sasl sftplogging skey slang spell sqlite ssl tcpd tetex x86 xml2 zlib"

Does anybody have a hint for me? I'm sorry, if some important information is missing here, but I have not really much knowledge about PAM until now.
Comment 2 schaedpq 2004-12-07 01:50:45 UTC 
Mhmm... I re-emerged pam, shadow and cracklib (same versions, config files unchanged). It seems to work now. I don't know why, but anyway...
Comment 3 Ralph Slooten 2004-12-08 01:29:56 UTC 
I re-emerged all 3 packages, and the first time around (as user) changing the password worked, however after that it was straight back to where I started. Something is still horribly wrong here. On my systems this does nt seem to be resolved in any way.
Comment 4 Martin Schlemmer (RETIRED) gentoo-dev 2005-02-25 11:56:21 UTC 
And you were not using a word based on a dictionary word I assume?
Comment 5 Roel Brook 2005-10-26 19:11:26 UTC 
having the same problem.

When changing it as a user, I get an error it's based on a (reversed) dictionary
word.

I'm not sure if "trzbla" is in the dictionary, but not in any language I know of :)

Strange detail: if I add numbers to the password like "trzbla5", it does NOT
give any errors. It even updates the password. It seems cracklib is disallowing
updating any password it sees as "unsafe"
Comment 6 Roel Brook 2005-10-26 19:13:16 UTC 
sorry, just saw this bug was from 2004 :S

bug came back after emerging pam-0.78-r3 and overwriting the config files with
the files newly installed.
Comment 7 Jakub Moc (RETIRED) gentoo-dev 2007-09-14 12:13:38 UTC 
pam-0.99.8.1 has cracklib optional, and noone's going to touch the old junk. Plus, this is a feature and not a bug. 

Closing.