I'm in the process of migrating a system running HP-UX 10.10 to Red Hat 7.0
and when I moved the unshadowed HP-UX /etc/passwd file over, I found that
my users could then log into their new accounts, that the transferred
passwd file allows them access to the account on the new machine but
that they cannot change their passwords. They get this message:
passwd:authentication token manipulation error
The PAM-Linux configuration is the Red Hat default (I certainly
haven't messed with it). Here are the contents of /etc/pam.d/passwd:
#%PAM-1.0
auth required /lib/security/pam_stack.so debug service=system-auth
account required /lib/security/pam_stack.so debug service=system-auth
password required /lib/security/pam_stack.so debug service=system-auth
Here are the contents of /etc/pam.d/system-auth (with debug and audit
parameters newly introduded by me):
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth sufficient /lib/security/pam_unix.so debug audit likeauth nullok md5 shadow
auth required /lib/security/pam_deny.so
account sufficient /lib/security/pam_unix.so debug audit
account required /lib/security/pam_deny.so
password required /lib/security/pam_cracklib.so debug retry=3
password sufficient /lib/security/pam_unix.so debug audit nullok use_authtok md5 shadow
password required /lib/security/pam_deny.so
session required /lib/security/pam_limits.so
session required /lib/security/pam_unix.so debug audit
Appended are the relevent lines of /var/log/secure after the debug and
audit parameters were added. Two attempts are logged. The first by the
user (fjaumott) trying to change her own password, the second one by root
intending to change it for her. If anyone could help me understand
what's going and make a recommendation, I'd be grateful. I've been
reading the PAM documentation but I'm still clueless.
Thanks.
Peter Brown
/var/log/secure:
May 3 11:28:01 net-36778 pam_stack[19725]: called from "passwd"
May 3 11:28:01 net-36778 pam_stack[19725]: initializing
May 3 11:28:01 net-36778 pam_stack[19725]: creating environment
May 3 11:28:01 net-36778 pam_stack[19725]: setting item PAM_SERVICE to "passwd"
May 3 11:28:01 net-36778 pam_stack[19725]: setting item PAM_USER to "fjaumott"
May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_TTY is NULL
May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_RHOST is NULL
May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_RUSER is NULL
May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_USER_PROMPT is NULL
May 3 11:28:01 net-36778 pam_stack[19725]: item PAM_FAIL_DELAY is NULL
May 3 11:28:01 net-36778 pam_stack[19725]: setting item PAM_SERVICE to system-auth
May 3 11:28:01 net-36778 pam_stack[19725]: passing data to child
May 3 11:28:01 net-36778 pam_stack[19725]: calling substack
May 3 11:28:05 net-36778 pam_stack[19725]: not passing PAM_SERVICE back up to parent
May 3 11:28:05 net-36778 pam_stack[19725]: not passing PAM_USER back up to parent
May 3 11:28:05 net-36778 pam_stack[19725]: substack's item PAM_TTY is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: substack's item PAM_RHOST is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: not passing PAM_CONV back up to parent
May 3 11:28:05 net-36778 pam_stack[19725]: substack's item PAM_RUSER is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: substack's item PAM_USER_PROMPT is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: substack's item PAM_FAIL_DELAY is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: passing data back
May 3 11:28:05 net-36778 pam_stack[19725]: returning 0 (Success)
May 3 11:28:05 net-36778 pam_stack[19725]: called from "passwd"
May 3 11:28:05 net-36778 pam_stack[19725]: initializing
May 3 11:28:05 net-36778 pam_stack[19725]: creating environment
May 3 11:28:05 net-36778 pam_stack[19725]: setting item PAM_SERVICE to "passwd"
May 3 11:28:05 net-36778 pam_stack[19725]: setting item PAM_USER to "fjaumott"
May 3 11:28:05 net-36778 pam_stack[19725]: item PAM_TTY is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: item PAM_RHOST is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: item PAM_RUSER is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: item PAM_USER_PROMPT is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: item PAM_FAIL_DELAY is NULL
May 3 11:28:05 net-36778 pam_stack[19725]: setting item PAM_SERVICE to system-auth
May 3 11:28:05 net-36778 pam_stack[19725]: passing data to child
May 3 11:28:05 net-36778 pam_stack[19725]: calling substack
May 3 11:28:13 net-36778 pam_stack[19725]: not passing PAM_SERVICE back up to parent
May 3 11:28:13 net-36778 pam_stack[19725]: not passing PAM_USER back up to parent
May 3 11:28:13 net-36778 pam_stack[19725]: substack's item PAM_TTY is NULL
May 3 11:28:13 net-36778 pam_stack[19725]: substack's item PAM_RHOST is NULL
May 3 11:28:13 net-36778 pam_stack[19725]: not passing PAM_CONV back up to parent
May 3 11:28:13 net-36778 pam_stack[19725]: substack's item PAM_RUSER is NULL
May 3 11:28:13 net-36778 pam_stack[19725]: substack's item PAM_USER_PROMPT is NULL
May 3 11:28:13 net-36778 pam_stack[19725]: substack's item PAM_FAIL_DELAY is NULL
May 3 11:28:13 net-36778 pam_stack[19725]: passing data back
May 3 11:28:13 net-36778 pam_stack[19725]: returning 20 (Authentication token manipulation error)
May 3 11:52:59 net-36778 xinetd[542]: START: telnet pid=19750 from=140.247.210.146
May 3 11:53:10 net-36778 pam_stack[19778]: called from "passwd"
May 3 11:53:10 net-36778 pam_stack[19778]: initializing
May 3 11:53:10 net-36778 pam_stack[19778]: creating environment
May 3 11:53:10 net-36778 pam_stack[19778]: setting item PAM_SERVICE to "passwd"
May 3 11:53:10 net-36778 pam_stack[19778]: setting item PAM_USER to "fjaumott"
May 3 11:53:10 net-36778 pam_stack[19778]: item PAM_TTY is NULL
May 3 11:53:10 net-36778 pam_stack[19778]: item PAM_RHOST is NULL
May 3 11:53:10 net-36778 pam_stack[19778]: item PAM_RUSER is NULL
May 3 11:53:10 net-36778 pam_stack[19778]: item PAM_USER_PROMPT is NULL
May 3 11:53:10 net-36778 pam_stack[19778]: item PAM_FAIL_DELAY is NULL
May 3 11:53:10 net-36778 pam_stack[19778]: setting item PAM_SERVICE to system-auth
May 3 11:53:10 net-36778 pam_stack[19778]: passing data to child
May 3 11:53:10 net-36778 pam_stack[19778]: calling substack
May 3 11:53:14 net-36778 pam_stack[19778]: not passing PAM_SERVICE back up to parent
May 3 11:53:14 net-36778 pam_stack[19778]: not passing PAM_USER back up to parent
May 3 11:53:14 net-36778 pam_stack[19778]: substack's item PAM_TTY is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: substack's item PAM_RHOST is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: not passing PAM_CONV back up to parent
May 3 11:53:14 net-36778 pam_stack[19778]: substack's item PAM_RUSER is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: substack's item PAM_USER_PROMPT is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: substack's item PAM_FAIL_DELAY is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: passing data back
May 3 11:53:14 net-36778 pam_stack[19778]: returning 0 (Success)
May 3 11:53:14 net-36778 pam_stack[19778]: called from "passwd"
May 3 11:53:14 net-36778 pam_stack[19778]: initializing
May 3 11:53:14 net-36778 pam_stack[19778]: creating environment
May 3 11:53:14 net-36778 pam_stack[19778]: setting item PAM_SERVICE to "passwd"
May 3 11:53:14 net-36778 pam_stack[19778]: setting item PAM_USER to "fjaumott"
May 3 11:53:14 net-36778 pam_stack[19778]: item PAM_TTY is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: item PAM_RHOST is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: item PAM_RUSER is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: item PAM_USER_PROMPT is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: item PAM_FAIL_DELAY is NULL
May 3 11:53:14 net-36778 pam_stack[19778]: setting item PAM_SERVICE to system-auth
May 3 11:53:14 net-36778 pam_stack[19778]: passing data to child
May 3 11:53:14 net-36778 pam_stack[19778]: calling substack
May 3 11:53:21 net-36778 pam_stack[19778]: not passing PAM_SERVICE back up to parent
May 3 11:53:21 net-36778 pam_stack[19778]: not passing PAM_USER back up to parent
May 3 11:53:21 net-36778 pam_stack[19778]: substack's item PAM_TTY is NULL
May 3 11:53:21 net-36778 pam_stack[19778]: substack's item PAM_RHOST is NULL
May 3 11:53:21 net-36778 pam_stack[19778]: not passing PAM_CONV back up to parent
May 3 11:53:21 net-36778 pam_stack[19778]: substack's item PAM_RUSER is NULL
May 3 11:53:21 net-36778 pam_stack[19778]: substack's item PAM_USER_PROMPT is NULL
May 3 11:53:21 net-36778 pam_stack[19778]: substack's item PAM_FAIL_DELAY is NULL
May 3 11:53:21 net-36778 pam_stack[19778]: passing data back
May 3 11:53:21 net-36778 pam_stack[19778]: returning 20 (Authentication token manipulation error)
May 3 14:46:03 net-36778 sshd[540]: Generating new 768 bit RSA key.
May 3 14:46:03 net-36778 sshd[540]: RSA key generation complete.
May 3 15:57:46 net-36778 pam_stack[1203]: called from "passwd"
May 3 15:57:46 net-36778 pam_stack[1203]: initializing
May 3 15:57:46 net-36778 pam_stack[1203]: creating environment
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_SERVICE to "passwd"
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_USER to "fjaumott"
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_TTY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_RHOST is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_RUSER is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_USER_PROMPT is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_FAIL_DELAY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_SERVICE to system-auth
May 3 15:57:46 net-36778 pam_stack[1203]: passing data to child
May 3 15:57:46 net-36778 pam_stack[1203]: calling substack
May 3 15:57:46 net-36778 pam_stack[1203]: not passing PAM_SERVICE back up to parent
May 3 15:57:46 net-36778 pam_stack[1203]: not passing PAM_USER back up to parent
May 3 15:57:46 net-36778 pam_stack[1203]: substack's item PAM_TTY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: substack's item PAM_RHOST is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: not passing PAM_CONV back up to parent
May 3 15:57:46 net-36778 pam_stack[1203]: substack's item PAM_RUSER is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: substack's item PAM_USER_PROMPT is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: substack's item PAM_FAIL_DELAY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: passing data back
May 3 15:57:46 net-36778 pam_stack[1203]: returning 0 (Success)
May 3 15:57:46 net-36778 pam_stack[1203]: called from "passwd"
May 3 15:57:46 net-36778 pam_stack[1203]: initializing
May 3 15:57:46 net-36778 pam_stack[1203]: creating environment
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_SERVICE to "passwd"
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_USER to "fjaumott"
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_TTY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_RHOST is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_RUSER is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_USER_PROMPT is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: item PAM_FAIL_DELAY is NULL
May 3 15:57:46 net-36778 pam_stack[1203]: setting item PAM_SERVICE to system-auth
May 3 15:57:46 net-36778 pam_stack[1203]: passing data to child
May 3 15:57:46 net-36778 pam_stack[1203]: calling substack
May 3 15:57:57 net-36778 pam_stack[1203]: not passing PAM_SERVICE back up to parent
May 3 15:57:57 net-36778 pam_stack[1203]: not passing PAM_USER back up to parent
May 3 15:57:57 net-36778 pam_stack[1203]: substack's item PAM_TTY is NULL
May 3 15:57:57 net-36778 pam_stack[1203]: substack's item PAM_RHOST is NULL
May 3 15:57:57 net-36778 pam_stack[1203]: not passing PAM_CONV back up to parent
May 3 15:57:57 net-36778 pam_stack[1203]: substack's item PAM_RUSER is NULL
May 3 15:57:57 net-36778 pam_stack[1203]: substack's item PAM_USER_PROMPT is NULL
May 3 15:57:57 net-36778 pam_stack[1203]: substack's item PAM_FAIL_DELAY is NULL
May 3 15:57:57 net-36778 pam_stack[1203]: passing data back
May 3 15:57:57 net-36778 pam_stack[1203]: returning 20 (Authentication token manipulation error)
