Hello!
We had a RHEL8 host that didn’t allow us to change passwords anymore, because this happened:
[root@hardrock8 pam.d]# passwd pamerror
Changing password for user pamerror.
passwd: Authentication token manipulation error
We tried a few suggestions from the internet, but nothing worked.
I finally decided to use one of my Rocky8 VMs to compare and try to recreate the error.
After comparing the output of strace passwd I detected that something in system-auth
seems to be different and might cause the issue.
But what we found is still perplexing me …
This is the default block in /etc/pam.d/system-auth
password requisite pam_pwquality.so debug try_first_pass local_users_only retry=3 authtok_type=
password requisite pam_pwhistory.so debug use_authtok remember=12
password sufficient pam_unix.so audit try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
- If you put a hash in front of the line for “pwquality”, you will get the error described above.
- If you swap the lines for “pwquality” and “pwhistory”, you will also get the error.
In our case someone had edited the file and swapped the two lines.
I still find it strange that swapping the lines breaks passwd …
Bye
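Added example (not part of the original post): the two breaking edits above have the same cause. In the RHEL 8 stack, pam_pwhistory.so and pam_unix.so carry use_authtok, which tells them to take the new password that an earlier module has already collected and never to prompt for one themselves; pam_pwquality.so is the module that prompts. Comment pwquality out, or move pwhistory in front of it, and pwhistory runs with no new token and fails with PAM_AUTHTOK_ERR, which passwd prints as "Authentication token manipulation error". The script below lints the password stack of a pam.d file for exactly that pattern: a use_authtok module with no earlier module in the stack that can supply the token. The three config files it checks are constructed copies of the default, commented-out and swapped stacks from the post; the function name and file names are this example's own.

```shell
#!/bin/sh
# Added example: lint the "password" stack of a PAM config for a use_authtok
# module that has nothing before it to set the new password. Not from the
# original post; check_password_stack and the sample file names are assumptions.

# Usage: check_password_stack /etc/pam.d/system-auth
# Prints "ok" and returns 0 when every use_authtok module in the password stack
# is preceded by a module that prompts (has no use_authtok); otherwise prints
# the offending module and returns 1.
check_password_stack() {
    awk '
        # Skip comments and blank lines; only the "password" stack matters here.
        /^[[:space:]]*#/ || NF == 0 { next }
        $1 != "password" { next }
        {
            module = $3
            has_use_authtok = 0
            for (i = 4; i <= NF; i++) if ($i == "use_authtok") has_use_authtok = 1
            # use_authtok means "never prompt, use the token already collected";
            # without an earlier prompting module there is nothing to use.
            if (has_use_authtok && !token_set) {
                printf "BAD: %s has use_authtok but no earlier module sets the new token\n", module
                bad = 1
            }
            # A module without use_authtok (pam_pwquality here) prompts and stores it.
            if (!has_use_authtok) token_set = 1
        }
        END { if (bad) exit 1; print "ok" }
    ' "$1"
}

# Constructed sample stacks, modelled on the lines quoted in the post.
PAMDIR=$(mktemp -d)
trap 'rm -rf "$PAMDIR"' EXIT

# Default order: pwquality prompts first, the rest reuse the token.
cat > "$PAMDIR/system-auth.good" <<'EOF'
password    requisite     pam_pwquality.so debug try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so debug use_authtok remember=12
password    sufficient    pam_unix.so audit try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
EOF

# pwquality commented out: pwhistory is now first and has no token.
cat > "$PAMDIR/system-auth.commented" <<'EOF'
#password   requisite     pam_pwquality.so debug try_first_pass local_users_only retry=3 authtok_type=
password    requisite     pam_pwhistory.so debug use_authtok remember=12
password    sufficient    pam_unix.so audit try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
EOF

# pwquality and pwhistory swapped: same problem, pwhistory runs before the prompt.
cat > "$PAMDIR/system-auth.swapped" <<'EOF'
password    requisite     pam_pwhistory.so debug use_authtok remember=12
password    requisite     pam_pwquality.so debug try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so audit try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
EOF

for f in good commented swapped; do
    printf '%s: ' "$f"
    if check_password_stack "$PAMDIR/system-auth.$f"; then
        :
    else
        echo "  -> passwd would fail with 'Authentication token manipulation error'"
    fi
done
```

Run it against the real file with `check_password_stack /etc/pam.d/system-auth` after sourcing the script; on the host from the post it would have flagged pam_pwhistory.so straight away. The check is a heuristic (it treats any module without use_authtok as one that prompts), so it reports ordering mistakes, not every possible PAM misconfiguration.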