Alan Womack | 1 Sep 05:34 2002

passwd: Authentication token manipulation error was useradd reports PAM authentication failure

Progress, now I have:

root@webby:log# passwd mh
passwd: Authentication token manipulation error
root@webby:log#

 >>  You are right, here is proper one:

 >>  #%PAM-1.0
 >>  auth            sufficient      /lib/security/pam_rootok.so
 >>  auth            required        /lib/security/pam_unix.so
 >>  account         required        /lib/security/pam_permit.so
 >>  #password        required        /lib/security/pam_make.so /var/db

log file:

Aug 31 08:28:14 webby PAM-warn[19012]: function=[pam_sm_chauthtok] service=[passwd] terminal=[<unknown>] user=[mh] ruser=[<unknown>] rhost=[<unknown>]
Aug 31 08:32:46 webby PAM-warn[19026]: function=[pam_sm_chauthtok] service=[passwd] terminal=[<unknown>] user=[mh] ruser=[<unknown>] rhost=[<unknown>]
root@webby:log#

Epson Inkjet Printer FAQ: http://welcome.to/epson-inkjet
ingo | 1 Sep 12:53 2002

Re: mod_auth_pam trouble

Hello Matthew,

most likely, mod_auth_pam never gets called by Apache.  That happens
easily because the calling order of the various authentication modules
is somewhat confusing.

Please try the attached version of the module.  It's the current CVS
version, has more verbose error reporting and clearly tags each log
message with 'PAM' so that you can know whether the message you see is
from mod_auth_pam or from some other module that might be interfering.
Other than that, it's unchanged, so you should not run into problems.

Just replace the mod_auth_pam.c from the distribution with the
attached file, type "make; make install" and you should be all set.
The module will report the version "1.1.2".

regards

-- 
		  http://fargonauten.de/people/ingo

PGP: 	3187 4DEC 47E6 1B1E 6F4F  57D4 CD90 C164 34AD CE5B
/* Copyright (c) 2000 Ingo Lütkebohle, All rights reserved.
 *
 * Redistribution and use in source and binary forms, with or without
 * modification, are permitted provided that the following conditions
 * are met:
 *

Jan Rekorajski | 1 Sep 15:22 2002

Re: passwd: Authentication token manipulation error was useradd reports PAM authentication failure

On Sat, 31 Aug 2002, Alan Womack wrote:

> Progress, now I have:
> 
> root@webby:log# passwd mh
> passwd: Authentication token manipulation error
> root@webby:log#

Try this for passwd:
auth            required        /lib/security/pam_unix.so
account         required        /lib/security/pam_unix.so
password        required        /lib/security/pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        /lib/security/pam_unix.so md5 shadow use_authtok

Maybe it would be easier if you just got the config files from some
PAMified distribution ;)

Jan
-- 
Jan Rękorajski            |  ALL SUSPECTS ARE GUILTY. PERIOD!
baggins<at>mimuw.edu.pl   |  OTHERWISE THEY WOULDN'T BE SUSPECTS, WOULD THEY?
BOFH, MANIAC              |                   -- TROOPS by Kevin Rubio
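
An added example, not part of the thread or of any poster's code: a small lint for a Linux-PAM service file, run over the two `passwd` configurations quoted above. It flags a management group with no active modules (Linux-PAM then uses the `other` service for that group) and a `use_authtok` module with nothing stacked before it; the function names and the `needed` parameter are made up for this sketch.

```python
# Added example: lint a Linux-PAM service file for two problems relevant to
# this thread. Limitation: bracketed controls like [success=1 ...] are not parsed.
GROUPS = ("auth", "account", "password", "session")

ALAN_PASSWD = """\
#%PAM-1.0
auth            sufficient      /lib/security/pam_rootok.so
auth            required        /lib/security/pam_unix.so
account         required        /lib/security/pam_permit.so
#password        required        /lib/security/pam_make.so /var/db
"""

JAN_PASSWD = """\
auth            required        /lib/security/pam_unix.so
account         required        /lib/security/pam_unix.so
password        required        /lib/security/pam_cracklib.so difok=2 minlen=8 dcredit=2 ocredit=2 retry=3
password        required        /lib/security/pam_unix.so md5 shadow use_authtok
"""

def parse(text):
    """Return {group: [(control, module, [args]), ...]} for active lines."""
    stacks = {g: [] for g in GROUPS}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # comments run to end of line
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 3 and fields[0] in GROUPS:
            stacks[fields[0]].append((fields[1], fields[2], fields[3:]))
    return stacks

def lint(text, needed=("password",)):
    """Findings for one service file; passwd runs the password stack (pam_sm_chauthtok)."""
    stacks, findings = parse(text), []
    for group in needed:
        if not stacks[group]:
            findings.append(f"{group}: no active modules, falls back to the 'other' service")
    for i, (_, module, args) in enumerate(stacks["password"]):
        if "use_authtok" in args and i == 0:
            findings.append(f"password: {module} has use_authtok but no earlier module sets the new token")
    return findings

if __name__ == "__main__":
    for name, cfg in (("first config", ALAN_PASSWD), ("suggested config", JAN_PASSWD)):
        print(name, lint(cfg) or "ok")
```
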
David Lee | 2 Sep 16:06 2002

MS pam_sso.so.1 on Solaris

We run Solaris 8, using the native Solaris PAM infrastructure.

Over the years we have occasionally compiled and installed other PAM
modules into this with little or no trouble.  (Indeed, when there has been
a little local difficulty with a module, I have usually tried to fix it
and submit the changes back to the sourceforge project.)

A few weeks ago, we installed Microsoft's precompiled "pam_sso.so.1".
(Its purpose is to replicate password changes out to an Active Directory
system, to help synchronise passwords.)

This appeared to work OK, testing with the usual Solaris "passwd" program,
and including the MS "pam_sso.so.1" in "/etc/pam.conf".

More recently I tried to PAM-ify the "poppassd" program from qpopper. 
This was OK without the "/etc/pam.conf" entry: it successfully changed the
UNIX password. 

But on reinserting the "/etc/pam.conf" entry it failed, leaving the
message:
   poppassd[20519]: [ID 487707 local2.error] load_modules: \
      can not open module /usr/lib/security/pam_sso.so.1
in the system logs.  (The Solaris "passwd" command is OK.)

The dynamic library dependencies are:

   # ldd /usr/lib/security/pam_sso.so.1
           libpam.so.1 =>   /usr/lib/libpam.so.1
           libsocket.so.1 =>        /usr/lib/libsocket.so.1
           libnsl.so.1 =>   /usr/lib/libnsl.so.1

siddharth sharma rajput | 2 Sep 17:28 2002

query about pam_handle


  Hello everybody,

     I have gone through pam source code and
     found the software very robust, reliable.

     I am interested in adding something more to it.
     I want to design the pam supporting biometrics
     authentications.

    For that I need to change pam_handle structure to
    contain more information.
    If anybody has faced the same problem
    and can give their advice,
    please reply soon.

  Bye
   siddharth
Steve Langasek | 2 Sep 18:15 2002

Re: query about pam_handle

On Mon, Sep 02, 2002 at 03:28:13PM -0000, siddharth sharma rajput wrote:

>  hello everybody ,

>     i have gone through pam source code and
>     found the software very robust , reliable .

>     i am interested in adding something more to it
>     i want to design the pam supporting biometrics
>     authentications

>    for that i need to change pam_handle structure to
>    contain more information
>    if anybody has faced the same problem
>    and can give their advice ,
>    please reply soon

The pam_handle is already infinitely extensible through the use of opaque
pam data (pam_set_data()/pam_get_data()).  What are the special
circumstances of your module that would merit a change to the pam_handle
structure itself?

Steve Langasek
potsmodern programmer
Matthew Wedgwood | 2 Sep 23:59 2002

Re: mod_auth_pam trouble

Thanks for your help. One thing I forgot to mention was that I also tried 
moving the "AddModule" and "LoadModule" directives to different places in 
their respective lists in my httpd.conf file. I tried top and bottom, and I 
also tried disabling all other mod_auth_* modules. None of these things 
seemed to have an effect.

That said, I tried the newer version of mod_auth_pam. Sure enough, it's 
getting called. Here's the new log entry:
[Mon Sep  2 15:30:45 2002] [error] [client xx.xx.xx.xx] (13)Permission 
denied: PAM: user 'mw26' - not authenticated: Authentication failure

And still nothing in the syslog file. I'm using the pam_warn and pam_permit 
setup mentioned before. ldd confirms that the module is indeed linked 
against libpam.

-MW

>most likely, mod_auth_pam never gets called by Apache.  That happens
>easily because the calling order of the various authentication modules
>is somewhat confusing.

siddharth sharma rajput | 3 Sep 11:48 2002

conversation function


  Hello everybody,
    I am developing an application that
    needs to pass some information to the
    pam module.

    If anybody has the solution,
    reply soon.

   Bye
   siddharth sharma
   Axis Software Pvt Ltd
Timo Benk | 3 Sep 12:21 2002

Re: conversation function

Hi,

Take a look in the xscreenserver code.

-timo

On Tue, Sep 03, 2002 at 09:48:06AM -0000, siddharth sharma rajput wrote:
> 
>  hello everybody ,
>    i am developing an application that
>    needs to pass some information to the
>    pam module .
> 
>    if anybody has the solution ,
>    reply soon
> 
> 
>   bye
>   siddharth sharma
>   Axis Software Pvt Ltd
md | 4 Sep 03:39 2002

Re: conversation function

Why don't you just write it to a file and then read the file from PAM?

That way, nothing must get passed through.

Or you could use System V IPC, but that is an exercise left to the
reader.

siddharth sharma rajput wrote:
> 
>   hello everybody ,
>     i am developing an application that
>     needs to pass some information to the
>     pam module .
> 
>     if anybody has the solution ,
>     reply soon
> 
>    bye
>    siddharth sharma
>    Axis Software Pvt Ltd
