Avoid “Authentication token manipulation error” on password change

Tags: pam, password, security

I'm implementing a security policy that will force the users to introduce stricter passwords when they change their own:

The /etc/pam.d/passwd configuration file is:

#%PAM-1.0
auth     include    common-auth
account  include    common-account
password include    common-password
session  include    common-session

So, I made changes in this file /etc/pam.d/common-password.

The default common-password file comes with these two lines:

password    requisite   pam_pwcheck.so  nullok cracklib
password    required    pam_unix2.so    use_authtok nullok

I need to add several options to the pam_pwcheck (no problem with that) and another PAM module (pam_cracklib) to make the passwords stronger. Next is my final /etc/pam.d/common-password file, included from passwd:

password  requisite  pam_cracklib.so minclass=3 retry=3
password  requisite  pam_pwcheck.so  nullok cracklib minlen=10 remember=5
password  required   pam_unix2.so    use_authtok nullok

My problem occurs when I have both PAM modules configured: if I introduce a correct password, it works fine. If I introduce a bad password that must be rejected by pam_cracklib (for example, a password with only lower case letters), it works fine (rejects the password without problem).

But when I introduce a password that is valid for cracklib but not for pwcheck (a 7-character password with upper case, lower case and numbers), it rejects the password, but this error is shown:

Bad password: too short
passwd: Authentication token manipulation error

So, pam_pwcheck prints its error message (Bad password: too short), but something bad happens with the PAM chain.

Do you know what is wrong in my configuration?

P.S. The "security" requirements are not mine at all, so please, avoid comments on it ;-).

Best Answer

Try restructuring your PAM chain like this for the file /etc/pam.d/common-password:

password required pam_pwcheck.so
password required pam_cracklib.so use_authtok minlen=10 retry=3 minclass=3
password required pam_pwcheck.so remember=5 use_authtok use_first_pass
password required pam_unix2.so nullok use_authtok use_first_pass

I found the above and modified it slightly from this Novell document titled: using pam_pwcheck and pam_cracklib at the same time.

Additionally I used these as resources:
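To see what the two stacks on this page do with a given password, the following script walks a `password` stack the way Linux-PAM's control flags (`required`, `requisite`, `sufficient`, `optional`) dictate and reports the return code the calling program receives (passwd renders `PAM_AUTHTOK_ERR`, value 20 in Linux-PAM, as "Authentication token manipulation error"). This is an added example, not code from the question, the answer or the Linux-PAM project. The per-module verdicts are simplified stand-ins that I wrote for this demonstration (pam_cracklib reduced to `minlen`/`minclass` without credits, pam_pwcheck reduced to a length check with an assumed default of 5, pam_unix2 assumed to succeed); the real modules do dictionary, history and credit checks that are not modelled. Both stacks are copied from the question and the answer above.

```python
"""Toy model of how Linux-PAM walks a 'password' stack such as
/etc/pam.d/common-password, honouring the control flags required,
requisite, sufficient and optional.  Added example, not code from the
question, the answer or the Linux-PAM project.  The module behaviours
below are simplified stand-ins for pam_cracklib/pam_pwcheck/pam_unix2."""
from dataclasses import dataclass, field

PAM_SUCCESS = 0
PAM_AUTHTOK_ERR = 20  # pam_strerror(): "Authentication token manipulation error"


@dataclass
class Entry:
    control: str
    module: str
    options: dict = field(default_factory=dict)


def parse_stack(text: str) -> list:
    """Parse 'password <control> <module.so> [opt ...]' lines; blanks and '#' lines are skipped."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if fields[0] != "password" or len(fields) < 3:
            raise ValueError(f"not a password-stack line: {line!r}")
        opts = {}
        for tok in fields[3:]:
            key, _, val = tok.partition("=")
            opts[key] = val if val else True  # bare flags such as nullok become True
        entries.append(Entry(fields[1], fields[2], opts))
    return entries


def char_classes(pw: str) -> int:
    """Count the lower/upper/digit/other classes present (pam_cracklib's minclass idea)."""
    lower = any(c.islower() for c in pw)
    upper = any(c.isupper() for c in pw)
    digit = any(c.isdigit() for c in pw)
    other = any(not c.isalnum() for c in pw)
    return sum((lower, upper, digit, other))


def run_module(e: Entry, pw: str) -> int:
    """Stand-in verdicts (assumption: the real modules also do dictionary,
    history and credit checks, none of which is modelled here)."""
    if e.module == "pam_cracklib.so":
        if len(pw) < int(e.options.get("minlen", 0)):  # length credits ignored
            return PAM_AUTHTOK_ERR
        if char_classes(pw) < int(e.options.get("minclass", 0)):
            return PAM_AUTHTOK_ERR
        return PAM_SUCCESS
    if e.module == "pam_pwcheck.so":
        # the "Bad password: too short" check; 5 is an assumed default minlen
        return PAM_SUCCESS if len(pw) >= int(e.options.get("minlen", 5)) else PAM_AUTHTOK_ERR
    if e.module == "pam_unix2.so":
        return PAM_SUCCESS  # the actual password update is assumed to succeed
    raise ValueError(f"no stand-in for {e.module}")


def evaluate_stack(entries: list, pw: str):
    """Return (final return code, list of (module, rc) that actually ran)."""
    first_failure = None  # status remembered from the first failing 'required' module
    ran = []
    for e in entries:
        rc = run_module(e, pw)
        ran.append((e.module, rc))
        if e.control == "required":
            if rc != PAM_SUCCESS and first_failure is None:
                first_failure = rc  # keep walking; later modules still run
        elif e.control == "requisite":
            if rc != PAM_SUCCESS:
                # stop immediately; the application gets the first failure seen
                return (first_failure if first_failure is not None else rc), ran
        elif e.control == "sufficient":
            if rc == PAM_SUCCESS and first_failure is None:
                return PAM_SUCCESS, ran
        elif e.control == "optional":
            pass  # result ignored (the only-module-in-stack case is not modelled)
        else:
            raise ValueError(f"unsupported control flag: {e.control}")
    return (PAM_SUCCESS if first_failure is None else first_failure), ran


# The questioner's stack, copied from the question.
QUESTION_STACK = """
password  requisite  pam_cracklib.so minclass=3 retry=3
password  requisite  pam_pwcheck.so  nullok cracklib minlen=10 remember=5
password  required   pam_unix2.so    use_authtok nullok
"""

# The stack proposed in the answer.
ANSWER_STACK = """
password required pam_pwcheck.so
password required pam_cracklib.so use_authtok minlen=10 retry=3 minclass=3
password required pam_pwcheck.so remember=5 use_authtok use_first_pass
password required pam_unix2.so nullok use_authtok use_first_pass
"""

if __name__ == "__main__":
    # constructed sample passwords: lower-only, 7 chars with 3 classes, 10 chars with 3 classes
    for name, stack in (("question", QUESTION_STACK), ("answer", ANSWER_STACK)):
        for pw in ("abcdefghij", "Abcdef1", "Abcdefghi1"):
            rc, ran = evaluate_stack(parse_stack(stack), pw)
            print(f"{name:8} {pw:12} rc={rc:2} ran={[m for m, _ in ran]}")
```

With the question's stack and the 7-character mixed-class password, the walk stops at the `requisite` pam_pwcheck entry and pam_unix2 never runs, so the application receives the module's error code straight away; with the answer's all-`required` stack every module still runs and the first failure recorded is what the application sees. The script models the control-flag walk only; the prompting behaviour of `retry`, `use_authtok` and `use_first_pass` is outside its scope.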
