116

I log in to my Ubuntu Server using my username. Once I am logged in, I type the passwd command and enter a new password, but a second later I get the following error messages:

passwd: Authentication token manipulation error
passwd: password unchanged

What is wrong here? How can I change my password otherwise if I don't have access to that server physically, i.e. I am connecting remotely with ssh using terminal.

Braiam
  • 69,112
Bakhtiyor
  • 12,804

13 Answers

85

You can get this error if your system is unable to write to the /etc/shadow file. One reason this might happen is if your root filesystem is read-only.

Do these two things just to make sure:

mount -o remount,rw /

This first part remounts the root partition as read/write since it was only in read mode. It actually dismounts the root partition and then mounts it again as read/write.

Then do this:

chmod 640 /etc/shadow

Then do the sudo passwd USER. It should work after that. This part gives the correct permissions to the shadow file.

mwfearnley
  • 3,497
Luis Alvarado
  • 216,643
55

If you insert the wrong passwd

$ passwd
Changing password for rinzwind.
(current) UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

you get this error. If you are sure that you inserted the correct one, this error might also show up if you are using shadowed password files and the shadow file doesn't have an entry for this user (basically /etc/passwd has an entry for this user, but /etc/shadow does not).

In order to fix this, you can either add the entry manually (make a backup first!!!) or recreate the shadow file with pwconv (Manpage).

Rinzwind
  • 309,379
17
pam-auth-update

fixed my messed /etc/pam.d/common-password

A.B.
  • 92,125
jouell
  • 327
10

I'm not sure how it happened. A sudo user created my account then deleted it then created it again.

Here is what I found

mount -o remount,rw /
passwd
passwd: Authentication token manipulation error

No change.

sudo pwck

Showed no errors.

sudo grpck

Showed no errors.

ls -l /etc/passwd /etc/group /etc/shadow /etc/shadow-
-rw-r--r-- 1 root root    767 May  7 16:45 /etc/group
-rw-r--r-- 1 root root   1380 May  7 16:45 /etc/passwd
-rw-r----- 1 root shadow 1025 May  8 09:11 /etc/shadow
-rw------- 1 root root   1025 May  7 16:46 /etc/shadow-

Looks normal.

sudo cat /etc/shadow |grep oracle
oracle:$6$FsPqyplr$DrIvjFDSx0ipHmECMw1AU5hTrbNMnnkGRdFlaQcM.p3Rdu2OLjY20tzUTW61HlFH16cal56rKlLuW4j2mK9D.:15833:0:99999:7:::

Showed user and encrypted password.

sudo cat /etc/shadow- |grep oracle

Showed nothing. Not sure what that means but doesn't look right.

sudo passwd -d oracle
passwd

So the solution was to delete the password then reset new password.

Hope this helps.

Bernard
  • 380
5

Another problem might be that the disk is full. I got this error when resetting a password, and later checked my disks with df and found that no space is available on my disk. After freeing some I could reset the password without problems.

erikbstack
  • 262
4

If you are using SELinux, running this command fixed the issue for me.

restorecon -v /etc/shadow

Thanks to this conversation for the solution.

sffc
  • 301
4

This issue occurred due to the incorrect permissions set to /usr/bin/passwd.

Please try to set the permission as 4511 by using the command:

chmod 4511 /usr/bin/passwd

This will resolve the issue.

Fabby
  • 35,017
Murlo
  • 41
2

The server I was working on was configured with some sort of Windows Authentication through PowerBroker Identity Server (PBIS).

Basically when I input sudo pam-auth-update, the following options appear:

[Screenshot: output of sudo pam-auth-update]

  1. Unselect the first item of the list using the Space Bar Key to Select/Unselect, and Up/Down arrows if necessary.

  2. Then move to the Ok Option using Tab, and Left/Right arrow keys if necessary.

  3. Press Enter on top of the Ok Option.

  4. After this, I could use passwd and adduser as normal

  5. Once you are done with your user configuration, you can go back to sudo pam-auth-update, and leave the settings as before.

In the general case (i.e. not using the PowerBroker Identity Server (PBIS)), it seems to be important to have the Unix Authentication activated (and no other authentication system).

toto_tico
  • 285
2

Check if you have messed up the common-password file in /etc/pam.d/. This will cause errors if your present password does not match the one that common-password wants. In my case this was the reason why I was getting that authentication token error.

Fern Moss
  • 8,925
1

Also, ensure that your entry in /etc/passwd is not malformed. If you have the incorrect number of colons in the line for your user entry, the 'passwd' command cannot parse it and refuses to continue with the exact error message provided.

Magellan
  • 100
1

In Lubuntu 15.04 I had the same token manipulation error. I figured this is due to the file system still being in read-only mode.

Using:

mount -o remount,rw /
passwd
passwd: Authentication token manipulation error

This does not work but this does:

mount -o remount, --rw /
passwd
passwd: Authentication token manipulation error
galoget
  • 3,023
1

The error says that the PAM module (see: man pam_chauthtok) was unable to obtain the new authentication token. This may happen on Ubuntu when the user doesn't have a default password set yet and passwd is still requesting it, so the workaround is to change the password using root privileges, e.g.

sudo passwd $USER

so you won't be asked for the current password and the error won't happen.

See also: Authentication token manipulation error

kenorb
  • 10,944
0

Using the above info I found that this solved my problem

pam-auth-update

I needed to remove the extrausers option from pam.

In my logs I noted the following errors.

journalctl -f
passwd[16497]: pam_extrausers(passwd:chauthtok): user "xuser" does not exist in /var/lib/extrausers/passwd
nelaaro
  • 10,338
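
The file-level causes named across the answers above (read-only root, full disk, missing /etc/shadow entry, malformed /etc/passwd line, wrong mode on /etc/shadow, lost setuid bit on /usr/bin/passwd) can be checked without changing anything before applying any of the fixes. This is an added example, not code from any of the posts; the function names are made up here, and it assumes GNU stat and findmnt from util-linux. It does not inspect PAM configuration or SELinux labels.

```shell
#!/bin/sh
# Added example: read-only triage of the causes named in the answers above.
# Files are parameters so each check can also be run against copies.

# passwd_entry_ok FILE USER: USER has a line with exactly 7 colon-separated fields.
passwd_entry_ok() {
    awk -F: -v u="$2" '$1 == u { found = 1; if (NF != 7) bad = 1 }
        END { exit !(found && !bad) }' "$1"
}

# shadow_entry_ok FILE USER: USER has an entry in the shadow-format file.
shadow_entry_ok() {
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# mode_is FILE MODE: FILE's octal permission bits equal MODE (GNU stat).
mode_is() {
    [ "$(stat -c %a "$1")" = "$2" ]
}

# opts_writable OPTIONS: the comma-separated mount options include "rw".
opts_writable() {
    case ",$1," in *,rw,*) return 0 ;; *) return 1 ;; esac
}

# has_free_space PATH: the filesystem holding PATH has available blocks.
has_free_space() {
    [ "$(df -P "$1" | awk 'NR == 2 { print $4 }')" -gt 0 ]
}

# triage USER: run as root so /etc/shadow is readable; changes nothing.
triage() {
    rc=0
    opts_writable "$(findmnt -no OPTIONS /)" || { echo "/ is mounted read-only"; rc=1; }
    has_free_space /etc || { echo "no free space on the filesystem holding /etc"; rc=1; }
    passwd_entry_ok /etc/passwd "$1" || { echo "$1: missing or malformed /etc/passwd line"; rc=1; }
    shadow_entry_ok /etc/shadow "$1" || { echo "$1: no entry in /etc/shadow"; rc=1; }
    mode_is /etc/shadow 640 || { echo "/etc/shadow is not mode 640"; rc=1; }
    [ -u /usr/bin/passwd ] || { echo "/usr/bin/passwd has lost its setuid bit"; rc=1; }
    return "$rc"
}

if [ "$#" -gt 0 ]; then triage "$1"; fi
```

Run it as root with the affected user name as the only argument; each line it prints corresponds to one of the fixes proposed above.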