Authentication token manipulation error when expiring password (passwd --expire)

On a fresh Arch Linux installation, I'm trying to require the user to change password on first log in. I expire the password using passwd --expire username, but the user can the no longer log in. This message is shown:

You are required to change your password immediately (administrator enforced)
Authentication token manipulation error

After a few seconds, it returns to the login prompt.

What causes this error, can can it be fixed to allow the user to change password?

I get the same behavior whether I set a password, or delete the password with passwd --delete.

1 Answer

I was curious about that behavior so I tested it on my machine.

Reproduction

  1. I create a new user

    # useradd -m -s /bin/bash test
  2. I create a dummy password for it

    # passwd test
    Geben Sie ein neues Passwort ein:
    Geben Sie das neue Passwort erneut ein: 
  3. Test what I did so far into another terminal

    $ su - test
    Passwort:
    $ # I'm in.
    $ exit # I'm out.
  4. Back to my root terminal, I try to do what you did...

    # passwd --expire test
    passwd: Passwortablauf-Informationen geändert.
  5. Back to my normal terminal, I try to connect with the new user.

    $ su - test
    Passwort:
    You are required to change your password immediately (administrator enforced)
    su: Fehler beim Ändern des Authentifizierungstoken

    Interesting, I get the same as yourself.

Husking

So I was curious so I looked into the manual

# LC_ALL=en_US.UTF-8 man passwd #Comment# LC_ALL is needed because otherwise, I get the manual in german.

And curiously it says:

-e, --expire Immediately expire an account's password. This in effect can force a user to change their password at the user's next login.

I concluded that it's strange that the described behavior is not working...


So as I know pam.d is responsible for the login I looked for it into the journal.

# journalctl -g pam -xe

In the log, I saw the following.

Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_unix(su-l:auth): authentication failure; logname= uid=1000 euid=0 tty=pts/4 ruser=funilrys rhost= user=test
Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_unix(su-l:account): expired password for user test (root enforced)
Jul 28 xx:xx:xx funilrys su[xxxxx]: pam_warn(su-l:chauthtok): function=[pam_sm_chauthtok] flags=0x4020 service=[su-l] terminal=[pts/4] user=[test] ruser=[funilrys] rhost=[<unknown>]

Note: As I log in with su the su-l is the service which is used.

That means that pam.d works properly but it does not handle the password change.


But I wasn't convinced, so I tested with SSH (I leave to you the SSH configuration) and it worked.

$ ssh -p xxxxx
Passwort:
You are required to change your password immediately (administrator enforced)
Ändern des Passworts für test.
Current password:
Geben Sie ein neues Passwort ein:
Geben Sie das neue Passwort erneut ein:
$ 

I asked myself, where is the difference?

What I found is that the /etc/pam.d/sshd file has this line

password include system-remote-login

So as my service was su-l I added that line to /etc/pam.d/su-l

Then tried again.

$ su - test
Passwort:
You are required to change your password immediately (administrator enforced)
Ändern des Passworts für test.
Current password:
Geben Sie ein neues Passwort ein:
Geben Sie das neue Passwort erneut ein: 

And it worked!

Conclusion

If you add the following line into /etc/pam.d/login, /etc/pam.d/su-l or other configuration depending on the service you use. The user will be able to change their password on next login.

password include system-remote-login

Recommendation (Edit 1)

In my analysis, I went through but after looking deep into it, I have to admit that even if system-remote-login is working, we should avoid it because it was actually thought for SSH.

So, I recommend anybody who meets this issue to add the following line (instead) into /etc/pam.d/login, /etc/pam.d/su-l or other configuration depending on the service you use.

password include system-local-login
2

Your Answer

Sign up or log in

Sign up using Google Sign up using Facebook Sign up using Email and Password

Post as a guest

By clicking “Post Your Answer”, you agree to our terms of service, privacy policy and cookie policy

You Might Also Like