Authentication token manipulation error

questionnaire at bossmail.de
Mon Mar 27 14:24:54 UTC 2006


Hello,

I've got the following situation: The 6000 accounts of our e-mail server are stored in /etc/passwd and /etc/shadow. To change their passwords, the users use an ssh session. The only purpose of the ssh session is to change a user's password, therefore the login shell is /usr/bin/passwd. To avoid attacks on the ssh daemon, we only want a separate web server with a little PHP web page to open the ssh session. I use apache/php with a PHP module called php-ssh2 and a library called libssh2 to establish the ssh session. This works fine, until it comes to the point where the old password is sent to /usr/bin/passwd. I get the following output in /var/log/messages:

sshd[]: pam_unix2: pam_sm_authenticate() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
sshd[]: pam_unix2: pam_sm_acct_mgmt() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: expire() returned with 0
sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
sshd[]: pam_unix2: session started for user dummy, service sshd
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCES
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
sshd[]: pam_unix2: session finished for user dummy, service sshd
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
-passwd[]: User dummy: Authentication token manipulation error
-passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000

If I use some other tools like gnu-ssh or putty, it all works very well. Is there a difference between the two methods, gnu-ssh and the PHP script, that /usr/bin/passwd recognizes, e.g. keyboard-interactive vs. tunneled cleartext? I think of this because I had to change some settings in /etc/ssh/sshd_config to enable tunneled-cleartext authentication:

PasswordAuthentication yes

Enabling or disabling the following in sshd_config has no effect:

ChallengeResponseAuthentication no
UsePAM yes

What does 'Authentication token manipulation error' mean? Is it possible to use /usr/bin/passwd with a pipe, like libssh2 does?

The PAM configuration is mostly the SuSE 10.0 original, except for the debug option.

/etc/pam.d/sshd:
auth      required    pam_env.so debug
auth      required    pam_unix2.so debug
auth      required    pam_nologin.so
account   required    pam_unix2.so debug
password  required    pam_pwcheck.so nullok
password  required    pam_unix2.so nullok use_first_pass use_authtok debug
session   required    pam_limits.so
session   required    pam_unix2.so debug

/etc/pam.d/password:
auth      required    pam_env.so debug
auth      required    pam_unix2.so debug
account   required    pam_unix2.so debug
password  required    pam_pwcheck.so nullok
password  required    pam_unix2.so nullok use_first_pass use_authtok debug
session   required    pam_limits.so
session   required    pam_unix2.so debug


Versions:

Webserver:
apache2-2.0.54-10
apache2-mod_php4-4.4.0-6.6
php4-4.4.0-6.6
libssh2-0.12
php-ssh2-0.10

eMailserver (on which password has to be changed):
openssh-4.1p1-10
pam-0.80-6
pam-modules-10.0-11.2


Your help is greatly appreciated.
Joerg
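An added example, not part of Joerg's mail: a small Python script that parses the /var/log/messages excerpt above (re-embedded here as a constructed sample, with the blank pids as they appear in the mail) and reconstructs the PAM call sequence. It maps the numeric code in passwd's "pam error 20" line to its Linux-PAM name (PAM_AUTHTOK_ERR, whose pam_strerror() text is "Authentication token manipulation error"), counts the pam_sm_chauthtok() calls (pam_chauthtok() runs the password stack twice, first with PAM_PRELIM_CHECK and then with PAM_UPDATE_AUTHTOK, which is why the module logs the call twice per change), and checks whether sshd logged "session finished" before passwd's second phase started, which is the ordering visible in the excerpt. The regexes, function names and the PAM_ERRORS table are this example's own; the table is a subset of the codes in Linux-PAM's _pam_types.h.

```python
"""Reconstruct the PAM call sequence from an sshd/passwd syslog excerpt."""
import re

# Constructed sample: the /var/log/messages excerpt from the mail above
# (pids were blanked in the mail, so the brackets are empty).
SAMPLE_LOG = """\
sshd[]: pam_unix2: pam_sm_authenticate() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_authenticate: PAM_SUCCESS
sshd[]: pam_unix2: pam_sm_acct_mgmt() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: expire() returned with 0
sshd[]: Accepted password for dummy from 192.168.136.50 port 6235 ssh2
sshd[]: pam_unix2: session started for user dummy, service sshd
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCES
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred() called
sshd[]: pam_unix2: username=[dummy]
sshd[]: pam_unix2: pam_sm_setcred: PAM_SUCCESS
sshd[]: pam_unix2: session finished for user dummy, service sshd
-passwd[]: pam_unix2: pam_sm_chauthtok() called
-passwd[]: pam_unix2: username=[dummy]
-passwd[]: User dummy: Authentication token manipulation error
-passwd[]: password change failed, pam error 20 - account=dummy, uid=1000, by=1000
"""

LINE_RE = re.compile(r"^-?(?P<prog>[A-Za-z_]+)\[(?P<pid>\d*)\]: (?P<msg>.*)$")
PHASE_RE = re.compile(r"pam_unix2: (?P<fn>pam_sm_\w+)\(\) called")
FAIL_RE = re.compile(r"password change failed, pam error (?P<code>\d+)")

# Subset of Linux-PAM return codes (numeric values from _pam_types.h) that
# passwd can report in its "pam error N" line.
PAM_ERRORS = {
    0: "PAM_SUCCESS",
    7: "PAM_AUTH_ERR",
    19: "PAM_CONV_ERR",        # the conversation (prompt/answer) function failed
    20: "PAM_AUTHTOK_ERR",     # pam_strerror: "Authentication token manipulation error"
    21: "PAM_AUTHTOK_RECOVERY_ERR",
    22: "PAM_AUTHTOK_LOCK_BUSY",
}


def pam_error_name(code):
    """Return the symbolic Linux-PAM name for a numeric return code."""
    return PAM_ERRORS.get(code, "UNKNOWN(%d)" % code)


def parse_line(line):
    """Split one syslog line into program, pid and message; None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"prog": m.group("prog"), "pid": m.group("pid"), "msg": m.group("msg")}


def analyze(text):
    """Summarise the PAM call sequence found in a syslog excerpt."""
    events = [e for e in (parse_line(ln) for ln in text.splitlines()) if e]

    # Every "pam_sm_*() called" line, in order, tagged with the calling program.
    phases = []
    for e in events:
        m = PHASE_RE.search(e["msg"])
        if m:
            phases.append((e["prog"], m.group("fn")))

    # pam_chauthtok() runs the password stack twice: once with PAM_PRELIM_CHECK,
    # then with PAM_UPDATE_AUTHTOK, so a module logs pam_sm_chauthtok() twice per change.
    chauthtok_idx = [i for i, e in enumerate(events)
                     if e["prog"] == "passwd" and "pam_sm_chauthtok() called" in e["msg"]]
    update_idx = chauthtok_idx[1] if len(chauthtok_idx) >= 2 else None

    # Did sshd close its session before passwd entered the update phase?
    finished_idx = [i for i, e in enumerate(events)
                    if e["prog"] == "sshd" and "session finished for user" in e["msg"]]
    closed_before_update = (update_idx is not None and bool(finished_idx)
                            and finished_idx[0] < update_idx)

    failure = None
    for e in events:
        m = FAIL_RE.search(e["msg"])
        if m:
            code = int(m.group("code"))
            failure = (code, pam_error_name(code))

    return {
        "phases": phases,
        "chauthtok_calls": len(chauthtok_idx),
        "failure": failure,
        "sshd_session_closed_before_update": closed_before_update,
    }


if __name__ == "__main__":
    summary = analyze(SAMPLE_LOG)
    for prog, fn in summary["phases"]:
        print("%-7s %s" % (prog, fn))
    print("chauthtok calls:", summary["chauthtok_calls"])
    print("failure:", summary["failure"])
    print("sshd session closed before update phase:", summary["sshd_session_closed_before_update"])
```

Run it as a script to print the phase list and the summary. The ordering check only reports what the log sequence shows (sshd's session teardown logged between passwd's two chauthtok phases); it is a pointer for where to look, not a diagnosis on its own.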