Getting an "Authentication token manipulation" error when trying to change my user password

Question

I am logging in to my Ubuntu Server using my username. Once I am logged in I am typing passwd command. Entering a new password but a second after getting following error messages:

passwd: Authentication token manipulation error
passwd: password unchanged

What is wrong here? How can I change my password otherwise if I don't have access to that server physically, i.e. I am connecting remotely with ssh using terminal.

The first prompt asks for your CURRENT password. Have you done that, cause if you just typed the new one, you'll get the error message you say.. — Pavlos G., Aug 18 '11 at 14:03
i have the same problem, and find the answer from this link https://help.ubuntu.com/community/LostPassword https://blog.imammubin.com/reset-ubuntu-passwd/2014/07/07/ try this code: mount -rw -o remount / hope this helpfull.. — Imam Mubin, Jul 07 '14 at 04:50
@Mubin: That's for an emergency recovery from single-user mode. Since this question is about a logged-in user, we can safely assume it's not a recovery scenario. — MSalters, Apr 26 '16 at 13:19
Maybe you logged in with a keypair, and just don't have a password yet? Try to create it: sudo passwd your_user — Noam Manos, Feb 23 '20 at 16:59
I got this error when my disk filled to 100% with logs due to a completely separate problem. If the more likely solutions posted here don't seem relevant to future searchers, might be worth a quick 'df -h' to see. — mightypile, Jul 30 '21 at 16:09

score 79 · Answer 1 · edited Jul 07 '15 at 15:49

79

Do these two things just to make sure:

mount -o remount,rw /

This first part remounts the root partition as read/write since it was only in read mode. It actually dismounts the root partition and then mounts it again as read/write.

Then do this:

chmod 640 /etc/shadow

Then do the sudo passwd USER. It should work after that. This part gives the correct permissions to the shadow file.

edited Jul 07 '15 at 15:49

slm

3,035

answered Mar 30 '12 at 20:02

Luis Alvarado

211,503

3

This worked for me.
Could anyone help me understand what I just did?
– Stew Apr 25 '14 at 17:33
1

@Stew updated answer to explain better. – Luis Alvarado Apr 25 '14 at 17:35
1

Great, thanks Luis! Should I change the root directory back to Read mode when I finish with this? – Stew Apr 25 '14 at 17:58
2

@Stew no. It should stay like Read/Write. This is only when you want to fsck the disk for some problems not booting correctly or other issues. By default Ubuntu Server/Desktop should boot with root in Read/Write mode. So this method should not be needed after the problem (any that caused the issue) was solved. – Luis Alvarado Apr 25 '14 at 20:43
Awesome! this worked like a charm.... – basavaraj_S Nov 25 '17 at 05:40
This should have been the accepted answer... For recovery boots the first line is enough, as it is ro. – Alim Özdemir Mar 22 '18 at 19:03
What a great answer, when nothing else was working. – Mote Zart Dec 05 '20 at 20:26
How do you do that when you are not sudoer or have no password for sudo it? – Shrm Dec 19 '23 at 22:36

score 53 · Accepted Answer · edited Oct 29 '16 at 12:06

53

If you insert the wrong passwd

$ passwd
Changing password for rinzwind.
(current) UNIX password: 
passwd: Authentication token manipulation error
passwd: password unchanged

you get this error. If you are sure that you inserted the correct one, this error might also show up if you are using shadowed password files and the shadow doesn’t have an entry for this user (basically/etc/passwd has an entry for this user, but /etc/shadow does not).

In order to fix this, you can either add the entry manually (make a backup first!!!) or recreate the shadow file with pwconv (Manpage).

edited Oct 29 '16 at 12:06

You'reAGitForNotUsingGit

14,809

answered Aug 18 '11 at 14:09

Rinzwind

299,756

1

+1 my passwd/shadow set up was all messed up. Your pwconv hint was a lifesaver! – djhaskin987 Aug 12 '14 at 13:55
1

@djhaskin987 3 years later (minus 6 days). Glad it helped you :D – Rinzwind Aug 12 '14 at 14:14
by me it was the problem, that I was entering very simple passwords like only number. try to use some secure password . – MR.GEWA Jun 01 '17 at 07:14
what a strange error message! – JonnyRaa Sep 26 '17 at 09:16
@Rinzwind I have the second problem. How can I set the entry point? – alhelal Mar 11 '18 at 16:25
@alhelal should be sudo pwconv (?) – Rinzwind Mar 11 '18 at 16:41
@Rinzwind I can't use sudo as system doesn't accept my password. – alhelal Mar 11 '18 at 16:50
@Rinzwind You can see this https://unix.stackexchange.com/questions/429581/how-to-set-entry-point-to-etc-shadow – alhelal Mar 11 '18 at 16:50
of course :-P do it from a live session ;) – Rinzwind Mar 11 '18 at 16:51
@Rinzwind You say sudo pwconv -P from live CD? – alhelal Mar 11 '18 at 16:52
Nope. No need for sudo from live session :) – Rinzwind Mar 11 '18 at 16:53
Let us continue this discussion in chat. – alhelal Mar 11 '18 at 16:53
There is no -P option for pwconv – alhelal Mar 12 '18 at 08:10
So your answer put me on the right track. I checked both shadow locations and noticed I didn't even have a user entry. So I created a new one in each file, just using a plain text password. Then I added a new entry at the /etc/passwd location. Then ran pwconv then ran sudo passwd <user> and it finally worked. Cool. – Longblog Jun 01 '22 at 23:10

score 15 · Answer 3 · edited Jun 05 '15 at 16:22

15

pam-auth-update

fixed my messed /etc/pam.d/common-password

edited Jun 05 '15 at 16:22

A.B.

90,397

answered Jun 05 '15 at 14:50

jouell

299

This was the only thing that solved my issue :)
Thank you so much.
– thedp Aug 19 '16 at 15:27
Aww, yeah. This high-level utility didn't solve the problem, but narrowed it down to "read-only filesystem". From then on - peace of cake. – Vorac Apr 21 '17 at 18:52
works wonders if the pam config was wrong and no login possible anymore. From root grub shell execution of pam-auth-update fixed it. thanks @jouell – sebisnow Apr 21 '20 at 12:31
@sebisnow great to hear! – jouell Apr 22 '20 at 02:09
fixed my issue. 10x – iTayb Sep 27 '20 at 09:03

score 10 · Answer 4 · answered May 08 '13 at 13:30

I'm not sure how it happened. A sudo user created my account then deleted it then created it again.

Here is what I found

mount -o remount,rw /
passwd
passwd: Authentication token manipulation error

No change.

sudo pwck

Showed no errors.

sudo grpck

Showed no errors.

ls -l /etc/passwd /etc/group /etc/shadow /etc/shadow-
-rw-r--r-- 1 root root    767 May  7 16:45 /etc/group
-rw-r--r-- 1 root root   1380 May  7 16:45 /etc/passwd
-rw-r----- 1 root shadow 1025 May  8 09:11 /etc/shadow
-rw------- 1 root root   1025 May  7 16:46 /etc/shadow-

Looks normal.

sudo cat /etc/shadow |grep oracle
oracle:$6$FsPqyplr$DrIvjFDSx0ipHmECMw1AU5hTrbNMnnkGRdFlaQcM.p3Rdu2OLjY20tzUTW61HlFH16cal56rKlLuW4j2mK9D.:15833:0:99999:7:::

Showed user and encrypted password.

sudo cat /etc/shadow- |grep oracle

Showed nothing. Not sure what that means but doesn't look right.

sudo passwd -d oracle
passwd

So the solution was to delete the password then reset new password.

Hope this helps.

score 4 · Answer 5 · answered Apr 14 '14 at 10:14

4

Another problem might be that the disk is full. I got this error when resetting a password, and later checked my disks with df and found that no space is available on my disk. After freeing some I could reset the password without problems.

answered Apr 14 '14 at 10:14

erikbstack

252
5
17

score 4 · Answer 6 · edited Nov 24 '22 at 11:14

4

If you are using SELinux, running this command fixed the issue for me.

restorecon -v /etc/shadow

Thanks to this conversation for the solution.

edited Nov 24 '22 at 11:14

Community

1

answered Aug 23 '14 at 06:39

sffc

291

score 4 · Answer 7 · edited Sep 05 '15 at 09:38

4

This issue occurred due to the incorrect permissions set to /usr/bin/passwd.

Please try to set the permission as 4511 by using the command:

chmod 4511 /usr/bin/passwd

This will resolve the issue.

edited Sep 05 '15 at 09:38

Fabby

34,259

answered Sep 05 '15 at 09:22

Murlo

41

Welcome to Ask Ubuntu! ;-) Could you please review my edits and also review the editing help to improve the readability of your questions in the future... ;-) – Fabby Sep 05 '15 at 09:39

score 2 · Answer 8 · edited Nov 17 '14 at 05:27

2

Check if you have messed up the common-password file in /etc/pam.d/. This will cause errors if your present password does not match the one that common-password wants. In my case this was the reason why I was getting that authentication token error.

edited Nov 17 '14 at 05:27

Fern Moss

8,785

answered Nov 15 '14 at 06:02

Revanth Kumar

141

toto_tico · Answer 9 · 2019-04-04T11:28:26.413

The server I was working on was configured with some sort of Windows Authentication through PowerBroker Identity Server(PBIS).

Basically when I input sudo pam-auth-update, the following options appear:

Unselect the first item of the list using the Space Bar Key to Select/Unselect, and Up/Down arrows if necessary.
Then move to the Ok Option using Tab, and Left/Right arrow keys if necessary.
Press Enter on top of the Ok Option.
After this, I could use passwd and adduser as normal
Once you are done with your user configuration, you can go back to sudo pam-auth-update, and leave the settings as before.

In the general case (i.e. not using the PowerBroker Identity Server(PBIS)), it seems to be important to have the Unix Authentication activated (and no other authentication system).

score 1 · Answer 10 · answered May 08 '12 at 00:10

1

Also, ensure that your entry in /etc/passwd is not mal-formed. If you have the incorrect number of colons in the line for your user entry, the 'passwd' command cannot parse it and refuses to continue with the exact error message provided.

answered May 08 '12 at 00:10

Magellan

100

score 1 · Answer 11 · edited Apr 13 '17 at 12:25

The error says that the PAM module (see: man pam_chauthtok) was unable to obtain the new authentication token. This may happen on Ubuntu when the user doesn't have default password set yet and passwd is still requesting it, so the workaround is to change the password using root privileges, e.g.

sudo passwd $USER

so you won't be asked for the current password and the error won't happen.

See also: Authentication token manipulation error

score 0 · Answer 12 · edited Aug 04 '19 at 08:13

0

In Lubuntu 15.04 I had the same token manipulation error. I figured this is due to the file system still in read only mode.

Using:

mount -o remount,rw /
passwd
passwd: Authentication token manipulation error

This does not work but this does:

mount -o remount, --rw /
passwd
passwd: Authentication token manipulation error

edited Aug 04 '19 at 08:13

galoget

2,963

answered Nov 18 '15 at 16:46

cecil toiletseat

9

score 0 · Answer 13 · answered Apr 07 '17 at 09:13

Using the above info I found that this solved my problem

pam-auth-update

I need to remove extrausers option from pam.

In my logs I noted the following errros.

journalctl -f
passwd[16497]: pam_extrausers(passwd:chauthtok): user "xuser" does not exist in /var/lib/extrausers/passwd

Getting an "Authentication token manipulation" error when trying to change my user password

13 Answers13

Linked

Related