Linux: fixing "passwd: Authentication token manipulation error" when changing a password

Posted by andrewmcgibbon on Sat, 18 May 2019 17:56:05 +0200

This morning I suddenly wanted to change the password of an ordinary user. Logged in as root, I typed the passwd command and found that it prompted "passwd: Authentication token manipulation error".

[root@Geeklp-Administrator ~]# passwd Geeklp
 Change user Geeklp's password.
New password:
Invalid password: password less than 7 characters
 Re-enter the new password:
passwd: Identify token operation errors

I checked the hidden attributes of /etc/passwd and found nothing unusual. Then it occurred to me that I had run the pwunconv command during an experiment last week; that command may have caused the problem. So I ran the pwconv command again and retried the password change. It succeeded!
The /etc/passwd file before the operation:

[root@Geeklp-Administrator ~]# cat /etc/passwd
root:$6$W2B2u9mW/343Cwol$o8uxim3sGBVwPP//ktUv0TpZI4spD6nDlka/.8g9r99LidrhgTUiG8f3T/S71ZFlWZ4CbxRL2MOJZeh94Nf4R/:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
daemon:*:2:2:daemon:/sbin:/sbin/nologin
adm:*:3:4:adm:/var/adm:/sbin/nologin
lp:*:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:*:5:0:sync:/sbin:/bin/sync
shutdown:*:6:0:shutdown:/sbin:/sbin/shutdown
halt:*:7:0:halt:/sbin:/sbin/halt
mail:*:8:12:mail:/var/spool/mail:/sbin/nologin
operator:*:11:0:operator:/root:/sbin/nologin
games:*:12:100:games:/usr/games:/sbin/nologin
ftp:*:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:*:99:99:Nobody:/:/sbin/nologin
systemd-network:!!:192:192:systemd Network Management:/:/sbin/nologin
dbus:!!:81:81:System message bus:/:/sbin/nologin
polkitd:!!:999:997:User for polkitd:/:/sbin/nologin
postfix:!!:89:89::/var/spool/postfix:/sbin/nologin
chrony:!!:998:996::/var/lib/chrony:/sbin/nologin
sshd:!!:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
Geeklp:$6$WkX08HPX$L/FdYUT5cNaTTP9AJOWz5rSVKqwS3cSVOg6HXWOR2blkLCA9Vbd.raEdSR4ErgC2pcIHPA1HGj.5kj49k.aCs/:1000:1000::/home/Geeklp:/bin/bash

The /etc/passwd file after the operation:

[root@Geeklp-Administrator ~]# pwconv 
[root@Geeklp-Administrator ~]# cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:997:User for polkitd:/:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
Geeklp:x:1000:1000::/home/Geeklp:/bin/bash

Even a first glance shows an obvious difference in the password field, which is the result of running pwunconv and then pwconv.
The pwconv command enables shadow passwords for user accounts. Linux stores user and group accounts in the files passwd and group in the /etc directory. Because the system needs them at runtime, anyone can read them, which is a security weakness when password hashes are kept there. Shadow passwords move the hashes out of those files into the shadow and gshadow files in /etc, which only the system administrator may read, and replace the original hash with the placeholder character "x". This materially strengthens the security of the system.
The pwunconv command does the opposite of pwconv: it disables shadow passwords for user accounts, writing the hashes from the shadow file back into the passwd file. This reduces the security of the system, because anyone can read the contents of passwd, whereas the shadow file is readable and writable only by root.
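A quick way to audit for the unshadowed state described above is to scan a passwd-format file for accounts whose second field still holds a hash rather than the "x" placeholder or a locked marker. The script below is an added example, not part of the original post; it runs against a constructed sample file (not the post's real /etc/passwd) and the function name find_unshadowed is my own choice.

```shell
#!/bin/sh
# Added example (not from the original post): audit a passwd-format file for
# accounts whose password field still carries a hash instead of the "x"
# placeholder, i.e. the state that pwunconv leaves behind.

# Print one line per account in the file $1 whose second field is neither
# "x" (shadowed) nor a locked marker ("*", "!", "!!") nor empty.
# Exit status: 0 = every field is shadowed or locked, 1 = hashes found.
find_unshadowed() {
    awk -F: '
        $2 != "x" && $2 != "*" && $2 != "!" && $2 != "!!" && $2 != "" {
            print $1 ": password hash stored in passwd field (" length($2) " chars)"
            found = 1
        }
        END { if (found) exit 1; exit 0 }
    ' "$1"
}

# Constructed sample file (hashes are placeholders, not real ones):
# two accounts keep their hash in the passwd field, the rest are fine.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$placeholderhashvalue:0:0:root:/root:/bin/bash
bin:*:1:1:bin:/bin:/sbin/nologin
dbus:!!:81:81:System message bus:/:/sbin/nologin
alice:x:1000:1000::/home/alice:/bin/bash
bob:$6$othersalt$anotherplaceholderhash:1001:1001::/home/bob:/bin/bash
EOF

if find_unshadowed "$SAMPLE"; then
    echo "OK: every password field is shadowed or locked"
else
    echo "WARNING: run pwconv to move these hashes into /etc/shadow"
fi
rm -f "$SAMPLE"
```

To check a live system, call find_unshadowed /etc/passwd as root; a non-zero exit status with the listed accounts is the cue to run pwconv, as the post did.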

Topics: ftp network DBus ssh