We use the passwd command in Linux to set or change user account passwords, however, while using it, we may encounter the error: “passwd: Authentication token manipulation error”

As part of our Server Management Services, we assist our customers with several Linux queries.

Today, let us see how to fix this error.

passwd: authentication token manipulation error in Linux

Recently, we had a customer who tried to log in to his CentOS server with the username “bob“. He was trying to change the password using passwd utility. However, within seconds he receives the following error message:

# su - bob
$ passwd bob
Changing password for user bob
Changing password for bob

(current) UNIX password: 
passwd: Authentication token manipulation error

How to fix it?

Moving ahead, let us see the methods our Support Techs suggest in order to fix this.

1. Set Correct PAM Module Settings

A possible cause of the error can be the wrong PAM (Pluggable Authentication Module) settings. It can make the module unable to obtain the new authentication token entered.

We can find the various settings for PAM in /etc/pam.d/.

$ ls -l /etc/pam.d/

-rw-r--r-- 1 root root 142 Mar 23  2017 abrt-cli-root
-rw-r--r-- 1 root root 272 Mar 22  2017 atd
-rw-r--r-- 1 root root 192 Jan 26 07:41 chfn
-rw-r--r-- 1 root root 192 Jan 26 07:41 chsh
-rw-r--r-- 1 root root 232 Mar 22  2017 config-util
-rw-r--r-- 1 root root 293 Aug 23  2016 crond
-rw-r--r-- 1 root root 115 Nov 11  2010 eject
lrwxrwxrwx 1 root root  19 Apr 12  2012 fingerprint-auth -> fingerprint-auth-ac
-rw-r--r-- 1 root root 659 Apr 10  2012 fingerprint-auth-ac
-rw-r--r-- 1 root root 147 Oct  5  2009 halt
-rw-r--r-- 1 root root 728 Jan 26 07:41 login
-rw-r--r-- 1 root root 172 Nov 18  2016 newrole
-rw-r--r-- 1 root root 154 Mar 22  2017 other
-rw-r--r-- 1 root root 146 Nov 23  2015 passwd
lrwxrwxrwx 1 root root  16 Apr 12  2012 password-auth -> password-auth-ac
-rw-r--r-- 1 root root 896 Apr 10  2012 password-auth-ac

For instance, a misconfigured /etc/pam.d/common-password file can result in this error.

We can fix this issue by running the pam-auth-update command with root privileges:

$ sudo pam-auth-update

2. Set Correct Permissions on Shadow File

/etc/shadow file stores actual passwords for user accounts in an encrypted format. Wrong permission in this file can also cause the error.

To check the permissions on this file, we run:

$ ls -l  /etc/shadow

Then to set the correct permissions on it, we use the chmod command:

$ sudo chmod 0640 /etc/shadow

3. Remount Root Partition

We might also see this error if the / partition is mounted as read-only. This means no file can modify. Thus we cannot set or change a user’s password.

To fix this error, we need to mount the root partition as read/write:

$ sudo mount -o remount,rw /

4. Free Up Disk Space

Suppose, our disk is full. In such a case, we cannot modify any file on the disk especially when the file’s size is meant to increase. This may eventually cause the error.

Here, we can try to remove any unwanted files so that there is no issue of lack of space.

In order to make the space, it is easier if we use tools like FSlint or BleachBit. They can help us to identify unwanted files and clean up the disk thus providing more space.

4. Reboot System

Another possible method is to try and reboot the system. This may fix the issue in some cases.

We can do this using:

$ sudo reboot

5. Repair and Fix Filesystem Errors

If none of the above methods work, we can try this method.

Minor storage drive or filesystem errors can also cause the error in question. Linux disk scanning tools such as fsck can fix such errors.

However, our Support Techs recommend trying out fsck commands on test Linux servers with the help of system administrators or if we are pretty much experienced with fsck and it works.

We must always keep in mind to unmount a partition before we run fsck on it.

[Need help with the procedures? We can help you]

Conclusion:

In short, passwd: authentication token manipulation error in Linux occurs when we try to change the password via the passwd command. Today, we saw how our Support Techs fix this error.