Getting an "Authentication token manipulation" error when trying to change my user password

  • I am logging in to my Ubuntu Server using my username. Once I am logged in, I type the `passwd` command and enter a new password, but a second later I get the following error messages:

    passwd: Authentication token manipulation error
    passwd: password unchanged

    What is wrong here? How can I change my password otherwise if I don't have access to that server physically, i.e. I am connecting remotely with ssh using terminal.

    The first prompt asks for your CURRENT password. Have you done that? Because if you just typed the new one, you'll get the error message you describe.

    I have the same problem, and found the answer from this link. Try this code: `mount -rw -o remount /`. Hope this is helpful.

    @Mubin: That's for an emergency recovery from single-user mode. Since this question is about a logged-in user, we can safely assume it's not a recovery scenario.

    Maybe you logged in with a keypair, and just don't have a password yet? Try to create it: `sudo passwd your_user`

  • Rinzwind (correct answer, 9 years ago)

    If you insert the wrong password

    $ passwd
    Changing password for rinzwind.
    (current) UNIX password: 
    passwd: Authentication token manipulation error
    passwd: password unchanged

    you get this error. If you are sure that you inserted the correct one, this error might also show up if you are using shadowed password files and the shadow doesn’t have an entry for this user (basically `/etc/passwd` has an entry for this user, but `/etc/shadow` does not).

    In order to fix this, you can either add the entry manually (make a backup first!!!) or recreate the shadow file with pwconv (Manpage).

    +1 my passwd/shadow set up was all messed up. Your `pwconv` hint was a lifesaver!

    @djhaskin987 3 years later (minus 6 days). Glad it helped you :D

    For me the problem was that I was entering very simple passwords, like only numbers. Try to use a secure password.

    what a strange error message!

    @Rinzwind I have the second problem. How can I set the entry point?

    @alhelal should be `sudo pwconv` (?)

    @Rinzwind I can't use `sudo` as the system doesn't accept my password.

    of course :-P do it from a live session ;)

    @Rinzwind You say `sudo pwconv -P` from live CD?

    Nope. No need for sudo from live session :)

    There is no `-P` option for `pwconv`

  • Do these two things just to make sure:

    mount -o remount,rw /

    This first part remounts the root partition as read/write since it was only in read mode. It actually dismounts the root partition and then mounts it again as read/write.

    Then do this:

    chmod 640 /etc/shadow

    Then do the sudo passwd USER. It should work after that. This part gives the correct permissions to the shadow file.

    This worked for me. Could anyone help me understand what I just did?

    @Stew updated answer to explain better.

    Great, thanks Luis! Should I change the root directory back to Read mode when I finish with this?

    @Stew no. It should stay like Read/Write. This is only when you want to fsck the disk for some problems not booting correctly or other issues. By default Ubuntu Server/Desktop should boot with root in Read/Write mode. So this method should not be needed after the problem (any that caused the issue) was solved.

    Awesome! this worked like a charm....

    This should have been the accepted answer... For recovery boots the first line is enough, as it is ro.

  • pam-auth-update

    fixed my messed-up /etc/pam.d/common-password

    This was the only thing that solved my issue :) Thank you so much.

    Aww, yeah. This high-level utility didn't solve the problem, but narrowed it down to "read-only filesystem". From then on - piece of cake.

    Works wonders if the PAM config was wrong and no login is possible anymore. From the root GRUB shell, executing pam-auth-update fixed it. Thanks @jouell

    @sebisnow great to hear!

  • I'm not sure how it happened. A sudo user created my account then deleted it then created it again.

    Here is what I found

    mount -o remount,rw /
    passwd: Authentication token manipulation error

    No change.

    sudo pwck

    Showed no errors.

    sudo grpck

    Showed no errors.

    ls -l /etc/passwd /etc/group /etc/shadow /etc/shadow-
    -rw-r--r-- 1 root root    767 May  7 16:45 /etc/group
    -rw-r--r-- 1 root root   1380 May  7 16:45 /etc/passwd
    -rw-r----- 1 root shadow 1025 May  8 09:11 /etc/shadow
    -rw------- 1 root root   1025 May  7 16:46 /etc/shadow-

    Looks normal.

    sudo cat /etc/shadow |grep oracle

    Showed user and encrypted password.

    sudo cat /etc/shadow- |grep oracle

    Showed nothing. Not sure what that means but doesn't look right.

    sudo passwd -d oracle

    So the solution was to delete the password then reset new password.

    Hope this helps.

  • Another problem might be that the disk is full. I got this error when resetting a password, and later checked my disks with df and found that no space is available on my disk. After freeing some I could reset the password without problems.

  • If you are using SELinux, running this command fixed the issue for me.

    restorecon -v /etc/shadow

    Thanks to this conversation for the solution.

  • Check if you have messed up the common-password file in /etc/pam.d/. This will cause errors if your present password does not match the one that common-password wants. In my case this was the reason why I was getting that authentication token error.

  • Also, ensure that your entry in /etc/passwd is not malformed. If you have the incorrect number of colons in the line for your user entry, the 'passwd' command cannot parse it and refuses to continue with the exact error message provided.
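
Three of the causes named in the answers above can be checked without changing anything: a malformed `/etc/passwd` line, a missing `/etc/shadow` entry, and a read-only root filesystem. The script below is an added example, not part of any answer in this thread; the function names are made up for illustration, and reading `/etc/shadow` requires root.

```shell
#!/bin/sh
# Added example: read-only checks for causes named in this thread.
# File paths are parameters so the checks can also be run on copies.

# Number of colon-separated fields in USER's line (a valid entry has 7).
# Prints 0 if the user has no line at all.
passwd_fields() {  # passwd_fields FILE USER
    awk -F: -v u="$2" '$1 == u { n = NF } END { print n + 0 }' "$1"
}

# Succeeds if FILE (shadow format) has an entry for USER.
has_shadow_entry() {  # has_shadow_entry FILE USER
    awk -F: -v u="$2" '$1 == u { found = 1 } END { exit !found }' "$1"
}

# Succeeds if MOUNTPOINT is mounted read-only according to a
# /proc/mounts-format FILE (the last matching line is the effective mount).
# Matching ",ro," avoids a false hit on options such as errors=remount-ro.
mounted_ro() {  # mounted_ro FILE MOUNTPOINT
    awk -v m="$2" '$2 == m { o = $4 }
        END { exit !(("," o ",") ~ /,ro,/) }' "$1"
}

# Prints one line per problem found; prints nothing if all checks pass.
diagnose() {  # diagnose USER [PASSWD] [SHADOW] [MOUNTS]
    user=$1 pw=${2:-/etc/passwd} sh=${3:-/etc/shadow} mt=${4:-/proc/mounts}
    n=$(passwd_fields "$pw" "$user")
    if [ "$n" -eq 0 ]; then echo "no passwd entry for $user"
    elif [ "$n" -ne 7 ]; then echo "malformed passwd entry: $n fields, expected 7"
    fi
    has_shadow_entry "$sh" "$user" || echo "no shadow entry for $user (see pwconv)"
    if mounted_ro "$mt" /; then echo "root filesystem is mounted read-only"; fi
    return 0
}

# Usage: sudo sh check.sh USERNAME   (check.sh is a placeholder file name)
if [ "$#" -gt 0 ]; then diagnose "$@"; fi
```
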

  • This issue occurred due to the incorrect permissions set to /usr/bin/passwd.

    Please try to set the permission as 4511 by using the command:

    chmod 4511 /usr/bin/passwd

    This will resolve the issue.

    Welcome to Ask Ubuntu! **;-)** Could you please review my edits and also review the editing help to improve the readability of your questions in the future... **;-)**

  • The server I was working on was configured with some sort of Windows Authentication through PowerBroker Identity Server (PBIS).

    Basically when I input `sudo pam-auth-update`, the following options appear:

    [Screenshot: output of `sudo pam-auth-update`]

    1. Unselect the first item of the list using the Space Bar Key to Select/Unselect, and Up/Down arrows if necessary.

    2. Then move to the Ok Option using Tab, and Left/Right arrow keys if necessary.

    3. Press Enter on top of the Ok Option.

    4. After this, I could use passwd and adduser as normal

    5. Once you are done with your user configuration, you can go back to sudo pam-auth-update, and leave the settings as before.

    In the general case (i.e. not using the PowerBroker Identity Server (PBIS)), it seems to be important to have the Unix Authentication activated (and no other authentication system).

License under CC-BY-SA with attribution

Content dated before 6/26/2020 9:53 AM