7

As the root user, I can change the password:

```
hussie:/home/claudiu# passwd
Enter new password:
Retype new password:
passwd: password updated successfully
```

As a non-root user I cannot:

```
claudiu@hussie:~$ passwd
Current Kerberos password:
passwd: User not known to the underlying authentication module
passwd: password unchanged
```

I also can't change another user's password from root:

```
hussie:/home/claudiu# passwd claudiu
Current Kerberos password:
passwd: User not known to the underlying authentication module
passwd: password unchanged
```

Googling the issue suggests using pwconv and pwunconv, but I don't have those and don't know where to find them:

```
claudiu@hussie:~$ pwconv
-bash: pwconv: command not found
claudiu@hussie:~$ pwunconv
-bash: pwunconv: command not found
claudiu@hussie:~$ sudo apt-get install pwconv
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package pwconv
claudiu@hussie:~$ sudo apt-get install pwunconv
Reading package lists... Done
Building dependency tree
Reading state information... Done
E: Unable to locate package pwunconv
```

What do I do?

thinice
Claudiu
  • 3
    Dude, if this is on that compromised system, then you need to nuke it. It is too late to mess around with passwords. – Zoredache Dec 12 '11 at 16:55
  • @Zoredache: it is, and I will, but I can't disconnect it from the internet (renting the server, don't have it physically) so I at least want to change the passwords for now. – Claudiu Dec 12 '11 at 16:56
  • If what Zoredache says is true (the system is compromised) - and there's Kerberos set up, look for the Kerberos PAM config file to find out where the hell it's pointing ... – thinice Dec 12 '11 at 17:14
  • You realise that one of the first things a hacker will do is replace passwd with a trojanized version? Even if you do change the password there are most certainly backdoors. Anyway, you could just edit the passwd/shadow files directly. It probably will not help though. – Zoredache Dec 12 '11 at 17:26
  • I think using krb5 was their way of 'trojanizing' the passwd; doing it this way is actually smarter from their perspective. – thinice Dec 12 '11 at 17:37

2 Answers

13

Run "pam-auth-update"

It'll prompt.

Debian has been really annoying and added kerberos by default during apt-get upgrade(s).

Stephen
5

You have another authentication method (kerberos) in use than a standard linux account - chances are the pam module is unable to write/update passwords. Doing so from root confuses the module because root is truly a local account and not in the other service's user list.

For some hints as to what PAM modules are in use, look in /etc/pam.conf and in the directory /etc/pam.d. /etc/nsswitch.conf may also provide hints, but Debian uses compat, which obviously doesn't really help in specifying what is in use.

If Kerberos is indeed in use, you can't update the password using passwd.

thinice
  • `pam.conf` is empty, and `/etc/pam.d/passwd/` just uses the `common-password` file, which has: `pam_krb5.so minimum_uid=1000` as the first line, the next one being `pam_unix.so obscure use_authtok try_first_pass sha512`. Where do I go from here? (Note this is how the system was installed, I didn't modify anything - could never change the user passwd) – Claudiu Dec 12 '11 at 17:05
  • How about `/etc/pam.d/common-auth` (possibly `/etc/pam.d/common-account` as well)? – thinice Dec 12 '11 at 17:07
  • 1
    Ah, ok, you've got pam_krb5 enabled (Kerberos) which correlates directly with the error message. This server is set up to use Kerberos authentication - which is completely key based - so you're really not going to change the password from the 'passwd' command but update the key pair with the Kerberos server – thinice Dec 12 '11 at 17:11
  • 1
    -UNLESS- kerberos is completely irrelevant and there's absolutely no way it should be in use, then just rem that line out - but you'd better be damn sure you can get in with a standard linux account and change that file if something goes wrong ;) – thinice Dec 12 '11 at 17:12
  • Hmm, I have no `kpasswd` command or `/usr/krb5` directory.. is that a safe bet it is irrelevant? – Claudiu Dec 12 '11 at 17:20
  • 3
    Ah great, I used the `pam-auth-update` command and disabled Kerberos authentication, and now `passwd` works. Thanks very much!! – Claudiu Dec 12 '11 at 17:26
  • Switch off kerberos, run `passwd` then switch kerberos back on again as described [here](https://serverfault.com/a/549601/423383) – cardamom Nov 19 '18 at 14:41
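
A read-only check for the situation diagnosed in this thread, added here as an example (not code from any poster): it lists the active PAM lines that load `pam_krb5.so` and reports whether the password-change stack is among them. The sample directory is constructed; its module arguments follow the lines quoted in the comments above, while the control fields and the helper function names are assumptions.

```shell
#!/bin/sh
# List active (non-comment) PAM lines that mention a module.
# Usage: pam_module_lines MODULE [DIR]   (DIR defaults to /etc/pam.d)
pam_module_lines() {
    module=$1
    dir=${2:-/etc/pam.d}
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        awk -v m="$module" -v f="$f" '
            /^[ \t]*#/   { next }                              # commented-out lines are inactive
            index($0, m) { printf "%s:%d: %s\n", f, NR, $0 }   # file:line: text
        ' "$f"
    done
}

# Succeeds (exit 0) when passwd or common-password loads the module,
# i.e. when a password change is routed through it.
password_stack_uses() {
    pam_module_lines "$1" "${2:-/etc/pam.d}" |
        grep -Eq '/(passwd|common-password):[0-9]+:'
}

# Build a constructed sample of /etc/pam.d in a temp dir and print its path.
make_sample_dir() {
    d=$(mktemp -d) || return 1
    cat > "$d/common-password" <<'EOF'
# constructed sample; control fields are assumed
password sufficient pam_krb5.so minimum_uid=1000
password required pam_unix.so obscure use_authtok try_first_pass sha512
EOF
    printf '%s\n' '@include common-password' > "$d/passwd"
    printf '%s\n' '# auth sufficient pam_krb5.so' \
                  'auth required pam_unix.so' > "$d/common-auth"
    printf '%s\n' "$d"
}

# Demo on the constructed sample; pass no DIR to inspect the real /etc/pam.d.
sample=$(make_sample_dir)
pam_module_lines pam_krb5.so "$sample"
if password_stack_uses pam_krb5.so "$sample"; then
    echo "passwd is routed through pam_krb5; review the profile with pam-auth-update"
fi
rm -rf "$sample"
```

On a host you suspect is compromised, treat the output as a lead only, since the PAM modules and the tools reading these files may themselves have been replaced.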