From: John Christian <>
Date: Mon Jan 09 2006 - 08:27:13 EST
SUMMARY: Why is passwd prompting root for password?

Casper Dik, Christopher Barnard, Bill Williams, Wil Deny, Varad Rajan Gil
Gilliland, Andrew Hall, Ric Anderson, John Kennedy, Christiaan Meihsl

This problem was caused by settings in the /etc/pam.conf file. All of the other
hosts I checked appeared to have the same pam.conf except this problem host.
The pam.conf file on this particular host had been replaced by a titan security
hardening script when the host was first installed.

I was able to add the following line to the pam.conf to fix my immediate

   passwd auth required  /usr/lib/security/

...but a new problem was introduced. Although root was no longer prompted for a
password when running the passwd command, a plain user account was now being
prompted twice(!) to enter their existing login password before being allowed
to enter a new one. More reading about pam is now on my to-do list.

Meanwhile, I will schedule a change to this host that simply restores the
/etc/pam.conf to its pre-titan state. Then I will learn more pam details and
perhaps tweak the titan scripts.

-John Christian


Hi gurus,

I have ONE host where the passwd command is prompting root for a password
before it allows you to set a password.

On all other hosts, I can su - to root and issue the passwd command to reset
passwords without being prompted for any passwords. The passwd manpage confirms
this is the correct behavior:

"In the files case, super-users (for instance, real and effective uid
equal to 0, see id(1M) and su(1M)) may change any password. Hence, passwd does
not prompt privileged users for the old password."

Using my well behaving hosts as a reference, I've tried to find any
differences, but have not found any clues yet.

/usr/bin/passwd binary is same size and date stamp as other hosts.
/etc/default/passwd is identical to other hosts. (content and perms)
/etc/nsswitch.conf is identical to other hosts. (content and perms)
/etc/shadow entries for root are the same except of course for the encrypted
password and the last changed field.
No NIS, NIS+, or LDAP in use or configured to be used.
I su - to become root on all hosts.
The shells and environment variables in use are mostly the same.
The /usr/bin/su command I use to become root is same size and date stamp as
other hosts.

QUESTION: Why is passwd on this one host treating root as a plebeian? What else
should I check to determine why passwd is prompting root for a password before
allowing root to set a password?

Thanks for any help or hints on where to look next. Will summarize.
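
One way to run the comparison the summary points to, as an added example that is not part of the original post or the replies: parse two pam.conf files and report where the effective stack for the passwd service differs, including the case where a host has no passwd-specific entry and falls back to the "other" service. The sample file contents and module names are constructed placeholders; the four-field line layout and the per-module-type "other" fallback are as documented in pam.conf(4).

```python
# Added example: diff the effective PAM stack for one service across two pam.conf files.
MODULE_TYPES = ("auth", "account", "session", "password")

def parse_pam_conf(text):
    """Return {(service, module_type): [(control_flag, module_path, options), ...]}."""
    stacks = {}
    # Join backslash-continued lines, then drop comments and blank lines.
    for raw in text.replace("\\\n", " ").splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 4:
            continue  # blank, comment-only, or malformed entry
        service, mtype, control, module = fields[:4]
        key = (service.lower(), mtype.lower())
        stacks.setdefault(key, []).append((control, module, tuple(fields[4:])))
    return stacks

def effective_stack(stacks, service, mtype):
    """Entries for the service, else the 'other' fallback for that module type."""
    return stacks.get((service, mtype)) or stacks.get(("other", mtype), [])

def diff_service(ref_text, host_text, service="passwd"):
    """Return {module_type: {'reference': [...], 'host': [...]}} for differing stacks."""
    ref, host = parse_pam_conf(ref_text), parse_pam_conf(host_text)
    diffs = {}
    for mtype in MODULE_TYPES:
        a = effective_stack(ref, service, mtype)
        b = effective_stack(host, service, mtype)
        if a != b:
            diffs[mtype] = {"reference": a, "host": b}
    return diffs

# Constructed samples; module names are placeholders, not real module paths.
REFERENCE = """\
passwd  auth      required  placeholder_passwd_auth.so
other   auth      required  placeholder_unix_auth.so
other   password  required  placeholder_authtok.so
"""
HARDENED = """\
# no passwd-specific auth entry, so passwd falls back to 'other auth'
other   auth      required  placeholder_unix_auth.so
other   password  required  placeholder_authtok.so
"""

if __name__ == "__main__":
    for mtype, d in diff_service(REFERENCE, HARDENED).items():
        print(mtype, "reference:", d["reference"], "host:", d["host"])
```

To use it on real hosts, read each host's /etc/pam.conf into a string and pass the known-good host's copy as the first argument.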


