passwd: pam_chauthtok(): conversation failure Error and Solutions

Last updated October 4, 2013

I am trying to change my Unix / Linux user account password using the passwd command. But, I am getting the following error:

passwd: pam_chauthtok(): conversation failure


passwd: pam_chauthtok(): error in service module

How do I fix this problem on Unix-like operating systems?

To fix this problem try any one of the following solutions:

#1: Make sure file system is mounted in read & write mode

Make sure your file system (the / file system) is mounted in read and write mode. Type the mount command to see the current file system status. If the file system is mounted read-only, remount it in read and write mode; see how to remount a file system in read and write mode on the Linux and FreeBSD operating systems for more information.

#2: Pass the -t option if you are changing password using ssh

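If you run passwd over ssh as follows (user@host is a placeholder for your own login and server):
ssh user@host passwd
ssh does not allocate a terminal for a remote command by default, so passwd cannot prompt for the password. Pass the -t option to force pseudo-terminal allocation:
ssh -t user@host passwd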

#3: Check SSD or hard disk drive for error

Run fsck on your hard disk. See fsck command tutorials for more info:

  1. Repairing Linux ext2 or ext3 or ext4 File System [ fsck ]
  2. What command do you run to check file system consistency under UNIX or Linux?

#4: Make sure you do not have multiple entries in shadow/passwd/master.passwd file

Check your Linux/Unix encrypted password file and make sure you do not have multiple entries for the same user in /etc/shadow (Linux), /etc/master.passwd (FreeBSD), or /etc/passwd (older versions of Linux/Unix).

#5: Check encrypted password file permissions

Make sure the permissions on the following files are correct using the ls -l command:

  1. /etc/passwd
  2. /etc/shadow
  3. /etc/group
  4. /etc/master.passwd (FreeBSD)

A typical file permission on Linux looks as follows:

ls -l /etc/{passwd,shadow,group}

Sample outputs:

-rw-r--r-- 1 root root    618 Aug 26 21:17 /etc/group
-rw-r--r-- 1 root root   1049 Aug 26 21:17 /etc/passwd
-rw-r----- 1 root shadow  869 Oct  1 15:25 /etc/shadow

Use the chmod and chown commands to set correct file permissions.

#6: Make sure the encrypted password file is not protected by extended file system permissions

Linux and Unix-like systems offer a file write-protection feature. The root user can set a special attribute, called the immutable bit, on the /etc/shadow or /etc/master.passwd file. Once this bit is set, no one, including root, can delete or modify the file, and only root can clear the immutable bit. To list file attributes on Linux, type:

lsattr /etc/{passwd,shadow,group}

Sample outputs:

-------------e-- /etc/passwd
-------------e-- /etc/shadow
-------------e-- /etc/group

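An i in the attribute column means the immutable bit is set; the sample output above shows no i, so none of these files is immutable. See how to set/clear/remove the immutable bit on Linux based systems and FreeBSD based systems for more information.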
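
The checks from #4, #5 and #6 combined into one read-only script. This is an added example, not code from the original article; it assumes Linux with GNU stat and lsattr, and the function names and the sample file are constructed for illustration.

```bash
#!/bin/bash
# Added example: read-only checks for solutions #4, #5 and #6.
# Assumes Linux (GNU coreutils stat, e2fsprogs lsattr). Function names are hypothetical.

# #4: print every login name that appears on more than one line of a
# colon-separated account file (passwd, shadow or master.passwd).
dup_users() {
    awk -F: '$1 != "" && !/^#/ { n[$1]++ }
             END { for (u in n) if (n[u] > 1) print u }' "$1" | sort
}

# #5: succeed only if FILE has exactly the octal MODE and the given OWNER.
# stat -c is the GNU form; FreeBSD's stat uses -f instead.
check_perms() {   # usage: check_perms FILE MODE OWNER
    [ "$(stat -c '%a %U' -- "$1" 2>/dev/null)" = "$2 $3" ]
}

# #6: succeed if lsattr reports the immutable (i) attribute on FILE.
# If lsattr is missing or fails, awk sees no input and the check fails.
is_immutable() {
    lsattr -d -- "$1" 2>/dev/null | awk '$1 ~ /i/ { f = 1 } END { exit !f }'
}

# Constructed sample: a shadow-style file in which "alice" appears twice.
# The password fields are lock markers, not real hashes.
make_sample() {
    printf '%s\n' \
        'root:*:19000:0:99999:7:::' \
        'alice:!:19000:0:99999:7:::' \
        'bob:!:19000:0:99999:7:::' \
        'alice:!:19001:0:99999:7:::' > "$1"
}

# Report on one file: one line per finding, non-zero status if any.
audit_file() {   # usage: audit_file FILE MODE OWNER
    rc=0
    for u in $(dup_users "$1"); do echo "$1: duplicate entry for $u"; rc=1; done
    check_perms "$1" "$2" "$3" || { echo "$1: expected mode $2 owner $3"; rc=1; }
    if is_immutable "$1"; then echo "$1: immutable bit set"; rc=1; fi
    return $rc
}

# On a real Linux host, run as root, with the modes from the sample listing:
#   audit_file /etc/passwd 644 root; audit_file /etc/shadow 640 root
```
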

#7: Make sure there are no other authorization errors in log file

Check your system log files for any other errors.

#8: Check the contents of /etc/pam.d/

Check the contents of the /etc/pam.d/ directory and make sure they are unchanged. You can compare the contents of the /etc/pam.d/ directory to another system's /etc/pam.d/ directory.

#9: Make sure encrypted password file is not corrupted

Make sure /etc/shadow (Linux) or /etc/master.passwd (FreeBSD) file is not corrupted. Use the pwck command on Linux to check file integrity. Use pwd_mkdb command on FreeBSD to rebuild /etc/master.passwd file.

See also

See the following man pages for more information:

  • Linux man pages: passwd(5), shadow(5), passwd(1), pam.conf(5), pwck(8), pwconv(8), pwunconv(8)
  • FreeBSD man pages: passwd(5), shadow(5), passwd(1), pwd_mkdb(8)

Posted by: Vivek Gite

The author is the creator of nixCraft and a seasoned sysadmin and a trainer for the Linux operating system/Unix shell scripting. He has worked with global clients and in various industries, including IT, education, defense and space research, and the nonprofit sector.