On Wed, Feb 16, 2011 at 7:28 AM, James Bensley <jwbensley at gmail.com> wrote:
> Hi List,
>
> We have a CentOS VPS running a web site in a DC far away. The chap that
> dev's this site told me he couldn't SFTP in yesterday, his password was
> being rejected (I went to his desk to confirm and saw it was telling him the
> password was incorrect but neither him nor me had changed it and we are the
> only two with access to this VPS). So I logged in as root and reset his
> password, but he still couldn't log in (same problem, claiming the password
> was wrong).
>
> [root at server ~]# passwd webdevuser
> Changing password for user webdevuser.
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updates successfully.
>
> I tried to SSH in as the web dev user and it wouldn't let me in. Returning
> back to my root console window;
>
> [root at server ~]# su - webdevuser
> [webdevuser at server ~]# passwd
> Changing password for user webdevuser.
> Changing password for webdevuser.
> (current) UNIX password:
> passwd: Authentication token manipulation error
>
> Firstly; I am scratching my head as to why his password was no longer
> working in the first place?
>
> Secondly; Why I can't reset it?
>
> Googling around many people suggest there is a discrepancy between the
> /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using
> pwconv to recreate shadow and the same for /etc/groups, deleting gshadow
> recreating it with grpconv will solve the problem but I still can't login as
> the web dev user.
>
> Any ideas anyone?

Uh-oh. Has your developer, or you, been editing the /etc/passwd, /etc/shadow, /etc/group, or /etc/gshadow files manually? And do you use NIS or LDAP for authentication?

And this is a publicly exposed webserver, right? How fast can you rebuild it if it's been rootkitted?

Check the /etc/shadow and /etc/group for consistent numbers of entries, and /etc/group and /etc/gshadow.
Do you have other users who can still log in or not?
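
An added example, not part of the original thread: one way to look for the /etc/passwd versus /etc/shadow discrepancy mentioned in the question, going beyond counting entries to naming the mismatched accounts. The file contents, account names and hashes below are constructed sample data, and `parse` and `audit` are hypothetical helper names.

```python
# Constructed sample data, not taken from the server in the thread.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
webdevuser:x:500:500::/home/webdevuser:/bin/bash
apache:x:48:48:Apache:/var/www:/sbin/nologin
ghost:$1$abc$legacyhashinpasswd:501:501::/home/ghost:/bin/bash
"""
SAMPLE_SHADOW = """\
root:$6$salt$hash:15000:0:99999:7:::
webdevuser:!!$6$salt$hash:15020:0:99999:7:::
apache:!!:14900::::::
olduser:$6$salt$hash:14000:0:99999:7:::
"""


def parse(text):
    """Return {name: fields} for a colon-separated account file."""
    entries = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            entries[fields[0]] = fields
    return entries


def audit(passwd_text, shadow_text):
    """List (account, problem) pairs where the two files disagree."""
    passwd, shadow = parse(passwd_text), parse(shadow_text)
    findings = []
    for name in sorted(passwd.keys() - shadow.keys()):
        findings.append((name, "in passwd but missing from shadow"))
    for name in sorted(shadow.keys() - passwd.keys()):
        findings.append((name, "in shadow but missing from passwd"))
    for name, fields in sorted(passwd.items()):
        if len(fields) != 7:
            findings.append((name, "malformed passwd entry"))
        elif fields[1] != "x":
            findings.append((name, "password field in passwd is not 'x'"))
    for name, fields in sorted(shadow.items()):
        if len(fields) != 9:
            findings.append((name, "malformed shadow entry"))
        elif fields[1].startswith("!") and fields[1].lstrip("!"):
            # A real hash behind '!' means the account password is locked.
            findings.append((name, "password hash is locked with '!'"))
    return findings


if __name__ == "__main__":
    for account, problem in audit(SAMPLE_PASSWD, SAMPLE_SHADOW):
        print(f"{account}: {problem}")
```

On a live system, pass the contents of the real files to `audit` as root; `pwck -r` and `grpck -r` from shadow-utils perform a comparable read-only check.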