[CentOS] Authentication Problems

Wed Feb 16 12:34:08 UTC 2011
Nico Kadel-Garcia <nkadel at gmail.com>

On Wed, Feb 16, 2011 at 7:28 AM, James Bensley <jwbensley at gmail.com> wrote:
> Hi List,
>
> We have a CentOS VPS running a web site in a DC far away. The chap that
> dev's this site told me he couldn't SFTP in yesterday, his password was
> being rejected (I went to his desk to confirm and saw it was telling him the
> password was incorrect, but neither he nor I had changed it and we are the
> only two with access to this VPS). So I logged in as root and reset his
> password, but he still couldn't log in (same problem, claiming the password
> was wrong).
>
> [root at server ~]# passwd webdevuser
> Changing password for user webdevuser.
> New UNIX password:
> Retype new UNIX password:
> passwd: all authentication tokens updates successfully.
>
> I tried to SSH in as the web dev user and it wouldn't let me in. Returning
> back to my root console window;
>
> [root at server ~]# su - webdevuser
> [webdevuser at server ~]# passwd
> Changing password for user webdevuser.
> Changing password for webdevuser.
> (current) UNIX password:
> passwd: Authentication token manipulation error
>
> Firstly; I am scratching my head as to why his password was no longer
> working in the first place?
>
> Secondly; Why I can't reset it?
>
> Googling around many people suggest there is a discrepancy between the
> /etc/passwd and /etc/shadow files and by deleting /etc/shadow and using
> pwconv to recreate shadow and the same for /etc/groups, deleting gshadow
> recreating it with grpconv will solve the problem, but I still can't log in as
> the web dev user.
>
> Any ideas anyone?

Uh-oh. Has your developer, or you, been editing the /etc/passwd,
/etc/shadow, /etc/group, or /etc/gshadow files manually? And do you
use NIS or LDAP for authentication? And this is a publicly exposed
webserver, right? How fast can you rebuild it if it's been rootkitted?

Check the /etc/shadow and /etc/group for consistent numbers of
entries, and /etc/group and /etc/gshadow. Do you have other users who
can still log in or not?
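The reply above suggests comparing the account databases against their shadow counterparts. The script below is an added example, not code from the thread or from CentOS; it cross-checks passwd/shadow and group/gshadow the way `pwck -r` and `grpck -r` do, reporting names present on only one side, passwd entries that are not shadowed, locked accounts, and malformed or duplicated lines. The sample file contents, the account names (including `webdevuser` from the thread) and the hash strings are all constructed placeholders; `check_system()` is a hypothetical helper that runs the same checks on a live host's `/etc` files.

```python
"""Cross-check passwd<->shadow and group<->gshadow for discrepancies.

Added example, not from the mailing-list thread.  All sample data below is
constructed; the hashes are placeholders, not real password hashes.
"""

PASSWD_FIELDS, SHADOW_FIELDS = 7, 9
GROUP_FIELDS, GSHADOW_FIELDS = 4, 4

# Constructed samples: 'orphan' and 'plainpw' lack shadow entries, 'plainpw'
# keeps its hash in passwd (unshadowed), 'webdevuser' is locked ('!!' hash),
# 'ghost' exists only in shadow, and group 'staff' has no gshadow line.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
webdevuser:x:500:500::/home/webdevuser:/bin/bash
orphan:x:501:501::/home/orphan:/bin/bash
plainpw:$1$placeholder$FAKEHASHFAKEHASHFAKEHA:502:502::/home/plainpw:/bin/bash
"""
SAMPLE_SHADOW = """root:$1$placeholder$FAKEHASHFAKEHASHFAKEHA:15000:0:99999:7:::
webdevuser:!!:15000:0:99999:7:::
ghost:$1$placeholder$FAKEHASHFAKEHASHFAKEHA:15000:0:99999:7:::
"""
SAMPLE_GROUP = "root:x:0:\nwebdevuser:x:500:\nstaff:x:600:webdevuser\n"
SAMPLE_GSHADOW = "root:::\nwebdevuser:!::\n"


def parse_db(text, nfields):
    """Parse a colon-separated account database.

    Returns (entries, problems): entries maps name -> field list; problems
    lists lines with the wrong field count or a duplicated name.
    """
    entries, problems = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.startswith("#"):
            continue
        fields = raw.split(":")
        if len(fields) != nfields:
            problems.append(f"line {lineno}: expected {nfields} fields, got {len(fields)}")
            continue
        name = fields[0]
        if name in entries:
            problems.append(f"line {lineno}: duplicate entry for '{name}'")
            continue
        entries[name] = fields
    return entries, problems


def cross_check(primary, shadow, label, report_locked):
    """Compare a passwd/group database with its shadow counterpart.

    report_locked is only meaningful for passwd/shadow: a '!' or '*' prefix
    in the shadow hash means the account cannot authenticate by password.
    (In gshadow a '!' just means the group has no password, which is normal.)
    """
    findings = []
    for name, fields in primary.items():
        if name not in shadow:
            findings.append(f"{label}: '{name}' has no shadow entry")
        if fields[1] != "x":
            findings.append(f"{label}: '{name}' password field is not 'x' (not shadowed)")
    for name, fields in shadow.items():
        if name not in primary:
            findings.append(f"{label}: shadow entry '{name}' has no {label} entry")
        elif report_locked and fields[1].startswith(("!", "*")):
            findings.append(f"{label}: '{name}' is locked ({fields[1]!r})")
    return findings


def check_texts(passwd_text, shadow_text, group_text, gshadow_text):
    """Run all checks on in-memory file contents; returns a list of findings."""
    report = []
    pw, probs = parse_db(passwd_text, PASSWD_FIELDS)
    report += ["passwd: " + p for p in probs]
    sh, probs = parse_db(shadow_text, SHADOW_FIELDS)
    report += ["shadow: " + p for p in probs]
    gr, probs = parse_db(group_text, GROUP_FIELDS)
    report += ["group: " + p for p in probs]
    gs, probs = parse_db(gshadow_text, GSHADOW_FIELDS)
    report += ["gshadow: " + p for p in probs]
    report += cross_check(pw, sh, "passwd", report_locked=True)
    report += cross_check(gr, gs, "group", report_locked=False)
    return report


def check_system(root="/etc"):
    """Hypothetical helper: same checks against a live host (needs root to read shadow)."""
    def read(name):
        with open(f"{root}/{name}", encoding="utf-8") as fh:
            return fh.read()
    return check_texts(read("passwd"), read("shadow"), read("group"), read("gshadow"))


if __name__ == "__main__":
    for finding in check_texts(SAMPLE_PASSWD, SAMPLE_SHADOW, SAMPLE_GROUP, SAMPLE_GSHADOW):
        print(finding)
```

On a real box, run it with `sudo python3 thisfile.py` after swapping the sample call for `check_system()`; the stock `pwck -r` and `grpck -r` from shadow-utils perform the same read-only comparison and are the first thing to try. A clean cross-check that still leaves "Authentication token manipulation error" points away from the account files' contents and towards whatever else stands between passwd and the shadow file, which is where the reply's questions about manual edits, NIS/LDAP and a possible compromise come in.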