Troubleshoot the 'passwd: Module is unknown' error on a Linux ECS instance

更新时间:
复制 MD 格式

When you use the passwd command to change the password of a Linux ECS instance, you may receive the passwd: Module is unknown and passwd: password unchanged errors. These errors typically indicate a problem with the Pluggable Authentication Modules (PAM) configuration, such as a missing or misconfigured PAM module. PAM is a framework that Linux systems use to manage user authentication.

Symptoms

The passwd command fails, and the following message is returned:

passwd: Module is unknown
passwd: password unchanged

An attempt to reset the instance password online by using Cloud Assistant fails, and the following message is returned:

Key pair [t-zjk5191zbypjytc] has been removed
chpasswd: (user root) pam_chauthtok() failed, error:
Module is unknown
chpasswd: (line 1, user root) password not changed
Password reset failed.

Possible causes

  1. PAM module not installed or missing: A required PAM module, such as pam_unix.so or pam_pwquality.so, is missing, deleted, or corrupted.

  2. Incorrect PAM configuration file: A PAM configuration file in the /etc/pam.d/ directory, such as common-password or system-auth, references a nonexistent module or contains an incorrect module path or parameters.

  3. Incorrect password policy configuration: The /etc/security/pwquality.conf file is misconfigured, which prevents the pam_pwquality.so module from working correctly.

Solution

Step 1: Check pam_unix.so

  1. Connect to your Linux instance.

    For more information, see Log on to a Linux instance by using Workbench.

  2. Check if the pam_unix.so module exists:

    sudo find / -name "pam_unix.so"
    Note
    • If pam_unix.so exists, proceed to Step 2: Check the pam_pwquality.so configuration.

    • If pam_unix.so does not exist, its parent package may be missing or the system library files may be corrupted. Reinstall the PAM package. The pam_unix.so module is a core PAM module that handles basic user authentication and password management.

  3. Reinstall the required PAM package.

    • Ubuntu/Debian

      sudo apt-get update
      sudo apt-get install --reinstall libpam-modules
    • CentOS/RHEL/Alibaba Cloud Linux

      sudo yum reinstall pam
  4. Run the following command again to verify that pam_unix.so exists.

    sudo find / -name "pam_unix.so"

Step 2: Check the pam_pwquality.so configuration

The pam_pwquality.so module is used to enhance password complexity checks, such as minimum length and character types. If pam_pwquality.so is enabled on the system, users must meet its defined complexity rules when changing their passwords.

  1. Check the system log for error messages related to pam_pwquality.so, such as Module is unknown or pam_chauthtok() failed.

    • Ubuntu/Debian:

      sudo tail -f /var/log/auth.log
    • CentOS/RHEL/Alibaba Cloud Linux:

      sudo tail -f /var/log/secure
      Note

      For example, the following error message may be returned:

      PAM unable to dlopen(pam_puquality.so): /lib/security/pam_puquality.so: cannot open shared object file: No such file or directory
      PAM adding faulty module: pam_puquality.so

      The log shows that the system failed to load the pam_pwquality.so module. This may be because the pam_pwquality.so module is not installed or the installation path is incorrect.

  2. Run the following command to check if pam_pwquality.so is installed.

    sudo find / -name "pam_pwquality.so"

    If the output resembles the following, the module is installed.

    /usr/lib/x86_64-linux-gnu/security/pam_pwquality.so
  3. If pam_pwquality.so is installed:

    1. Verify that the PAM configuration file (such as /etc/pam.d/common-password or /etc/pam.d/system-auth) correctly references pam_pwquality.so.

      Ubuntu/Debian

      1. Run the following command to check the content of the /etc/pam.d/common-password file.

        sudo cat /etc/pam.d/common-password | grep -v "#"
      2. Verify that the following lines exist and are correct:

        password [success=1 default=ignore] pam_unix.so obscure sha512
        password requisite pam_deny.so
        password required pam_permit.so
        password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
      3. If the configuration is incorrect, edit the /etc/pam.d/common-password file.

        sudo vi /etc/pam.d/common-password

        Add or update the following line:

        password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

        Save and exit the file.

      CentOS/RHEL/Alibaba Cloud Linux

      1. Run the following command to check the content of the /etc/pam.d/system-auth file.

        sudo cat /etc/pam.d/system-auth | grep -v "#"

        Verify that the following lines exist and are correct:

        password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
        password   required     pam_deny.so
        password   requisite    pam_pwquality.so try_first_pass local_users_only retry=3
      2. If the configuration is incorrect, edit the /etc/pam.d/system-auth file.

        sudo vi /etc/pam.d/system-auth

        Add or update the following line:

        password requisite pam_pwquality.so try_first_pass local_users_only retry=3

        Save and exit the file.

    2. Run the following command to check the content of the /etc/security/pwquality.conf file.

      sudo cat /etc/security/pwquality.conf

      Verify that the following settings exist and are correct:

      minlen = 10
      minclass = 3
      retry = 3
      Note
      • minlen = 10: The minimum password length is 10 characters.

      • minclass = 3: The password must contain characters from at least three character classes (lowercase letters, uppercase letters, digits, and special characters).

      • retry = 3: Users are allowed three attempts to enter a valid password.

  4. If pam_pwquality.so is not installed:

    Note
    • If you do not need to enforce password complexity checks (such as password length and character types), you can comment out or delete the lines related to pam_pwquality.so in the /etc/pam.d/common-password file.

    • If you need to enforce password complexity checks, you must install libpam-pwquality.

    Check if the PAM configuration file references pam_pwquality.so.

    Ubuntu/Debian

    Run the following command to check the /etc/pam.d/common-password file:

    sudo cat /etc/pam.d/common-password | grep "pam_pwquality.so"

    If the output resembles the following, pam_pwquality.so is referenced:

    password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

    CentOS/RHEL/Alibaba Cloud Linux

    Run the following command to check the /etc/pam.d/system-auth file:

    sudo cat /etc/pam.d/system-auth | grep "pam_pwquality.so"

    If the output resembles the following, pam_pwquality.so is referenced:

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3

    If pam_pwquality.so is referenced but not installed, choose one of the following methods:

    Method 1: Install pam_pwquality.so

    1. Run the appropriate command to install the pam_pwquality.so module.

      • Ubuntu/Debian

        sudo apt-get update
        sudo apt-get install libpam-pwquality
      • CentOS/RHEL/Alibaba Cloud Linux

        sudo yum install pam_pwquality
    2. After the installation is complete, run the following command again to verify that pam_pwquality.so exists.

      sudo find / -name "pam_pwquality.so"

    Method 2: Comment out the pam_pwquality.so-related configuration (workaround)

    If you cannot immediately resolve the issue, you can temporarily comment out the pam_pwquality.so line to bypass password complexity checks.

    1. Open the PAM configuration file.

      • Ubuntu/Debian:

        sudo vi /etc/pam.d/common-password
      • CentOS/RHEL/Alibaba Cloud Linux:

        sudo vi /etc/pam.d/system-auth
    2. Find the following line.

      password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
    3. Add a number sign (#) at the beginning of the line to comment it out.

      # password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
    4. Save and exit the file.

    Important
    • Commenting out pam_pwquality.so disables password complexity rules, which can reduce system security. We recommend that you disable this check only in test environments or for specific use cases.

    • To re-enable password complexity checking, uncomment the pam_pwquality.so line and make sure that the rules in the /etc/security/pwquality.conf file are correct.

Step 3: Verify the fix

Try changing the password again to verify the fix.

passwd