
Elastic Compute Service: What do I do when I cannot change the password of a Linux instance and the "passwd: Module is unknown" error message appears?

Last Updated: Feb 17, 2025

When you run the passwd command to change the password of a Linux Elastic Compute Service (ECS) instance, the passwd: Module is unknown and passwd: password unchanged error messages appear and the password is not changed. In most cases, this issue occurs because the Pluggable Authentication Modules (PAM) configuration for password management contains errors, or because a required PAM module is missing or incorrectly configured. PAM is a suite of modules in Linux used for authentication and authorization.

Problem description

Symptom 1: You cannot change the password of the Linux ECS instance by using the passwd command. The following error messages appear:

passwd: Module is unknown
passwd: password unchanged

Symptom 2: You cannot reset the password of the Linux ECS instance by using Cloud Assistant. The following error messages appear.

[Image: error messages returned by Cloud Assistant]

Possible causes

  1. PAM modules are not installed or missing. A required PAM module such as pam_unix.so or pam_pwquality.so is missing, or the file of a required PAM module is accidentally deleted or damaged.

  2. The PAM configuration file contains errors. The PAM configuration file in the /etc/pam.d/ directory, such as the common-password or system-auth file, references a module that does not exist, or contains incorrect parameters or module paths.

  3. Password policies are incorrectly configured. The /etc/security/pwquality.conf file is incorrectly configured. As a result, the pam_pwquality.so module does not work as expected.

Solution

Step 1: Check whether the pam_unix.so module exists

  1. Connect to the Linux ECS instance.

    For more information, see Use Workbench to connect to a Linux instance over SSH.

  2. Check whether the pam_unix.so module exists.

    sudo find / -name "pam_unix.so"
    Note
    • If the pam_unix.so module exists, check the configuration of the pam_pwquality.so module.

    • If the pam_unix.so module does not exist, the corresponding library file may be damaged or the PAM package may not be installed. Re-install the PAM package. pam_unix.so is a core PAM module that provides user management and password management services.

  3. Re-install the PAM package.

    • Ubuntu or Debian

      sudo apt-get update
      sudo apt-get install --reinstall libpam-modules
    • CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

      sudo yum reinstall pam
  4. Check whether the pam_unix.so module exists.

    sudo find / -name "pam_unix.so"

Step 2: Check the pam_pwquality.so module configuration

The pam_pwquality.so module checks the strength of passwords, including the character types of passwords and whether passwords meet the minimum length requirement. If the pam_pwquality.so module is enabled on the Linux ECS instance, you must meet the password complexity requirements of the module when you change the password of the instance.

  1. Check system logs for error messages related to the pam_pwquality.so module, such as the Module is unknown and pam_chauthtok() failed error messages.

    • Ubuntu or Debian

      sudo tail -f /var/log/auth.log
    • CentOS, RHEL, or Alibaba Cloud Linux

      sudo tail -f /var/log/secure
      Note

      The following error messages appear:

      PAM unable to dlopen(pam_puquality.so): /lib/security/pam_puquality.so: cannot open shared object file: No such file or directory
      PAM adding faulty module: pam_puquality.so

      System logs indicate that the pam_pwquality.so module cannot be loaded because the pam_pwquality.so module is not installed or not installed in the correct directory.

  2. Check whether the pam_pwquality.so module is installed.

    sudo find / -name "pam_pwquality.so"

    The following command output indicates that the module is installed:

    /usr/lib/x86_64-linux-gnu/security/pam_pwquality.so
  3. If the pam_pwquality.so module is installed, perform the following steps:

    1. Check whether the PAM configuration file, such as the /etc/pam.d/common-password or /etc/pam.d/system-auth file, correctly references the pam_pwquality.so module.

      Ubuntu or Debian

      1. Check the content of the /etc/pam.d/common-password file.

        sudo cat /etc/pam.d/common-password | grep -v "#"
      2. Make sure that the following lines exist in the file and are correct:

        password [success=1 default=ignore] pam_unix.so obscure sha512
        password requisite pam_deny.so
        password required pam_permit.so
        password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
      3. If any of the preceding lines are incorrect, correct the lines in the /etc/pam.d/common-password file.

        sudo vi /etc/pam.d/common-password

        Add or modify the following line:

        password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

        Save and close the file.

      CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

      1. Check the content of the /etc/pam.d/system-auth file.

        sudo cat /etc/pam.d/system-auth | grep -v "#"

        Make sure that the following lines exist in the file and are correct:

        password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
        password   required     pam_deny.so
        password   requisite    pam_pwquality.so try_first_pass local_users_only retry=3
      2. If any of the preceding lines are incorrect, correct the lines in the /etc/pam.d/system-auth file.

        sudo vi /etc/pam.d/system-auth

        Add or modify the following line:

        password requisite pam_pwquality.so try_first_pass local_users_only retry=3

        Save and close the file.

    2. Check the content of the /etc/security/pwquality.conf file.

      sudo cat /etc/security/pwquality.conf

      Make sure that the following lines exist in the file and are correct:

      minlen = 10
      minclass = 3
      retry = 3
      Note
      • minlen = 10: The minimum password length is 10 characters.

      • minclass = 3: The password must contain at least three of the following types of characters: uppercase letters, lowercase letters, digits, and special characters.

      • retry = 3: Up to three password retries are allowed.

  4. If the pam_pwquality.so module is not installed, perform the following steps:

    Note
    • If you do not require password complexity checking, such as checking the length and character types of passwords, comment out or delete the lines related to the pam_pwquality.so module in the /etc/pam.d/common-password file.

    • If you require password complexity checking, install the libpam-pwquality package.

    Check whether the PAM configuration file references the pam_pwquality.so module.

    Ubuntu or Debian

    Check the /etc/pam.d/common-password file.

    sudo cat /etc/pam.d/common-password | grep "pam_pwquality.so"

    The following command output indicates that the pam_pwquality.so module is referenced by the PAM configuration file:

    password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

    CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

    Check the /etc/pam.d/system-auth file.

    sudo cat /etc/pam.d/system-auth | grep "pam_pwquality.so"

    The following command output indicates that the pam_pwquality.so module is referenced by the PAM configuration file:

    password requisite pam_pwquality.so try_first_pass local_users_only retry=3

    If the pam_pwquality.so module is not installed but is referenced, use one of the following methods to resolve the issue:

    Method 1: Install the pam_pwquality.so module

    1. Install the pam_pwquality.so module.

      • Ubuntu or Debian

        sudo apt-get update
        sudo apt-get install libpam-pwquality
      • CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

        sudo yum install pam_pwquality
    2. Check whether the pam_pwquality.so module exists.

      sudo find / -name "pam_pwquality.so"

    Method 2: Comment out the pam_pwquality.so-related configuration (This method is a workaround and is not recommended)

    If you cannot immediately resolve the issue, you can comment out the pam_pwquality.so line to bypass password complexity checking.

    1. Open the PAM configuration file.

      • Ubuntu or Debian

        sudo vi /etc/pam.d/common-password
      • CentOS, RHEL, or Alibaba Cloud Linux

        sudo vi /etc/pam.d/system-auth
    2. Find the following line:

      password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
    3. Add a number sign (#) before the line to comment out the line.

      # password requisite pam_pwquality.so retry=3 minlen=10 minclass=3
    4. Save and close the file.

    Important
    • After you comment out the line that contains pam_pwquality.so, the system no longer enforces password complexity checking, which may reduce security. We recommend that you disable password complexity checking only in testing or special scenarios.

    • If you want to re-enable password complexity checking, uncomment the line that contains pam_pwquality.so and ensure that the rules in the /etc/security/pwquality.conf file are correct.
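
The checks in Step 1 and Step 2 can be run in one pass. The following script is an added example, not part of the original procedure: it lists every module that a file in a PAM configuration directory references but that is absent from the module directories you pass in, which covers both a missing package and a module name that does not match any installed file. The function name pam_missing_modules, the demo function, and the sample files are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original page.
# pam_missing_modules CONF_DIR MODULE_DIR...
# Prints "file: module" for every module a PAM file references that is in none
# of the given module directories (package absent or name does not match).
pam_missing_modules() {
    conf_dir=$1; shift
    for conf in "$conf_dir"/*; do
        [ -f "$conf" ] || continue
        # Drop comments, collapse a bracketed control such as
        # [success=1 default=ignore] into one token, then take field 3 (module).
        # @include lines and include/substack controls name services, not modules.
        sed -e 's/#.*//' -e 's/\[[^]]*]/[ctl]/' "$conf" |
        awk 'NF >= 3 && $1 !~ /^@/ && $2 != "include" && $2 != "substack" { print $3 }' |
        sort -u |
        while read -r module; do
            found=no
            case $module in
                /*) if [ -e "$module" ]; then found=yes; fi ;;
                *)  for dir in "$@"; do
                        if [ -e "$dir/$module" ]; then found=yes; break; fi
                    done ;;
            esac
            if [ "$found" = no ]; then
                printf '%s: %s\n' "$(basename "$conf")" "$module"
            fi
        done
    done
}

# Constructed sample: a system-auth password stack that uses the module name
# shown in the log excerpt (pam_puquality.so), checked against a temporary
# module directory that holds only pam_unix.so and pam_deny.so.
demo() {
    tmp=$(mktemp -d)
    mkdir "$tmp/pam.d" "$tmp/security"
    touch "$tmp/security/pam_unix.so" "$tmp/security/pam_deny.so"
    cat > "$tmp/pam.d/system-auth" <<'EOF'
password   requisite    pam_puquality.so try_first_pass local_users_only retry=3
password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required     pam_deny.so
password   include      password-auth   # service name, skipped
EOF
    pam_missing_modules "$tmp/pam.d" "$tmp/security"
    rm -rf "$tmp"
}

demo   # prints: system-auth: pam_puquality.so
```

On an instance, call pam_missing_modules with /etc/pam.d and the module directories reported by the find commands in this topic, such as /lib/security or /usr/lib/x86_64-linux-gnu/security.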

Step 3: Check whether you can change the password of the Linux ECS instance

  1. Change the password of the Linux ECS instance.

    passwd
  2. If the password still fails to be changed or other error messages appear, submit a ticket to contact Alibaba Cloud technical support.