Monday, 19 August 2013

Corruption with User Password History File


The below errors occur when changing password for users:
3004-622 An error occurred updating the password database.
3004-709 Error changing password for : Value is invalid.


Corruption with user password history file occurs due to various reasons and
causes users and administrators NOT to allow a change to user passwords.



The pwdhist File Purpose is to maintain password history information.


The /etc/security/pwdhist.dir and /etc/security/pwdhist.pag files are database files created and maintained by Database Manager (DBM) subroutines. The files maintain a list of previous user passwords.

The pwdhist files store information by user names. User names are the keys of the DBM subroutines. The password list contains multiple pairs of a lastupdatevalue and an encrypted, null-terminated password. This password lists key's associated content and the lastupdate value is a 4-byte, unsigned long. The encrypted password is the size of the PW_CRYPTLEN value.

Thus, an entry in the database file is of the following format:
last update password last update password last update password...

The password list is in descending chronological order, with the most recent password appearing first in the list.

Resolving the password history corruption problem:

Backup password history files:
cd to /etc/security
cp pwdhist.dir pwdhist.dir.bak
cp pwdhist.pag pwdhist.pag.bak

Zero-out the two original files:
> pwdhist.dir
> pwdhist.pag

Attempt to change the user password:

This will allow a change to the users password, however does not log any information to the history files (they will still be zero bytes until a password change is done again).

0 blogger-disqus:

Post a Comment