All Products
Search

This Product

    Elastic Compute Service:Password change fails on a Linux ECS instance with 'passwd: Module is unknown' error

    Document Center

    Elastic Compute Service:Password change fails on a Linux ECS instance with 'passwd: Module is unknown' error

    Last Updated:Aug 22, 2025

    When you use the passwd command to change the password of a Linux ECS instance, you might receive the passwd: Module is unknown and passwd: password unchanged error messages. This failure typically indicates a problem with the Pluggable Authentication Modules (PAM) configuration. This can happen if necessary PAM modules are missing or incorrectly configured. PAM is a framework of modules in Linux used to manage user authentication.

    Problem description

    Symptom 1: You cannot change the password of a Linux ECS instance using the passwd command. The following error message is returned:

    passwd: Module is unknown
passwd: password unchanged

    Symptom 2: You cannot reset the password of the Linux ECS instance using Cloud Assistant. The following error messages appear.

    image

    Possible causes

    1. PAM modules are not installed or are missing: A required PAM module, such as pam_unix.so or pam_pwquality.so, is missing. This can happen if the module file was accidentally deleted or is corrupted.

    2. PAM configuration file errors: A configuration file in the /etc/pam.d/ folder, such as common-password or system-auth, references a module that does not exist. This can also happen if the module path or parameters in the configuration file are incorrect.

    3. Password policy configuration issues: The /etc/security/pwquality.conf file is configured incorrectly. This causes the pam_pwquality.so module to fail.

    Solution

    Step 1: Check if the pam_unix.so module exists

    1. Connect to the Linux ECS instance.

      For more information, see Use Workbench to connect to a Linux instance over SSH.

    2. Run the following command to check whether the pam_unix.so module exists.

      sudo find / -name "pam_unix.so"
      Note

      • If pam_unix.so exists, proceed to Check the pam_pwquality.so module configuration.

      • If pam_unix.so does not exist, the system library file might be damaged or the PAM-related package is not installed. The pam_unix.so module is a core PAM component responsible for basic user authentication and password management. In this case, you must reinstall the PAM package.

    3. Re-install the PAM package.

      • Ubuntu or Debian

        sudo apt-get update
sudo apt-get install --reinstall libpam-modules

      • CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

        sudo yum reinstall pam

    4. Run the following command again to check whether pam_unix.so exists.

      sudo find / -name "pam_unix.so"

    Step 2: Check the pam_pwquality.so module configuration

    The pam_pwquality.so module enforces password complexity rules, such as minimum length and character types. If the pam_pwquality.so module is enabled, passwords must meet the defined rules.

    1. Check the system logs for error messages related to pam_pwquality.so, such as Module is unknown or pam_chauthtok() failed.

      • Ubuntu or Debian

        sudo tail -f /var/log/auth.log

      • CentOS, RHEL, or Alibaba Cloud Linux

        sudo tail -f /var/log/secure
        Note

        The following error messages appear:

        PAM unable to dlopen(pam_puquality.so): /lib/security/pam_puquality.so: cannot open shared object file: No such file or directory
PAM adding faulty module: pam_puquality.so

        The log indicates that the system cannot load the pam_pwquality.so module. This error can occur if the pam_pwquality.so module is not installed or if the installation path is incorrect.

    2. Run the following command to check whether pam_pwquality.so is installed.

      sudo find / -name "pam_pwquality.so"

      The following command output indicates that the module is installed: 

      /usr/lib/x86_64-linux-gnu/security/pam_pwquality.so

    3. If pam_pwquality.so is installed:

      1. Check whether the PAM configuration file, such as /etc/pam.d/common-password or /etc/pam.d/system-auth, correctly references pam_pwquality.so.

        Ubuntu or Debian

        1. Run the following command to check the content of the /etc/pam.d/common-password file.

          sudo cat /etc/pam.d/common-password | grep -v "#"

        2. Make sure that the following lines exist in the file and are correct:

          password [success=1 default=ignore] pam_unix.so obscure sha512
password requisite pam_deny.so
password required pam_permit.so
password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

        3. If the configuration is incorrect, edit the /etc/pam.d/common-password file.

          sudo vi /etc/pam.d/common-password

          Add or modify the following line:

          password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

          Save and close the file.

        CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

        1. Run the following command to check the content of the /etc/pam.d/system-auth file. 

          sudo cat /etc/pam.d/system-auth | grep -v "#"

          Make sure that the following lines exist in the file and are correct:

          password   sufficient   pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password   required     pam_deny.so
password   requisite    pam_pwquality.so try_first_pass local_users_only retry=3

        2. If the configuration is incorrect, edit the /etc/pam.d/system-auth file.

          sudo vi /etc/pam.d/system-auth

          Add or modify the following line:

          password requisite pam_pwquality.so try_first_pass local_users_only retry=3

          Save and close the file.

      2. Run the following command to check the content of the /etc/security/pwquality.conf file.

        sudo cat /etc/security/pwquality.conf

        Make sure that the following lines exist in the file and are correct:

        minlen = 10
minclass = 3
retry = 3
        Note

        • minlen = 10: The minimum password length is 10 characters.

        • minclass = 3: The password must contain characters from at least three character classes (lowercase letters, uppercase letters, digits, and special characters).

        • retry = 3: Allows up to three password retries.

    4. If pam_pwquality.so is not installed:

      Note

      • If you do not need to enforce password complexity checks, such as password length and character types, you can comment out or delete the lines related to pam_pwquality.so in the /etc/pam.d/common-password file.

      • If you need password complexity checks, install the libpam-pwquality package.

      Check whether the PAM configuration file references pam_pwquality.so.

      Ubuntu or Debian

      Run the following command to check the /etc/pam.d/common-password file:

      sudo cat /etc/pam.d/common-password | grep "pam_pwquality.so"

      If output similar to the following is returned, pam_pwquality.so is referenced:

      password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

      CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

      Run the following command to check the /etc/pam.d/system-auth file:

      sudo cat /etc/pam.d/system-auth | grep "pam_pwquality.so"

      If output similar to the following is returned, pam_pwquality.so is referenced:

      password requisite pam_pwquality.so try_first_pass local_users_only retry=3

      If pam_pwquality.so is not installed but is referenced, use one of the following two methods.

      Method 1: Install pam_pwquality.so

      1. Run the following command to install the pam_pwquality.so module.

        • Ubuntu or Debian

          sudo apt-get update
sudo apt-get install libpam-pwquality

        • CentOS, Red Hat Enterprise Linux (RHEL), or Alibaba Cloud Linux

          sudo yum install pam_pwquality

      2. After installation, run the following command again to check whether pam_pwquality.so exists.

        sudo find / -name "pam_pwquality.so"

      Method 2: Comment out the pam_pwquality.so configuration (Temporary solution, not recommended)

      If you cannot resolve the issue immediately, you can temporarily comment out the pam_pwquality.so line to bypass the password complexity check.

      1. Open the PAM configuration file.

        • Ubuntu or Debian

          sudo vi /etc/pam.d/common-password

        • CentOS, RHEL, or Alibaba Cloud Linux

          sudo vi /etc/pam.d/system-auth

      2. Find the following line: 

        password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

      3. Add a number sign (#) at the beginning of the line to comment it out.

        # password requisite pam_pwquality.so retry=3 minlen=10 minclass=3

      4. Save and close the file.

      Important

      • After you comment out the pam_pwquality.so line, the system no longer enforces password complexity, which can reduce security. You should disable password complexity checking only in test environments or specific scenarios.

      • To re-enable password complexity checking, uncomment the pam_pwquality.so line and ensure the rules in the /etc/security/pwquality.conf file are correct.

    Step 3: Verify that the configuration is effective

    Change the password and verify that the change is in effect.

    passwd