-1

I am getting tons of these messages in my /var/log/messages file

Apr 16 06:58:20 server pam_pwdfile[7856]: couldn't open password file /etc/techproxy.shadow
Apr 16 06:58:20 server pam_pwdfile[7863]: couldn't open password file /etc/techproxy.shadow
Apr 16 06:58:20 server pam_pwdfile[7859]: couldn't open password file /etc/techproxy.shadow

Can anyone please let me know what might be trying to access this file multiple times per second?

*** Update **

The command grep pam_pwdfile /etc/pam.d/*

Returns:

/etc/pam.d/techproxy.auth    sufficient   pam_pwdfile.so    /etc/techproxy.shadow

I do see a file called techproxy in the pam.d folder

is it safe to delete this I see can find no info on what it is for?

Paul Mall
  • 1
  • 1

1 Answers1

1

If you look at the files in directory /etc/pam.d/ you'll (almost certainly) find one or more of them that refer to pam_pwdfile. The following command will show you which ones ...

grep pam_pwdfile /etc/pam.d/*

From this you should be able to work out (from the file name) which bit of of the system is trying to use pam_pwdfile for authentication.

Paul Haldane
  • 4,517
  • 1
  • 21
  • 32
  • The grep command returns: /etc/pam.d/techproxy.auth sufficient pam_pwdfile.so /etc/techproxy.shadow there is a file called techproxy in pam.d folder is this causing the message? if so can I simply remove the file? I do not know what it is doing or what it's purpose is – Paul Mall Apr 16 '15 at 18:04
  • There must be a service running (techproxy?) using this PAM config (otherwise you wouldn't be getting the log messages. If your're lucky there might be comments in the techproxy.auth file explaining what the service is. If not, try seeing which package owns the file `rpm -q -f /etc/pam.d/techproxy.auth`. If that gives you a package name then `rpm -q -i techproxy` will give you more info (assuming package name is techproxy). – Paul Haldane Apr 17 '15 at 10:38
  • the first command returned: cpanel_bluehost_extras=1.0-18.e16.noarch seems it is a cpanel service I boiled it down to cphulk which prevents brute force logins. I had disabled this and forgot to turn it back on seems to have slowed down now that I turned it back on. Thanks for the help. I am keeping my eye on the logs now – Paul Mall Apr 17 '15 at 14:05