[suse-security] /etc/shadow unchanged but password not valid anymore

[David Huecking <d.huecking@xxxxxxx>]

Hi!

I'm facing something like a miracle:
On a SuSE 9.3 PC from time to time for some users the login is denied but the 
accounts are not set up with expiration nor are they disabled and 
the /etc/shadow is unchanged (compared with diff and md5sum with a copy of 
the file).
In the log you get:
Nov 12 22:12:34 tombombadil sshd[8677]: error: PAM: Authentication failure for 
bla from dslb-...

Two other accounts still work every time.
Hashing-algorithm for files in /etc/default/passwd is blowfish (CRYPT=des but 
CRYPT_FILES=blowfish).
When running a passwd bla as root and defining the same password as before 
everything ist fine again.
I ran chkrootkit (from a clean enviroment) on the machine without finding 
anything suspicious.

Can anyone give me a hint?


-- 
Eat, sleep and go running,
David Hücking.

Encrypted eMail welcome! 
GnuPG/ PGP-Key: 0x57809216. Fingerprint: 
3DF2 CBE0 DFAA 4164 02C2  4E2A E005 8DF7 5780 9216

-- 
Check the headers for your unsubscription address
For additional commands, e-mail: suse-security-help@xxxxxxxx
Security-related bug reports go to security@xxxxxxx, not here