Article ID: 6803, created on Oct 22, 2009, last review on Aug 12, 2014

  • Applies to:
  • Virtuozzo containers Tools


After creating a Container using Ubuntu 8.10 or a later EZ OS template, it is not possible to log in to Parallels Power Panel of the Container, and the following error message is shown:

"Invalid username or password, please try again."

However, it is possible to log in to the Container via SSH.


It seems that Ubuntu 8.10 uses SHA512 password hashing by default. In Debian 5.0 (and in earlier versions of Debian and Ubuntu), the hashing method was set to MD5:
# grep '^[^#]' /etc/pam.d/common-password
password required nullok obscure min=4 max=8 md5


It is sufficient to update the file /etc/pam.d/common-password and reset the "root" password inside a Container. Example for Container #101:
# vzctl enter 101
# sed '/^password.*sha512/ s~sha512~md5~' -i /etc/pam.d/common-password

After that, the file /etc/pam.d/common-password will contain these lines:
# grep '^[^#]' /etc/pam.d/common-password
password [success=1 default=ignore] obscure md5
password requisite
password required

Remember to reset the 'root' password so that its stored hash is regenerated with MD5:
# passwd root
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
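
A check for the two steps above, as an added example that is not part of the original article: it reads the hash option from a common-password file and the crypt(3) prefix of a user's hash in a shadow-format file, and shows on constructed sample files that the sed edit alone leaves the existing root hash as SHA512. The function names, the sample lines (including the pam_unix.so module name) and the temporary paths are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the article): verify both steps of the workaround.

# Print the hash option on the first uncommented "password" line that
# names one; print "none" if no such option is present.
pam_hash_option() {   # $1 = path to a common-password file
    opt=$(grep '^password' "$1" |
          grep -o -w -E 'md5|bigcrypt|blowfish|sha256|sha512' | head -n 1)
    echo "${opt:-none}"
}

# Map the crypt(3) prefix of a user's stored hash to a scheme name.
shadow_hash_scheme() {   # $1 = shadow-format file, $2 = user name
    hash=$(awk -F: -v u="$2" '$1 == u { print $2 }' "$1")
    case "$hash" in
        '$1$'*)        echo md5 ;;
        '$2'*)         echo blowfish ;;
        '$5$'*)        echo sha256 ;;
        '$6$'*)        echo sha512 ;;
        ''|'!'*|'*'*)  echo none ;;    # no entry, locked or empty
        *)             echo des ;;
    esac
}

# True only if PAM is set to md5 AND the stored hash is already md5.
workaround_applied() {   # $1 = common-password, $2 = shadow file, $3 = user
    [ "$(pam_hash_option "$1")" = md5 ] &&
        [ "$(shadow_hash_scheme "$2" "$3")" = md5 ]
}

# Constructed sample files standing in for a fresh Ubuntu 8.10 Container.
demo=$(mktemp -d)
printf '%s\n' '# constructed sample' \
    'password [success=1 default=ignore] pam_unix.so obscure sha512' \
    > "$demo/common-password"
printf '%s\n' 'root:$6$constructedsalt$constructedhash:14539:0:99999:7:::' \
    > "$demo/shadow"

# Step 1 only: the sed edit changes the PAM option ...
sed -i '/^password.*sha512/ s~sha512~md5~' "$demo/common-password"
echo "PAM option: $(pam_hash_option "$demo/common-password")"
echo "root hash:  $(shadow_hash_scheme "$demo/shadow" root)"

# ... but the stored hash stays sha512 until "passwd root" is run.
workaround_applied "$demo/common-password" "$demo/shadow" root ||
    echo "root hash not regenerated yet: run 'passwd root'"
```

Inside a Container, run the check as root with `workaround_applied /etc/pam.d/common-password /etc/shadow root`.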

It is necessary to perform this modification for every created Container. In order to automate this fix, update the "post-install" script of the affected OS template, e.g., add to the file "/vz/template/ubuntu/8.10/x86/config/os/default/post-install" the following line:

sed '/^password.*sha512/ s~sha512~md5~' -i etc/pam.d/common-password

Then rebuild the cache of the OS template:
# vzpkg remove cache ubuntu-8.10-x86
# vzpkg create cache ubuntu-8.10-x86

NOTE: Newer versions of Ubuntu and OpenSuse use If the above workaround does not work, make sure that pam_unix2 has the following settings:
Change the CRYPT_FILES value in /etc/default/passwd to md5:
# Define default crypt hash. This hash will be
# used. If there is no hash for a special service,
# the user is stored in
# CRYPT={des,md5,blowfish,sha256,sha512}
# We can override the default for a special service
# by appending the service name (FILES, YP, NISPLUS, LDAP).
# For local files, using a more secure hash. We
# don't need to be portable in such a case:

Additional information

Also see this article:
112597: Unable to log in to container or virtual machine
