Expired "authentication token" for user with deleted password
Solution 1:
I had this issue on a Debian 8 DigitalOcean droplet created using the 'user data' (web-form-posted setup script (bash or cloud-init)) option.
check systemd journal for relevant error messages:
journalctl | grep -B 1 -i "cron.*authentication token" | tail -n 3
May 19 13:17:01 debian-512mb-fra1-01 CRON[16714]: pam_unix(cron:account): expired password for user root (root enforced)
May 19 13:17:01 debian-512mb-fra1-01 CRON[16714]: Authentication token is no longer valid; new one required
May 19 13:17:01 debian-512mb-fra1-01 cron[470]: Authentication token is no longer valid; new one required
see which account(s) have expired status
cut -d: -f 1 /etc/passwd | while read U ; do chage -l $U | sed "s|^|$U:|"; done | grep "must be"
root:Last password change : password must be changed
root:Password expires : password must be changed
root:Password inactive : password must be changed
use 'chage' tool to update expiry fields, first attempt
chage -I -1 -m 0 -M 999999 -W 31 root
Note: didn't have the desired effect until I also added the 'last-changed' option (-d)
use 'chage' tool to update expiry fields, second attempt
chage -d `date "+%F"` -E 2999-01-01 -I -1 -m 0 -M 999999 -W 31 root
check the field expiry
chage -l root
Last password change : May 19, 2017
Password expires : never
Password inactive : never
Account expires : Jan 01, 2999
Minimum number of days between password change : 0
Maximum number of days between password change : 999999
Number of days of warning before password expires : 31
Solution 2:
It sounds like your system removed the password but did not clear the password expiration requirements.
If this is the case you can clear these manually using vipw -- The affected field will either be in the passwd file or the shadow file depending on your OS (See man 5 passwd and man 5 shadow for details on the file formats so you know which field(s) you need to clear)