
PIM: Change password without being prompted for current password on linux


Article ID: 106234


Updated On:


CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)


The passwd command prompts every user except root for their current password before allowing a change.

For example:
[[email protected] ~]$ passwd 
Changing password for user user01. 
Changing password for user01. 
(current) UNIX password:
Is it possible to use the Privileged Identity Manager (PIM) agent to change this behaviour?


Component: SEOSWG


The passwd command prompts all users except root for their current password. This is standard passwd behaviour and is not caused by PIM.

PIM can, however, be used to work around it: a sesudo rule lets an authorized user run passwd with root privileges against their own account, and passwd does not ask root for the current password. The following example demonstrates how to set this up.

The following SUDO rule allows authorized users to change their own password, and only their own password, without being prompted for the current one: 
editres SUDO ('changepassword') audit(FAILURE) data('/bin/passwd;$U $e;$O')

Each user who should be able to change their password this way must be authorized to use the rule. It is easier to create a group, authorize the group, and then join the users to it:
ng ("changepassword") 
auth sudo ('changepassword') gid("changepassword") 
join ("testuser") group("changepassword")

We also need to authorize the changepassword group to be able to execute sesudo:
auth PROGRAM ('/opt/CA/AccessControl/bin/sesudo') gid(changepassword)

Users can now change their password using the following where <USERNAME> is their username:
sesudo changepassword <USERNAME>

This is not very user friendly. It can be made friendlier with a small wrapper script, /usr/local/bin/changepassword, containing:
#!/bin/sh
sesudo changepassword "$(sewhoami)"
The script must also be executable at the OS level (for example chmod 755) for users to run it.

We then need to authorize only members of the changepassword group to use this script using the following rules:
nr program ("/usr/local/bin/changepassword") defacc(none) owner(nobody) 
auth program ("/usr/local/bin/changepassword") access(x) gid(changepassword)
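The one-line wrapper above passes whatever sewhoami prints straight to sesudo. The script below is an added example, not code from the original article or from CA, of a hardened drop-in for /usr/local/bin/changepassword that validates the login name before handing it to sesudo, so an empty or malformed name (or root) can never reach passwd. It assumes, and these are assumptions rather than facts stated by the article, that sesudo and sewhoami live in /opt/CA/AccessControl/bin (overridable through the SESUDO and SEWHOAMI variables) and that sewhoami prints only the login name, which the original one-liner already relies on.

```sh
#!/bin/sh
# Hardened drop-in for /usr/local/bin/changepassword.
# Added example; not code from the original article or from CA.
# Assumptions (not from the article): sesudo and sewhoami are in
# /opt/CA/AccessControl/bin, and sewhoami prints just the login name.

SESUDO=${SESUDO:-/opt/CA/AccessControl/bin/sesudo}
SEWHOAMI=${SEWHOAMI:-/opt/CA/AccessControl/bin/sewhoami}
RULE=changepassword   # the SUDO record created with editres in the article

# valid_login NAME: succeed only for a plain login name.  Rejects the empty
# string, anything starting with '-' (so passwd cannot parse it as an option),
# names containing whitespace or shell metacharacters, and root, which never
# needs this path because passwd does not prompt root for a current password.
valid_login() {
    case "$1" in
        ''|-*)              return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
        root)               return 1 ;;
    esac
    return 0
}

# target_user: ask PIM who we are and validate the answer.  Prints the name
# on success; prints nothing and fails if sewhoami is missing or the name is
# not acceptable.
target_user() {
    me=$("$SEWHOAMI" 2>/dev/null) || return 1
    valid_login "$me" || return 1
    printf '%s\n' "$me"
}

# sesudo_cmdline NAME: the exact argv main() will exec, one word per line,
# so it can be checked that nothing but the validated name is passed through.
sesudo_cmdline() {
    printf '%s\n' "$SESUDO" "$RULE" "$1"
}

main() {
    me=$(target_user) || {
        echo "changepassword: cannot determine a valid login name" >&2
        exit 1
    }
    # exec replaces the wrapper process; sesudo sees exactly one argument,
    # the caller's own validated login name.
    exec "$SESUDO" "$RULE" "$me"
}

# Run main only when invoked as the installed wrapper, so the file can also
# be sourced to reuse or test the functions above.
case "${0##*/}" in
    changepassword) main "$@" ;;
esac
```

Install it as /usr/local/bin/changepassword with mode 755; the nr/auth rules above still decide who may execute it, and the SUDO rule still decides what sesudo will run, so the validation here is defence in depth rather than a replacement for the PIM authorization.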

Now, users in the group changepassword, and only users in this group, can change their password, and only their password, without being prompted for the current password by executing: