Configuring f5 to enable PAM to rotate passwords

1. Enable Advanced Shell console access in the f5 device (if not already configured)
2. Enable Advanced Shell console access for either a specific user or multiple users in f5.

Note: Please see f5 documentation concerning your release of f5 for further documentation on these steps.

If you want to use one account to update the password of other accounts (use case 2 below), make sure that this user can login to f5 and change its own passwd as well as another user's password using ssh.

The following interview shows how user "admin" changes the password of user "rotate".

[admin@f5:Active:Standalone] ~ # passwd rotate
Changing password for user rotate.
New BIG-IP password:
Retype new BIG-IP password:
[admin@f5:Active:Standalone] ~ #

Note that the password command does NOT ask the admin user for its own password. This is standard behavior for a UNIX or Linux root account. Accordingly below you will see that the admin account is configured with option "This account is a root account". See KB 123217 for details on how to set the correct privilege elevation option for UNIX target accounts.

Use case 1: Configure a PAM target account that can change its own password

1. Create or update a unix target application assigning it to your f5 device

2. Create or update a unix target account with ability to change its own password.

Use case 2: Configure a PAM target account that has its password changed by another account 

This use case requires that you have at least one account configured already following instructions in use case 1 above, and that this account has permissions to change the password of other user accounts on the F5 device.

1. Use the unix target application created in use case 1 (see above).
2. Create a unix target account that uses another account for the change process.

By utilizing a single administrator with Advanced Shell (bash) enabled and authorizing tmsh shell for other privileged accounts PAM can manage these account passwords.