How to enforce password policies for UNIX users with CA Privileged Identity Manager

Article ID: 11510

Products

CA Privileged Access Manager - Server Control (PAMSC)
CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

With PIM/PAMSC it is possible to enable and enforce password policies for UNIX users.

How do you enforce password policies for UNIX users with CA Privileged Identity Manager / CA Privileged Access Manager Server Control endpoint (PAMSC Endpoint)?

Environment

All Unix

Resolution

With PIM/PAMSC it is possible to enable and enforce password policies for UNIX users the following way:

1. Activate password quality checking and define password rules

The following selang commands activate password quality checking and define password rules that enforce a minimum of

- Six alphanumeric characters

- Three lowercase characters

- Two numeric characters

> setoptions class+ (PASSWORD)

> setoptions password(rules(alpha("6") lowercase("3") numeric("2"))) [Note: This is just an example]

See all the other defined password rules with this command:

> so list


2. Replace the native passwd utility with sepass

In a root shell enter these commands:

# which passwd

# mv /usr/bin/passwd /usr/bin/passwd.original

# ln -s /opt/CA/AccessControl/bin/sepass /usr/bin/passwd

(The location of sepass and of the native passwd depends on your installation; adjust both paths accordingly.)

Note that only sepass ensures that the new password matches CA PIM password policies, and only sepass updates the database with the new password and the date on which the password was changed. In addition, sepass performs the same functions as /bin/passwd.


3. Shut down PIM and enable automatic calling of segrace in seos.ini

# secons -s

# seini -s pam_seos.call_segrace yes /opt/CA/AccessControl/seos.ini

# seload

(Alternatively, you can set the relevant token directly in seos.ini.)


4. Enable automatic calling of segrace by putting this command in /etc/profile or /etc/profile.CA

/opt/CA/AccessControl/bin/segrace -d

(This step is necessary for, e.g., SSH logins, where /etc/profile is the hook that runs segrace.)


5. Test that all is working as expected by creating a test user and forcing a password change upon first login

Create the user in selang:

> nu testuser grace(1) password(password)

Log on to the local host as testuser and confirm that the password policy is enforced accordingly.
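The system-side steps 2 to 4 above, scripted as an added example that is not part of this article or of the CA product. The function names (install_sepass_link, set_ini_token, ensure_profile_line, verify_setup) are this example's own; the install prefix /opt/CA/AccessControl, the pam_seos.call_segrace token and the secons -s / seload commands are taken from the steps above. The ini edit is the "set the token directly in seos.ini" alternative the article mentions, used here so the helpers can be rehearsed against a scratch directory; on a live system seini does the same job. Every helper is idempotent, and the passwd replacement refuses to overwrite an existing .original backup, so a second run cannot lose the native binary.

```sh
#!/bin/sh
# Added example, not CA code: idempotent helpers for steps 2 to 4 of the article.
# Paths are parameters so the functions can be rehearsed in a scratch directory
# before being pointed at the live system. Assumed default install prefix
# (override with CA_HOME=...): /opt/CA/AccessControl.
set -eu

CA_HOME="${CA_HOME:-/opt/CA/AccessControl}"

# Step 2: make $passwd_bin a symlink to sepass, keeping the native binary as
# <passwd>.original. No-op if the link already points at sepass; refuses to
# overwrite an existing backup so a repeated run cannot destroy the original.
install_sepass_link() {
    passwd_bin="$1"; sepass_bin="$2"
    if [ ! -x "$sepass_bin" ]; then
        echo "sepass is not executable at $sepass_bin" >&2
        return 1
    fi
    if [ -L "$passwd_bin" ] && [ "$(readlink "$passwd_bin")" = "$sepass_bin" ]; then
        return 0
    fi
    if [ -e "$passwd_bin.original" ]; then
        echo "$passwd_bin.original already exists; refusing to overwrite it" >&2
        return 1
    fi
    mv "$passwd_bin" "$passwd_bin.original"
    ln -s "$sepass_bin" "$passwd_bin"
}

# Step 3, file-edit alternative to 'seini -s pam_seos.call_segrace yes <seos.ini>':
# set "key = value" inside [section], replacing an existing token, inserting it
# when the section lacks it, and creating the section when it is missing.
set_ini_token() {
    ini="$1"; section="$2"; key="$3"; value="$4"
    tmp="$ini.tmp.$$"
    awk -v s="$section" -v k="$key" -v v="$value" '
        BEGIN { insec = 0; done = 0 }
        /^\[.*\]$/ {
            # leaving the target section without having seen the key: insert it
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 == "[" s "]")
        }
        insec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" s "]"
                print k " = " v
            }
        }
    ' "$ini" > "$tmp" && mv "$tmp" "$ini"
}

# Step 4: append the segrace call to a profile script exactly once.
ensure_profile_line() {
    profile="$1"; line="$2"
    [ -f "$profile" ] || : > "$profile"
    grep -qxF -- "$line" "$profile" || printf '%s\n' "$line" >> "$profile"
}

# Post-change check: 0 only when the symlink, the ini token and the profile
# hook are all in place. Run it before testing with the grace-period user of step 5.
verify_setup() {
    passwd_bin="$1"; sepass_bin="$2"; ini="$3"; profile="$4"
    [ -L "$passwd_bin" ] || return 1
    [ "$(readlink "$passwd_bin")" = "$sepass_bin" ] || return 1
    sed -n '/^\[pam_seos\]/,/^\[/p' "$ini" \
        | grep -q '^[[:space:]]*call_segrace[[:space:]]*=[[:space:]]*yes' || return 1
    grep -qF -- "segrace -d" "$profile" || return 1
}

# Live run (as root): sh setup_segrace.sh --apply
apply_all() {
    secons -s                                   # stop PIM, as in step 3
    install_sepass_link /usr/bin/passwd "$CA_HOME/bin/sepass"
    set_ini_token "$CA_HOME/seos.ini" pam_seos call_segrace yes
    ensure_profile_line /etc/profile.CA "$CA_HOME/bin/segrace -d"
    seload                                      # start PIM again
    verify_setup /usr/bin/passwd "$CA_HOME/bin/sepass" "$CA_HOME/seos.ini" /etc/profile.CA
}

if [ "${1:-}" = "--apply" ]; then
    apply_all
fi
```

Without --apply the script only defines the functions, so it can be sourced into a shell and each helper pointed at copies of passwd, seos.ini and profile.CA in a scratch directory to confirm the edits it will make before touching the real paths. The selang steps (1 and 5) are left to the selang session shown above, since they talk to the PIM database rather than to files.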