To configure a Unix account that will be used to change the password of another local Unix account, you will need to:
1. Create a local Unix account on the Unix machine.
2. Add a line to the sudoers file granting this user the right to use sudo (see the samples below).
# User privilege specification
pamrotate ALL=(ALL:ALL) ALL # give this user all root rights including passwd
pamrotate ALL=(ALL) PASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and require a password
pamrotate ALL=(ALL) NOPASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and do not require a password
Note: There are several other possible sudo syntaxes; the PAM product has no preference about the values you set. For more information on configuring sudo, see the guidelines for your specific operating system.
Before proceeding, validate the behavior on the Unix console to ensure sudo is working before configuring it in the PAM product.
[pamrotate@<host> ~]$ sudo passwd root
[sudo] password for pamrotate:
Changing password for user root.
Retype new password:
passwd: all authentication tokens updated successfully.
[pamrotate@<host> ~]$
3. Add or modify the Target Account that PAM will use to change other Target Accounts' passwords: select the UNIX tab and choose the option under Privilege Elevation that matches your sudo configuration.
o Do not use elevated privileges: does not use the sudo command; passes the current (old) password of this user
o Use elevated privileges: uses the sudo command; does not pass the current (old) password of this user
o Use elevated privileges with authentication: uses the sudo command; passes the current (old) password of this user
o This account is a root account: does not use the sudo command; does not pass the current (old) password of this user
4. Add or modify the Target Account for which the previous Target Account will serve as the rotation account, and select the UNIX tab. For this user, set "Use the following account to change password" and use the magnifying glass to select the rotation account.
5. Verify or rotate the password on the Target Account to confirm that all configurations were successful. If it fails, check the Tomcat logs first for additional information.
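As an added example (not part of this article or of the PAM product), the following POSIX shell checker reads a sudoers entry like the samples in step 2 and reports which Privilege Elevation option from step 3 matches it (PASSWD vs. NOPASSWD), and whether the rule is limited to /usr/bin/passwd or grants all commands. The function names and the three sample entries are constructed for illustration.

```shell
#!/bin/sh
# Parse one sudoers entry for USER (hypothetical helper). On success sets
# RULE_AUTH (yes = sudo prompts for the user's password, no = NOPASSWD)
# and RULE_CMDS (the command list granted). Returns 1 if the entry is
# for a different user.
parse_sudoers_entry() {
    _user=$1
    _entry=${2%%#*}                # drop a trailing "# comment"
    set -- $_entry                 # split into fields (no glob chars expected)
    [ "$1" = "$_user" ] || return 1
    shift
    _spec=$*                       # e.g. "ALL=(ALL) NOPASSWD:/usr/bin/passwd"
    _cmds=${_spec#*=}              # drop the host list "ALL="
    _cmds=${_cmds#*)}              # drop the runas spec "(ALL)" if present
    _cmds=${_cmds# }
    case $_cmds in
        NOPASSWD:*) RULE_AUTH=no;  RULE_CMDS=${_cmds#NOPASSWD:} ;;
        PASSWD:*)   RULE_AUTH=yes; RULE_CMDS=${_cmds#PASSWD:} ;;
        *)          RULE_AUTH=yes; RULE_CMDS=$_cmds ;;   # default: password required
    esac
}

# Privilege Elevation option implied by the rule's PASSWD/NOPASSWD tag.
pam_option_for_rule() {
    parse_sudoers_entry "$1" "$2" || { echo "no rule for $1"; return 1; }
    if [ "$RULE_AUTH" = yes ]; then
        echo "Use elevated privileges with authentication"
    else
        echo "Use elevated privileges"
    fi
}

# Least-privilege check: does the rule grant only passwd, or everything?
rule_scope() {
    parse_sudoers_entry "$1" "$2" || return 1
    case $RULE_CMDS in
        ALL)             echo "all-commands" ;;
        /usr/bin/passwd) echo "passwd-only" ;;
        *)               echo "other: $RULE_CMDS" ;;
    esac
}

# Constructed sample entries (the three from step 2) for a stand-alone run.
SAMPLES='pamrotate ALL=(ALL:ALL) ALL # all root rights
pamrotate ALL=(ALL) PASSWD:/usr/bin/passwd
pamrotate ALL=(ALL) NOPASSWD:/usr/bin/passwd'
printf '%s\n' "$SAMPLES" | while IFS= read -r entry; do
    printf '%-50s -> %s [%s]\n' "$entry" \
        "$(pam_option_for_rule pamrotate "$entry")" "$(rule_scope pamrotate "$entry")"
done
```

A rule reported as all-commands works with PAM but grants far more than password rotation needs; the passwd-only forms are the ones to prefer for a rotation account.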