Using another account to change a UNIX target account's password

Article ID: 132195

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

There are some use cases where using another account to modify privileged user passwords is beneficial:
1. To avoid both accidental and intentional password changes that could lock other users out of a shared privileged account, a company may institute security policies that prevent these accounts from simply changing their own passwords.
2. After an unforeseen event or disaster, a server containing the user store or Active Directory may need to be restored from an earlier backup, which effectively rolls back the passwords of many accounts. In this case only having to manually synchronize a single account or a few accounts to allow PAM to automatically synchronize

Each Unix and Linux version can employ different security methods, including RBAC rules, to control or limit which users can change another user's password with the passwd command. At the time of writing, all major versions of Unix require the root account, or the root role account, to run the passwd command against another user from a command prompt without elevating permissions through a command such as sudo.

PAM's default implementation for managing privileged accounts on Unix is based on the passwd command, run over SSH access to the device. Using other tools provided by the operating system or by third-party applications to change another user's password, such as chpasswd and smit, or using non-local integrated user databases such as NIS or AD, is not discussed in this document.

The most common method of privilege elevation is the sudo command, which passes root rights to a non-root user if properly configured in the sudoers file. This can be customized in the Target Application by modifying the Privileged Elevation Command under the Script Processor tab; for example, the pbrun command can replace the sudo command.

Environment

Release:
Component: CAPAMX

Resolution

To configure a Unix account that will be used to change another local Unix account's password you will need to:
1. Create a local Unix account on the Unix machine.
2. Add a line to the sudoers file granting this user the right to use sudo (see the samples below).

# User privilege specification
pamrotate        ALL=(ALL:ALL) ALL # give this user all root rights including passwd

or

pamrotate        ALL=(ALL) PASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and require a password

or

pamrotate        ALL=(ALL) NOPASSWD:/usr/bin/passwd # give only the passwd command rights to this user through sudo and do not require a password

Note: There are several other possible syntaxes for configuring sudo; the PAM product has no preference regarding the values you set. For more information on configuring sudo, see the documentation for your specific operating system.

Before proceeding, validate the behavior on the Unix console to ensure sudo is working before configuring the account in the PAM product.

[pamrotate@<hostname> ~]$ sudo passwd root
[sudo] password for pamrotate:
Changing password for user root.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[pamrotate@<hostname> ~]$

3. Add or modify the Target Account that PAM will use to change other Target Accounts' passwords: select the UNIX tab and choose the option from the Privilege Elevation setting that matches your sudo configuration.

o Do not use elevated privileges: does not use the sudo command; passes the current (old) password of this user
o Use elevated privileges: uses the sudo command; does not pass the current (old) password of this user
o Use elevated privileges with authentication: uses the sudo command; passes the current (old) password of this user
o This account is a root account: does not use the sudo command; does not pass the current (old) password of this user
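As an added example (not code from this article or from the PAM product), the following Python helper reads sudoers text, finds the rules that let the rotation account run passwd as root through sudo, and maps the PASSWD/NOPASSWD tag of each rule to the Privilege Elevation option listed above, flagging grants that are far broader than passwd requires. The sample sudoers text is constructed from the three variants shown earlier; the /usr/bin/passwd path is an assumption.

```python
"""Map sudoers rules for the PAM rotation account to the Privilege Elevation option in PAM.
Added example, not code from the article or the PAM product: it parses plain user-specification
lines only (aliases, #include and '!' negations are not resolved) and assumes /usr/bin/passwd."""
import re

PASSWD = "/usr/bin/passwd"                          # assumed location of the passwd binary
# user  hosts=(runas) [TAG:]cmd[, cmd ...]
RULE_RE = re.compile(r"^(\S+)\s+(\S+?)\s*=\s*(?:\(([^)]*)\))?\s*(.+)$")

# Constructed sample holding the three sudoers variants shown in the article.
SAMPLE_SUDOERS = """\
# User privilege specification
root      ALL=(ALL:ALL) ALL
pamrotate ALL=(ALL:ALL) ALL # give this user all root rights including passwd
pamrotate ALL=(ALL) PASSWD:/usr/bin/passwd
pamrotate ALL=(ALL) NOPASSWD:/usr/bin/passwd
"""

def parse_rule(line):
    """Return (user, runas_user, tag, [command paths]) or None for non-rule lines."""
    line = line.split("#", 1)[0].strip()            # drops comments and #include lines
    if not line or line.startswith(("Defaults", "%", "@")):
        return None
    m = RULE_RE.match(line)
    if not m:
        return None
    user, _hosts, runas, cmds = m.groups()
    tag = "PASSWD"                                  # sudo prompts for a password unless NOPASSWD is set
    tag_m = re.match(r"^(NOPASSWD|PASSWD):\s*(.*)$", cmds)
    if tag_m:
        tag, cmds = tag_m.groups()
    paths = [c.split()[0] for c in cmds.split(",") if c.strip()]
    runas_user = (runas or "root").split(":")[0]    # "(ALL:ALL)" -> "ALL"; no Runas list means root
    return user, runas_user, tag, paths

def passwd_grants(sudoers_text, user):
    """For each rule letting `user` run passwd as root via sudo, return (PAM option, granted scope)."""
    grants = []
    for line in sudoers_text.splitlines():
        rule = parse_rule(line)
        if rule is None or rule[0] != user or rule[1] not in ("ALL", "root"):
            continue
        tag, paths = rule[2], rule[3]
        if "ALL" not in paths and PASSWD not in paths:
            continue                                # rule does not cover passwd
        scope = PASSWD if "ALL" not in paths else "ALL commands (far broader than passwd requires)"
        option = ("Use elevated privileges" if tag == "NOPASSWD"
                  else "Use elevated privileges with authentication")
        grants.append((option, scope))
    return grants
```

Run it against a copy of the real sudoers file taken from the target host to confirm that exactly one rule applies to the rotation account and that its option matches what is selected on the UNIX tab.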

4. Add or modify the Target Account for which the previous Target Account will act as the rotation account and select the UNIX tab. For this user, set "Use the following account to change password" and use the magnifying glass to select the rotation account.

5. Verify or rotate the password on the Target Account to ensure all configurations were successful. If not, check the Tomcat logs first for additional information.