PIM(EP) r12.8 SP1: about passwd_local_encryption_method and passwd_distribution_encryption_mode

Article ID: 196118

Products

CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

The description of these tokens in seos.ini and in the manual reads as follows.

--- a part of seos.ini on 12.8 SP1
[passwd]
...
; This token indicates which password encryption method the local system
; uses to distribute user passwords.
; Valid values are: '1' - Compatibility mode - working with older
; versions of eAC, hence we use 'crypt' like we used to,
; or '2' - MD5 hashing - when working in Linux only environment use
; 'crypt' with MD5 salt, or '3' - bidirectional mode - where we encrypt
; the passwords with our own bidirectional encryption.
; Default Value: 1
passwd_distribution_encryption_mode = 1

; This token indicates in which password encryption method the local system
; will store user passwords.  Which hashing methods are natively supported can
; be checked with the ControlMinder CryptLister utility.
; Valid values are: crypt  md5  sha256  sha512
; Default Value: crypt
passwd_local_encryption_method = crypt
---

If users use passwords longer than 8 characters, which is the limit of the old crypt method,
can they use md5 for both tokens, as follows?
  passwd_local_encryption_method = md5
  passwd_distribution_encryption_mode = 2


Cause

MD5 hashing has been deprecated for at least 10 years by now, after support for SHA was added, and SHA is what one must use if one cares about having passwords securely hashed.

The length of the password is irrelevant when choosing an appropriate setting for the passwd_distribution_encryption_mode token, so the old documentation is confusing and off-target.
The seos.ini comments have been updated for 14.10 installations; below you can see how they look now. Both of these values (1 and 3) were verified to work as expected on all PIM-supported platforms: one only has to be aware of differences in encoding on some platforms (in particular, AIX) when choosing option 1.

Environment

Release : 12.8

Component : CA ControlMinder - Unix

Resolution

Please see the following description in seos.ini at PAMSC 14.1:

--- a part of seos.ini on PAMSC 14.1
[passwd]
...
; This token indicates which method is used for hashing user passwords when they are
; distributed to other endpoints (i.e., in remote operation mode).  Its setting must be
; in agreement with the setting on the remote endpoint.
; Valid values are:
;     1 - Compatibility mode (the password is hashed locally as per the local
;         passwd_local_encryption_method setting and sent over to the remote endpoint for storing
;         and use as is);
;     3 - Bidirectional mode (the password is encrypted with our own bidirectional encryption and
;         securely sent over to the target endpoint to be decrypted and hashed there as per its own
;         settings).
;
; Default Value: 1
passwd_distribution_encryption_mode = 1

; This token indicates which password hashing method should be used by the local system
; Valid values are: crypt  md5  sha256  sha512
; Default Value: sha256
passwd_local_encryption_method = sha256
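The two tokens above only work together when the local and remote endpoints agree: in mode 1 the locally computed hash is stored as-is on the remote endpoint, so both sides must use the same passwd_local_encryption_method, whereas in mode 3 the remote endpoint re-hashes with its own setting. The following script is an added example, not part of this article or of PAMSC; it parses the [passwd] section of two seos.ini files (constructed samples here, using only the token names and values shown above) and reports weak methods, undocumented modes, and mode 1 mismatches between the two endpoints.

```python
"""Added example (not part of the KB article or of PAMSC): check that the
passwd_distribution_encryption_mode / passwd_local_encryption_method pairing
is consistent between a local endpoint and the remote endpoint it
distributes passwords to, per the PAMSC 14.1 seos.ini comments."""
import configparser
import io

# Constructed sample [passwd] sections (not from a real installation).
LOCAL_SEOS_INI = """
[passwd]
; local endpoint: hashes with sha256 and ships the hash as-is (mode 1)
passwd_distribution_encryption_mode = 1
passwd_local_encryption_method = sha256
"""

REMOTE_SEOS_INI = """
[passwd]
; remote endpoint still on the old default
passwd_distribution_encryption_mode = 1
passwd_local_encryption_method = crypt
"""

VALID_METHODS = ("crypt", "md5", "sha256", "sha512")
STRONG_METHODS = ("sha256", "sha512")   # what the article says to use
VALID_MODES = ("1", "3")                 # the only modes documented in 14.1


def parse_passwd_section(text):
    """Return the [passwd] tokens as a dict.  seos.ini uses ';' comment lines
    and 'key = value' lines, which configparser handles with these options."""
    cp = configparser.ConfigParser(comment_prefixes=(";", "#"),
                                   inline_comment_prefixes=(";",),
                                   interpolation=None)
    cp.read_file(io.StringIO(text))
    return dict(cp["passwd"])


def check_endpoint(tokens):
    """Findings for a single endpoint's [passwd] tokens."""
    findings = []
    method = tokens.get("passwd_local_encryption_method")
    mode = tokens.get("passwd_distribution_encryption_mode")
    if method not in VALID_METHODS:
        findings.append(f"invalid passwd_local_encryption_method '{method}'")
    elif method not in STRONG_METHODS:
        findings.append(f"weak passwd_local_encryption_method '{method}'; "
                        "use sha256 or sha512")
    if mode not in VALID_MODES:
        findings.append(f"undocumented passwd_distribution_encryption_mode "
                        f"'{mode}'; 14.1 documents only 1 and 3")
    return findings


def check_distribution(local, remote):
    """Findings for distributing passwords from `local` to `remote`.
    Mode 1 sends the locally computed hash, so the remote endpoint must store
    that same hash type; mode 3 re-hashes on the remote with its own setting,
    so the local hashing methods need not match."""
    findings = []
    lmode = local.get("passwd_distribution_encryption_mode")
    rmode = remote.get("passwd_distribution_encryption_mode")
    if lmode != rmode:
        findings.append(f"distribution mode differs: local {lmode}, remote {rmode}; "
                        "the token must agree on both endpoints")
    if lmode == "1":
        lmethod = local.get("passwd_local_encryption_method")
        rmethod = remote.get("passwd_local_encryption_method")
        if lmethod != rmethod:
            findings.append(f"mode 1: local hashes with {lmethod} but remote "
                            f"stores {rmethod}; align the methods or use mode 3")
    return findings


if __name__ == "__main__":
    local = parse_passwd_section(LOCAL_SEOS_INI)
    remote = parse_passwd_section(REMOTE_SEOS_INI)
    for name, tokens in (("local", local), ("remote", remote)):
        for f in check_endpoint(tokens):
            print(f"[{name}] {f}")
    for f in check_distribution(local, remote):
        print(f"[distribution] {f}")
```

With the constructed samples, the remote endpoint is flagged for its weak crypt method, and the pairing is flagged because a sha256 hash shipped in mode 1 would be stored on an endpoint configured for crypt; switching both endpoints to mode 3, or aligning passwd_local_encryption_method, clears the second finding.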


Additional Information

If passwords are delivered to a Windows subscriber, set the passwd_format token to NT:
[passwd]
  passwd_format = NT