Password change failing for Linux accounts


Article ID: 223707


Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

When changing the password of some Linux accounts (on various distributions), either manually from the Credentials Management section of PAM or through a scheduled rotation job, the PAM logs report that the script processor failed to complete correctly.

This is a generic error message and does not by itself identify the cause.

The Tomcat logs give more detail: there are messages about a timeout waiting for input from the server, and finally about failing to receive the <random_number>-0-<random_number> string that the server is expected to return as the final outcome of the password change process.

Increasing the timeout for script processing does not resolve the problem.

Cause

There are multiple reasons why a default script may fail. The best troubleshooting approach is to log in from PAM directly to the server having the problem and carry out the password change there by hand, so as to see how the remote system reacts to the prompts and answers that PAM sends. It may be returning strings the script does not expect, or it may not be expecting the strings that CA PAM is sending to it.

This article deals with just one possible cause, observed on a few systems, for the password change error: the configuration of the Pluggable Authentication Modules (pam) stack on the Linux/UNIX target.

One of the functions of the pam component in Linux/UNIX is to provide enhanced security for system login. For an introduction to pam, see for instance the following article. The pam configuration can change the way Linux processes login requests and, in particular, the prompts the server displays when a user logs in or changes the password of a given account.

The particular case covered here is that a change in the pam configuration caused the password change confirmation prompt to appear more than once.

That is, instead of

Type new password:

Please retype your password:

which is the usual expected dialog for most Linux/UNIX systems, the dialog presented is:

Type new password:

Please retype your password:

Please retype your password:

Such a change in the password change dialog breaks the default script, because the script answers the first confirmation prompt and then waits for the completion marker while the server is still waiting for a second confirmation; the result is the timeout and missing <random_number>-0-<random_number> string described above.

Environment

CA PAM several versions

Resolution

There are several pam module configurations that may lead to this result. There is plenty of literature about what can cause a repeated prompt, so you are strongly advised to check for other combinations of modules if the one described here is not the one affecting your system. In the particular case in which this issue was observed, /etc/pam.d/common-password contained the following line twice:

password requisite pam_cracklib.so

Each occurrence of pam_cracklib.so in the password stack runs the module again, and each run asks for the new password to be confirmed, which is what produced the double prompt.

Removing one of the two occurrences corrected the double prompt, and the default script started working as expected.

Please note that one additional possibility is to modify the update script so that it handles this specific dialog. Please consult Broadcom Support and engage Services if this is the case and you need help modifying the default script.
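The following shell script is an added example for this article (it is not part of CA PAM or of the article's default script) showing how to check a pam stack file for the duplicated-module condition described above and how to strip the exact duplicate line. The sample /etc/pam.d/common-password content is constructed for the example, in the broken state with pam_cracklib.so listed twice; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not CA PAM code): detect and remove duplicated module lines in a
# PAM stack file such as /etc/pam.d/common-password. A duplicated
# "password requisite pam_cracklib.so" line runs the module twice and produces
# the extra "Please retype your password:" prompt that breaks the default script.

# find_duplicate_pam_lines FILE
# Prints "<type> <module> <count>" for every (type, module) pair that occurs more
# than once. Comments, blank lines and @include lines are ignored; the control
# field (including bracketed forms such as "[success=1 default=ignore]") and the
# module arguments are ignored, so two lines differing only in options still
# count as the same module.
find_duplicate_pam_lines() {
    sed -e 's/#.*//' "$1" | awk '
        NF >= 3 {
            type = $1; i = 2
            # skip a bracketed control field that may span several words
            if ($2 ~ /^\[/) { while (i <= NF && $i !~ /\]$/) i++ }
            i++
            if (i <= NF) { key = type " " $i; n[key]++ }
        }
        END { for (k in n) if (n[k] > 1) print k, n[k] }' | sort
}

# dedupe_exact_pam_lines FILE
# Writes FILE to stdout keeping only the first occurrence of each identical
# non-comment line; this is the "remove one of its occurrences" fix from the
# article, applied mechanically. Review the output before installing it.
dedupe_exact_pam_lines() {
    awk '/^[ \t]*(#|$)/ { print; next } !seen[$0]++' "$1"
}

# make_sample_pam_file FILE
# Constructed sample of /etc/pam.d/common-password in the broken state.
make_sample_pam_file() {
    cat > "$1" <<'EOF'
# /etc/pam.d/common-password (constructed sample, broken state)
password requisite pam_cracklib.so retry=3 minlen=8
password requisite pam_cracklib.so retry=3 minlen=8
password [success=1 default=ignore] pam_unix.so obscure use_authtok sha512
password requisite pam_deny.so
password required pam_permit.so
EOF
}

# Usage: run against the constructed sample, then against the real file on the
# target host, e.g.  find_duplicate_pam_lines /etc/pam.d/common-password
sample=$(mktemp)
make_sample_pam_file "$sample"
echo "duplicates in sample:"
find_duplicate_pam_lines "$sample"
fixed=$(mktemp)
dedupe_exact_pam_lines "$sample" > "$fixed"
echo "duplicates after dedupe: $(find_duplicate_pam_lines "$fixed" | wc -l)"
rm -f "$sample" "$fixed"
```

On the constructed sample the check reports "password pam_cracklib.so 2"; after the duplicate is dropped it reports nothing, and a manual passwd run on the target should then show the confirmation prompt only once. The check deliberately matches on the module name rather than the whole line, because the same module listed twice with different options still runs twice.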
