AIX Endpoints Cannot Use sha256/sha512 Password Encryption

Article ID: 224937
Products

CA Privileged Identity Management Endpoint (PIM)
CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

After configuring AIX to use SHA256/SHA512 password hashing, setting passwd_local_encryption_method in seos.ini to the same algorithm, and changing a user's password on the master endpoint, that user can no longer log in to the AIX subscriber endpoint.

The user's stanza in /etc/security/passwd on the AIX endpoint shows that the password was stored in hashed form, but in the Linux crypt(3) $6$ layout:

pimuser:
        password = $6$qEnp4Bb

Cause

AIX's native SHA256/SHA512 password hashing uses a different on-disk format from the $5$/$6$ crypt(3) format produced by Linux systems. A password hashed on AIX itself looks similar to the following in /etc/security/passwd, with a {ssha256} or {ssha512} prefix rather than $5$ or $6$:

pimuser:
        password = {ssha512}06$qPM7PpqR

With the default password distribution configuration, the master PIM endpoint hashes the password itself and distributes the resulting hash to the subscribers. Because the value arrives already hashed, a subscriber stores it as-is rather than re-hashing it with its local method. An AIX subscriber therefore ends up with a $6$ hash that its login routines do not recognise, and authentication fails even though the stored value is a valid hash of the correct password.
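To see exactly which users on a subscriber ended up with a hash in the wrong form, here is an added shell example (not code from the article or from the product) that parses the stanza layout of /etc/security/passwd and classifies each password field by its prefix. The sample file it writes is constructed, with placeholder hashes; the stanza layout and the two prefixes follow the excerpts above.

```sh
#!/bin/sh
# Added example (not from the CA/Broadcom article): audit the password hashes in an
# AIX-style /etc/security/passwd stanza file and flag entries that are in Linux
# crypt(3) form ($5$/$6$) rather than AIX's native {ssha256}/{ssha512} form.
# Run it on a subscriber after a password push to see which users received a hash
# the endpoint cannot verify. The sample file below is constructed; the hashes are
# placeholders, not real credentials.

write_sample_passwd() {
    cat > "$1" <<'EOF'
root:
        password = {ssha512}06$qPM7PpqRabcdefgh$CONSTRUCTEDNATIVEHASH
        lastupdate = 1700000000

pimuser:
        password = $6$qEnp4Bb$CONSTRUCTEDLINUXHASH
        lastupdate = 1700000000

svcacct:
        password = *
EOF
}

# passwd_hash FILE USER: print the password field from USER's stanza.
# Stanza headers start in column 0 and end with ":"; attributes are indented.
passwd_hash() {
    awk -v user="$2" '
        /^[^ \t#][^:]*:[ \t]*$/ { cur = $0; sub(/:.*$/, "", cur); next }
        cur == user && $1 == "password" && $2 == "=" { print $3; exit }
    ' "$1"
}

# hash_format HASH: classify a stored password value by its prefix.
hash_format() {
    case "$1" in
        '{ssha512}'*) echo aix-ssha512 ;;
        '{ssha256}'*) echo aix-ssha256 ;;
        '$6$'*)       echo linux-sha512crypt ;;
        '$5$'*)       echo linux-sha256crypt ;;
        '$1$'*)       echo md5crypt ;;
        '*'|'!')      echo locked ;;
        '')           echo none ;;
        *)            echo other ;;   # e.g. legacy 13-character DES crypt
    esac
}

# audit_passwd FILE: print one "user format" line per stanza.
audit_passwd() {
    awk '/^[^ \t#][^:]*:[ \t]*$/ { sub(/:.*$/, ""); print }' "$1" |
    while read -r u; do
        printf '%-12s %s\n' "$u" "$(hash_format "$(passwd_hash "$1" "$u")")"
    done
}

# linux_hash_count FILE: number of stanzas carrying a Linux crypt(3) hash.
# Anything above zero on an AIX endpoint means the master pushed pre-hashed values.
linux_hash_count() {
    audit_passwd "$1" | grep -c ' linux-' || true
}

# Stand-alone usage: audit the constructed sample.
tmp=${TMPDIR:-/tmp}/passwd.sample.$$
write_sample_passwd "$tmp"
audit_passwd "$tmp"
echo "linux-format hashes: $(linux_hash_count "$tmp")"
rm -f "$tmp"
```

On a real endpoint, run `audit_passwd /etc/security/passwd` as root; a non-zero `linux_hash_count` on AIX identifies exactly the accounts that were updated through distribution and will fail to log in until the password is re-hashed locally.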

Environment

Privileged Identity Manager 12.8
PAM Server Control 14.0,14.1

Resolution

AIX can be configured to accept SHA256/SHA512 password hashes produced by Linux systems (see the IBM document under Additional Information). If that is not an option, follow the steps below so that passwords are distributed in a form each endpoint re-hashes locally with its own method.

On the master endpoint:

1- Stop all daemons.
2- Open seos.ini for editing.
3- Set passwd_distribution_encryption_mode to 3
4- Set passwd_format to NT
5- Save the file.
6- Start all daemons.

On each subscriber:

1- Stop all daemons.
2- Open seos.ini for editing.
3- Change passwd_distribution_encryption_mode to 3 and save the file.
4- Start all daemons.
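The same steps expressed as an idempotent script, as an added example that is not part of the article or of the product. Assumed: seos.ini lives under /opt/CA/AccessControl (override with SEOS_INI), the three keys sit in the [passwd] section as `key = value` lines, and the daemons are stopped before and restarted after by the operator (steps 1 and 6 above). The sample seos.ini the script writes is constructed.

```sh
#!/bin/sh
# Added example (not from the CA/Broadcom article): apply the seos.ini changes from
# the Resolution steps in an idempotent way, so a configuration-management job can
# run it on the master and on every subscriber. Assumptions: seos.ini is at
# $SEOS_INI (default /opt/CA/AccessControl/seos.ini), the keys live in [passwd],
# and lines are "key = value". Stopping and starting the daemons is left to the
# operator. The sample file below is constructed.

SEOS_INI=${SEOS_INI:-/opt/CA/AccessControl/seos.ini}

write_sample_seos_ini() {
    cat > "$1" <<'EOF'
[seosd]
under_NIS_server = no

[passwd]
passwd_local_encryption_method = sha512
passwd_distribution_encryption_mode = 0
EOF
}

# get_ini_key FILE SECTION KEY: print the value, or nothing if absent.
get_ini_key() {
    awk -v s="$2" -v k="$3" '
        /^[ \t]*\[/ { insec = ($0 ~ ("^[ \t]*\\[" s "\\][ \t]*$")); next }
        insec && $0 ~ ("^[ \t]*" k "[ \t]*=") {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }
    ' "$1"
}

# set_ini_key FILE SECTION KEY VALUE: replace KEY inside SECTION, appending the
# key (and the section header, if missing) when it is not already present.
# The result is written back with cat so the file keeps its owner and mode.
set_ini_key() {
    awk -v s="$2" -v k="$3" -v v="$4" '
        /^[ \t]*\[/ {
            if (insec && !done) { print k " = " v; done = 1 }
            insec = ($0 ~ ("^[ \t]*\\[" s "\\][ \t]*$"))
        }
        insec && !done && $0 ~ ("^[ \t]*" k "[ \t]*=") { print k " = " v; done = 1; next }
        { print }
        END {
            if (!done) {
                if (!insec) print "[" s "]"
                print k " = " v
            }
        }
    ' "$1" > "$1.tmp" && cat "$1.tmp" > "$1" && rm -f "$1.tmp"
}

# Master endpoint: steps 3 and 4.
configure_master() {
    set_ini_key "$1" passwd passwd_distribution_encryption_mode 3
    set_ini_key "$1" passwd passwd_format NT
}

# Subscriber endpoint: step 3.
configure_subscriber() {
    set_ini_key "$1" passwd passwd_distribution_encryption_mode 3
}

# check_config FILE: print the effective values; succeed only if the
# distribution mode is 3, which both roles must end up with.
check_config() {
    mode=$(get_ini_key "$1" passwd passwd_distribution_encryption_mode)
    fmt=$(get_ini_key "$1" passwd passwd_format)
    echo "passwd_distribution_encryption_mode=${mode:-unset} passwd_format=${fmt:-unset}"
    [ "$mode" = 3 ]
}

# Usage: <script> master|subscriber, run between stopping and starting the daemons.
case "${1:-}" in
    master)     configure_master "$SEOS_INI" && check_config "$SEOS_INI" ;;
    subscriber) configure_subscriber "$SEOS_INI" && check_config "$SEOS_INI" ;;
    *)          echo "usage: $0 master|subscriber   (SEOS_INI=$SEOS_INI)" >&2 ;;
esac
```

Saved as, say, seos_passwd_dist.sh, it is run with `master` on the master and `subscriber` on each subscriber after the daemons are stopped; `check_config` confirms the mode took before the daemons are started again. Running it twice leaves the file unchanged, so it is safe to include in a periodic enforcement job.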

Additional Information

IBM Documentation on How to Make AIX Compatible with SHA256/SHA512 Passwords Hashed on Other OS's: https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss