AIX Password Encryption Issues

Article ID: 225969

Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

Passwords hashed with sha512 on the central change server are unusable on AIX endpoints. Also, after sha512 password hashing has been configured correctly on one AIX endpoint, a password changed locally on that endpoint works, but any subsequent password change made by the user fails with "Syntax error: Illegal user name or password."

Environment

Release : 12.8

Component : CA ControlMinder - Unix

Resolution

The issue occurs because the password is hashed in the Linux (crypt(3) "$6$") sha512 format, which AIX does not accept by default. IBM has the following page which explains the difference between the two formats and how to configure AIX to accept such passwords:

https://www.ibm.com/support/pages/aix-making-sha-256-and-sha-512-passwords-compatible-other-oss

On the master endpoint, stop PIM, open seos.ini, and set the passwd_format token to NT. With this token set, the endpoint hands the password to the operating system to hash rather than hashing it itself, so an AIX endpoint produces an AIX-native hash. You also need to set passwd_distribution_encryption_mode to 3 on the master endpoint and on every subscriber in the environment for this to work. Below are the results of my internal testing. Note that I used sha256 on the master endpoint and sha512 on the subscriber to illustrate the difference in behavior: the "$5$" values are Linux-style sha256crypt hashes, while the "{ssha512}" value in the last test is the hash format that AIX itself writes to /etc/security/passwd.

With passwd_format not set on the master endpoint:

Brian:
        password = $5$qEnp4Bb

With passwd_format set to NT on the master endpoint and passwd_distribution_encryption_mode set to 1 on both the master endpoint and subscriber:

Brian:
        password = $5$Eolu5rly

With passwd_format set to NT on the master endpoint and passwd_distribution_encryption_mode set to 3 on both the master endpoint and subscriber:

Brian:
        password = {ssha512}06$qPM7PpqR
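The quickest way to confirm which case an endpoint is in is to look at the prefix of the stored hash: Linux crypt(3) hashes start with "$1$", "$5$" or "$6$", while the formats AIX writes itself start with "{smd5}", "{ssha256}" or "{ssha512}". The following Python script is an added example (not part of this article or of the PIM product) that parses /etc/security/passwd-style stanzas like the ones shown above and reports, per user, whether the stored hash is in an AIX-native format. The user names and the stanza text are constructed for the example; the hash values are the truncated ones shown in the test results above.

```python
"""Classify password hashes in AIX /etc/security/passwd stanzas.

Added example: identifies whether each stored hash is in a format AIX's own
crypt produces ({ssha512} etc.) or in the Linux crypt(3) "$id$" format that
AIX rejects by default.
"""

# Prefixes that identify the hash format. Linux crypt(3) uses "$id$salt$hash";
# AIX stores its own "{alg}cost$salt$hash" formats in /etc/security/passwd.
LINUX_CRYPT_IDS = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
AIX_NATIVE_IDS = {"{smd5}": "smd5", "{ssha256}": "ssha256", "{ssha512}": "ssha512"}


def parse_stanzas(text):
    """Parse stanza text (a "user:" line followed by indented "attr = value"
    lines) into {user: {attr: value}}. Blank lines and "*" comments are skipped."""
    stanzas = {}
    user = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip() or line.lstrip().startswith("*"):
            continue
        if not raw[0].isspace() and line.endswith(":"):
            user = line[:-1]
            stanzas[user] = {}
        elif user is not None and "=" in line:
            key, value = line.split("=", 1)
            stanzas[user][key.strip()] = value.strip()
    return stanzas


def classify_hash(value):
    """Return (family, algorithm) for a stored password hash.

    family is "aix" for formats AIX's own crypt handles, "linux-crypt" for
    glibc-style "$id$" hashes, or "unknown" (e.g. "*" for a locked account)."""
    for prefix, alg in AIX_NATIVE_IDS.items():
        if value.startswith(prefix):
            return ("aix", alg)
    for prefix, alg in LINUX_CRYPT_IDS.items():
        if value.startswith(prefix):
            return ("linux-crypt", alg)
    return ("unknown", None)


def check_passwd(text):
    """For each stanza, report the hash family/algorithm and whether an AIX
    endpoint accepts the hash without the extra configuration IBM describes."""
    report = {}
    for user, attrs in parse_stanzas(text).items():
        family, alg = classify_hash(attrs.get("password", ""))
        report[user] = {"family": family, "algorithm": alg,
                        "aix_native": family == "aix"}
    return report


# Constructed sample: three stanzas with the (truncated) hash values from the
# article's test results; user names are made up for this example.
SAMPLE = """\
* constructed sample, not a real /etc/security/passwd
alice:
        password = $5$qEnp4Bb
bob:
        password = $5$Eolu5rly
carol:
        password = {ssha512}06$qPM7PpqR
"""

if __name__ == "__main__":
    for user, info in check_passwd(SAMPLE).items():
        status = "AIX-native" if info["aix_native"] else "NOT AIX-native"
        print(f"{user}: {info['family']} ({info['algorithm']}) -> {status}")
```

Run it against a copy of the subscriber's /etc/security/passwd after a distributed password change: an entry that still reports "linux-crypt" means the master is hashing the password itself, which points back at passwd_format or passwd_distribution_encryption_mode being wrong on one of the endpoints.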