PAM -- Why would a verify fail but a password rotation comes back successful?

Article ID: 261421

Updated On: 10-12-2023

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Why would a verify fail while a rotation of the Linux password comes back successful? If you search the attached Catalina.out log file for <username> you will see it.

Environment

Release : 4.1

Cause

The Linux verification script uses a different method of password verification than the password rotation script. The differences can also depend on the verification method chosen (verifying as the account itself or as another user).

The verification script relies on a successful login to the Linux device. If the account is validated as itself, that user must be able to log on, get a shell and run a simple command, "echo $?". If this is not successful (anything other than 0 is returned), the verification fails. If the password is verified by another user, that user must be able to log in and run a change-user command (the default is su), passing the current password defined in PAM. It then runs the same command above to confirm the switch was successful.

The password change script has to log on and run the passwd command to change the password. Multiple checks are performed, because this process will normally pass the updated password twice. If the password is changed as another user, the privilege elevation command (the default is sudo) must run. If the password is successfully updated, no additional verification is required.

In this case we were able to verify that the change-user command "su" was not authorized, so only the verification script was failing.

Resolution

Client had to restore the missing values in the /etc/pam.d/su file, which had been modified during server patching.
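One way to catch this class of problem before the next verify fails is to compare /etc/pam.d/su against a baseline copy saved before patching. The script below is an added example, not part of the KB article or of CA PAM; the baseline path and the sample PAM directives in the demo are constructed assumptions.

```sh
#!/bin/sh
# Added example: report directives present in a saved baseline of /etc/pam.d/su
# that are missing from the current file (the "missing values" case above).

# pam_normalize FILE: drop comments and blank lines and squeeze whitespace,
# so tab-vs-space or alignment edits made by a patch do not count as drift.
pam_normalize() {
    sed -e 's/#.*$//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' \
        -e 's/[[:space:]][[:space:]]*/ /g' "$1" | grep -v '^$' || true
}

# pam_su_drift BASELINE CURRENT
# Prints "MISSING: <directive>" for each baseline line absent from CURRENT.
# Returns 0 when nothing is missing, 1 when at least one directive is gone.
pam_su_drift() {
    b=$(mktemp); c=$(mktemp)
    pam_normalize "$1" > "$b"
    pam_normalize "$2" > "$c"
    # lines of the baseline that do not match any current line exactly
    missing=$(grep -Fxvf "$c" "$b")
    rm -f "$b" "$c"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing" | sed 's/^/MISSING: /'
    return 1
}

# Demo with constructed files (assumed content, not a real distribution's su stack).
if [ "$#" -eq 0 ]; then
    d=$(mktemp -d)
    printf 'auth\tsufficient\tpam_rootok.so\nauth\tinclude\tsystem-auth\naccount\tinclude\tsystem-auth\n' > "$d/su.baseline"
    printf '# rewritten by patching\nauth sufficient pam_rootok.so\naccount include system-auth\n' > "$d/su"
    pam_su_drift "$d/su.baseline" "$d/su" || echo "drift detected in $d/su"
    rm -rf "$d"
fi
```

Run it as `pam_su_drift /path/to/su.baseline /etc/pam.d/su` from a scheduled job; a non-zero exit is the signal that the verify script's su step is about to break.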