The sepass utility was used to change a password on an AIX server, but the user cannot log in with the new password. Checking the passwd file before and after running sepass confirmed that the password was changed.
# awk '/pamscuser/{x=NR+2}(NR<=x){print}' /etc/security/passwd
pamscuser:
password = {ssha512}06$ZfHP1.....
lastupdate = 1711620180
# sepass
Enter pamscuser's old password:
Enter new password:
Verify new password:
Local password updated successfully.
# awk '/pamscuser/{x=NR+2}(NR<=x){print}' /etc/security/passwd
pamscuser:
password = {ssha512}06$AdJB9.....
lastupdate = 1712073414
Privileged Identity Manager, 12.8
PAM Server Control, 14.x
The password was changed, but it was not being encrypted properly because the passwd_format token was set to NT in the seos.ini configuration file.
The passwd_format token should not be set because this is an AIX endpoint. Commenting it out of seos.ini allowed sepass to encrypt the passwords properly.
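One way to check an endpoint for this condition, as an added example that is not part of the original article or the product's own tooling. It assumes lines starting with ';' or '#' are comments and that tokens appear as "name = value" under [section] headers; the sample content and the section name example_section are constructed placeholders, and the seos.ini path must be supplied by the caller.

```shell
#!/bin/sh
# Report any active (uncommented) passwd_format token in a seos.ini-style file.
# Exit status 1 means the token is set and should be reviewed on an AIX endpoint.

check_passwd_format() {
    # $1 = path to seos.ini (location depends on the install, so pass it in)
    awk '
        /^[ \t]*[;#]/ { next }          # commented-out lines are inactive
        /^[ \t]*\[/ {                   # remember the current [section]
            sect = $0
            gsub(/^[ \t]*\[|\][ \t]*$/, "", sect)
            next
        }
        /^[ \t]*passwd_format[ \t]*=/ { # active token: print line, section, value
            val = $0
            sub(/^[^=]*=[ \t]*/, "", val)
            sub(/[ \t]+$/, "", val)
            printf "%d:[%s] passwd_format=%s\n", NR, sect, val
            found = 1
        }
        END { exit (found ? 1 : 0) }
    ' "$1"
}

sample_ini() {
    # Constructed sample, not a real seos.ini. $1 = "active" or "commented".
    if [ "$1" = active ]; then
        line='passwd_format = NT'
    else
        line='; passwd_format = NT'
    fi
    printf '%s\n' '; constructed sample' '[example_section]' "$line" 'other_token = 1'
}

# Usage: sh check.sh /path/to/seos.ini
if [ $# -gt 0 ]; then
    if check_passwd_format "$1"; then
        echo "passwd_format is not set"
    else
        echo "passwd_format is set; comment it out on an AIX endpoint"
    fi
fi
```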
For more information about passwd_format and other password-related seos.ini tokens, refer to the documentation link below.