Trying to rotate a target account password for an account which is not root but which has the ability to change its own password, the following error is obtained.
In the Tomcat log one can see the following:
2024-04-05T07:47:23.239+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T118016 - received data 'Last unsuccessful login: Wed Apr 1 11:31:27 EEST 2020 on ssh from <PAM IP>
Last login: Fri Apr 5 10:47:21 EEST 2024 on ssh from 10.47.38.51
$ ' MATCHES the pattern '[#|\$|>]
2024-04-05T07:47:23.240+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T118016 - sent data 'passwd
'
2024-04-05T07:47:23.742+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T118016 - received data 'passwd
Changing password for "<account>"
<Account>'s New password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)
2024-04-05T07:47:23.743+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T118016 - sent data '<not logged>'
2024-04-05T07:47:24.243+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T118016 - received data '
Enter the new password again:' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)
2024-04-05T07:47:24.243+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T118016 - sent data '<not logged>'
2024-04-05T07:47:24.744+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T118016 - received data '
3004-600 The password entry does not match, please try again.
<account>'s New password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)
2024-04-05T07:47:24.744+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T118016 - sent data '<not logged>'
CA PAM, all versions up to the latest one at the time of writing this article (4.1.7).
This is caused by a mismatch between what PAM expects to receive from the remote machine and what it is effectively getting.
Generally, when an account changes its password in UNIX, the machine first asks for the old password, and then asks for the new password twice.
When the user is root, it asks straight away for the new password, then asks for it once more, and the password is changed.
On some systems, though, even if the account is not root, if it has the ability to change its own password the first prompt for the old password is not issued.
This is what is happening in this case: on password change the system asks straight away for the new password, but PAM believes it needs to send the old password and does so. PAM gets confused because the pattern used to recognize whether the prompt is asking for the old or the new password (such as a : or $ at the end of the prompt) is the same for both, and because the default Unix script is configured to send the old password first.
After the system has received what it thinks is the new password (but is in fact the old password mistakenly sent by PAM) it asks for the password to be sent again. At that point, PAM thinks it needs to send the new password and it does so.
On receiving the new password, the system compares it with the previous password received and, of course, there is a mismatch, thereby resulting in this error.
Modify the target account properties, flagging it as a root account. PAM will then expect the new password to be requested straight away, which is the use case faced here, and this corrects the problem.
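As an added illustration (not code from the article or from the product), the following Python simulation reproduces the exchange: a constructed target whose passwd skips the old-password prompt is driven once with the default non-root script and once with the account flagged as root. The class and function names (PasswdNoOldPrompt, rotate) and the simulated prompts are assumptions; the prompt pattern is the one quoted in the log above.

```python
import re

# Prompt pattern quoted from the PAM log; it cannot distinguish an old-password
# prompt from a new-password prompt, which is the root of the confusion.
PASSWORD_PROMPT = re.compile(r"(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)")

MISMATCH = "3004-600 The password entry does not match, please try again."


class PasswdNoOldPrompt:
    """Constructed simulation of a target whose passwd does not ask a non-root
    account for its old password (the behaviour described in the article)."""

    def __init__(self, current):
        self.current = current
        self.first = None          # first value typed at "New password:"
        self.state = "new1"
        self.prompt = 'Changing password for "acct"\nacct\'s New password:'
        self.result = None

    def send(self, line):
        """Feed one reply to passwd and return the next prompt it prints."""
        if self.state == "new1":
            self.first = line
            self.state = "new2"
            self.prompt = "Enter the new password again:"
        elif self.state == "new2":
            if line == self.first:
                self.current = line
                self.result = "changed"
                self.prompt = "$ "
            else:
                # The two entries differ: passwd rejects and re-prompts.
                self.result = MISMATCH
                self.state = "new1"
                self.prompt = MISMATCH + "\nacct's New password:"
        return self.prompt


def rotate(target, old, new, flagged_root):
    """PAM-like client. The default Unix script (flagged_root=False) answers the
    first password prompt with the OLD password; the root script sends the new
    password twice. Returns the outcome reported by the simulated target."""
    replies = [new, new] if flagged_root else [old, new, new]
    prompt = target.prompt
    for reply in replies:
        if not PASSWORD_PROMPT.match(prompt):
            break                  # shell prompt or unexpected text: stop
        prompt = target.send(reply)
        if target.result is not None:
            break                  # passwd has either accepted or rejected
    return target.result
```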