Password change in PAM SC for an AIX user done from Linux results in password error
Article ID: 399379

Products

CA Privileged Access Manager - Server Control (PAMSC)

Issue/Introduction

Sometimes it may be necessary to connect from a Linux endpoint to an AIX machine in PAM SC via selang and carry out a password change for a user on that machine.

In Access Control version 12.81 this worked seamlessly, but this is no longer the case:

PAMSC>
PAMSC> host example
(example)
Successfully connected
INFO: Target host's version is 14.10-40 (17)
UNIX OS info: example AIX 2 28 May 2025 16:41:16 CEST
PAMSC>
PAMSC> cu <user> password(<password>)
(example)
Successfully updated USER <user>
(example)
Native:
===
Successfully updated USER  <user>
PAMSC> Connection to example closed by remote host.
Connection to example closed.

At the target machine:

bash-5.2# uname -a
AIX example 2 7 00CDA8A74C00
bash-5.2# exit
exit
# uname -a
AIX example 2 7 00CDA8A74C00
#
#
 
# view /etc/security/passwd
 
user1:
        password = $5$Ar2xxxxxxxx
 
The $5$ prefix is the Linux crypt format; this is not the format that AIX expects in /etc/security/passwd.

Environment

CA PAM SC 14.1.X on Linux and AIX

Cause

This is working as designed. AC 12.81 supported only SHA hashing, which is why it worked.

Unfortunately SHA has been considered flagrantly insecure for quite a while, so newer versions of the product introduced support for additional hashing methods, in particular SHA-2 with its choice of 128, 256 and 512 key sizes (Linux, for example, uses a 256 or 512 key size). This added a couple of entries in seos.ini to consider:

; This token indicates which method is used for hashing user passwords when they are
; distributed to other endpoints (i.e., in remote operation mode).  Its setting must be
; in agreement with the setting on the remote endpoint.
; Valid values are:
;     1 - Compatibility mode (password is hashed locally as per the local
;         passwd_local_encryption_method setting and then sent over to the remote endpoint
;         to be stored there).  Note: This method cannot be used when local and remote
;         endpoints have differing coding conventions, e.g., Linux and AIX.
;     3 - Bidirectional mode (password is encrypted with our bidirectional encryption
;         method and then securely sent over to the target endpoint to be decrypted and
;         hashed there as per its own settings).
;
; Default Value: 1
passwd_distribution_encryption_mode = 1

 

; This token indicates which password hashing method should be used by the local system
; Valid values are: crypt  md5  sha256  sha512
; Default Value: sha256
passwd_local_encryption_method = sha256

As seen here, if passwd_distribution_encryption_mode is set to 1, the Linux endpoint hashes the password in its own format and sends it as-is to AIX, which will not understand it.

Resolution

Please set passwd_distribution_encryption_mode = 3 on the Linux endpoint where the password is being changed or set, as well as on the AIX PAM SC endpoint where the user will be logging in.
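As an added check (not code from the article or the product), the Python below applies the rules stated in the seos.ini comments above to the settings of two endpoints and scans an AIX /etc/security/passwd stanza for Linux-style $5$/$6$ crypt hashes. The file contents are constructed samples, and the user2 hash value is a placeholder.

```python
# Constructed seos.ini fragments (sample data, not copied from a real endpoint).
LINUX_SEOS_INI = """\
passwd_distribution_encryption_mode = 1
passwd_local_encryption_method = sha256
"""
AIX_SEOS_INI = "passwd_distribution_encryption_mode = 1\n"
FIXED_SEOS_INI = "passwd_distribution_encryption_mode = 3\n"

# Constructed AIX /etc/security/passwd stanza: user1 carries a Linux $5$ hash,
# user2 an AIX-native entry (placeholder value, not a real hash).
AIX_PASSWD = """\
user1:
        password = $5$Ar2xxxxxxxx
user2:
        password = {ssha256}placeholder
"""

def read_token(ini_text, token):
    """Return the value of `token` from seos.ini text (';' starts a comment)."""
    for line in ini_text.splitlines():
        line = line.split(";", 1)[0].strip()
        if "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == token:
                return value
    return None

def distribution_mode_ok(local_ini, remote_ini, local_os, remote_os):
    """Rules from the seos.ini comments: both ends must agree, and mode 1 is
    only valid when both endpoints share coding conventions (same OS)."""
    token = "passwd_distribution_encryption_mode"
    local = read_token(local_ini, token) or "1"   # documented default is 1
    remote = read_token(remote_ini, token) or "1"
    if local != remote:
        return False, f"mode mismatch: local={local} remote={remote}"
    if local == "1" and local_os != remote_os:
        return False, f"mode 1 cannot bridge {local_os} and {remote_os}; set 3 on both"
    return True, f"mode {local} on both endpoints"

def find_foreign_hashes(passwd_text):
    """Users in an AIX stanza file whose hash uses the glibc crypt prefixes
    $5$ (SHA-256) or $6$ (SHA-512), i.e. a Linux format AIX will not accept."""
    users, current = [], None
    for line in passwd_text.splitlines():
        if line.rstrip().endswith(":") and not line.startswith((" ", "\t")):
            current = line.rstrip()[:-1]
        elif current and line.strip().startswith("password ="):
            if line.split("=", 1)[1].strip().startswith(("$5$", "$6$")):
                users.append(current)
    return users
```

Run find_foreign_hashes over the real /etc/security/passwd after the mode change to confirm no stale Linux-format entries remain for users whose passwords were set while mode 1 was active.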