Automatic Password Rotation fails

Article ID: 6404

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

On some appliances where the root password of several Unix servers is managed and rotated automatically, rotation fails verification for some of those servers, apparently at random. Even when rotation fails, the affected machines can still be accessed.

Cause

When PAM sends the passwd command to the managed server, the server responds with two lines:

passwd: Changing password for root
New Password: 

On most Unix servers a password change is a three-step dialogue: the current password is sent first, then the new password, then the new password again as confirmation. PAM's script processor therefore expects the first prompt it receives to match the Password Entry Prompt, not the Password Change Prompt. Here, because the account being rotated is root, passwd does not ask for the current password at all: the first line it prints is purely informational, and the very next line is already the new-password prompt.

As a result, PAM matches the informational line as if it were the Password Change Prompt and sends the new password one step early. When the real New Password: prompt arrives, PAM treats it as the confirmation prompt and sends what it believes is the confirmation entry, although this is the first time the server is actually reading the new password. PAM then considers the change complete while the server is still waiting for the confirmation entry, which never arrives, and the password change fails.

Environment

Releases: 
PAM 2.x 
PAM 3.x
 

Resolution

Go to the target application's Script Processor settings:

1) Modify the Target Application script processor prompts:

Modify the Password Change Prompt to: "(?si).*? new password:*?" or

Modify the Password Confirmation Prompt to: "(?si)(.*?re.*password.*:.*)"

Log in to the device externally, confirm what the Password Entry Prompt prefix actually looks like on that device, and modify the Password Entry Prompt to:

"(?si)(.*?password.*:.*?)"

The (?si) prefix makes the match case-insensitive and lets . match across line breaks, so the patterns match regardless of the capitalisation the device uses. If you do not also modify the Password Entry Prompt, rotation may still fail.

AND/OR

2) Increase the script processor timeout from the default value (5 seconds) to a higher value (the appropriate value has to be determined for your environment).
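As an added illustration (not code from this article or from CA PAM itself), the following Python script replays the exchange described in the Cause section against the prompt regexes given in the Resolution, and can be pointed at prompt text captured from a real device. The server chunks are constructed from the sample output in the Cause section, with an ssh login prompt added. Two assumptions are labelled in the code: the "before" prompt set that reproduces the off-by-one is hypothetical, since the article does not quote the original settings; and the Change Prompt's literal space before "new" is written as \s*, because in the sample output "New Password:" begins its own line and the pattern exactly as quoted would not match it.

```python
import re

# Constructed server output, chunk by chunk, for a root password rotation on
# a Unix host (modelled on the Cause section): ssh login prompt, then passwd
# prints an informational line followed by the two new-password prompts.
# root is never asked for the current password.
SERVER_CHUNKS = [
    "Password: ",                            # ssh login prompt
    "passwd: Changing password for root\n",  # informational, no input read
    "New Password: ",
    "Retype new password: ",
]

# Prompt regexes from the Resolution section. ASSUMPTION: the Change Prompt
# is quoted there with a literal space before "new"; it is written \s* here
# because "New Password:" starts its own line in the sample output.
ARTICLE_PROMPTS = {
    "entry":   r"(?si)(.*?password.*:.*?)",
    "change":  r"(?si).*?\s*new password:*?",
    "confirm": r"(?si)(.*?re.*password.*:.*)",
}

# HYPOTHETICAL "before" configuration, not the product defaults (the article
# does not quote them): a Change Prompt loose enough to fire on the
# informational "passwd: Changing password ..." line.
LOOSE_PROMPTS = {
    "entry":   r"(?si)(.*?password.*:.*?)",
    "change":  r"(?si).*passw.*",
    "confirm": r"(?si).*password.*",
}

STEPS = ("entry", "change", "confirm")   # order the script processor expects


def is_prompt(chunk):
    """The server is reading input only when the chunk ends with ': '."""
    return chunk.endswith(": ")


def matching_prompts(prompts, chunk):
    """Every configured prompt that fires on this chunk, in step order.

    Use it on prompt text copied from the device or from the Catalina log to
    see how a candidate prompt set behaves before rolling it out.
    """
    return [name for name in STEPS if re.search(prompts[name], chunk)]


def run_rotation(prompts, chunks, current_pw, new_pw):
    """Replay the exchange between the script processor and the server.

    The processor tests each chunk only against the prompt of the step it is
    waiting on (entry -> change -> confirm); on a match it sends that step's
    answer and advances. The simulated server keeps an answer only when it was
    sent in reply to a real prompt; input sent after an informational line is
    discarded (a simplification of tty buffering, sufficient to show why the
    confirmation entry never arrives).
    """
    answers = {"entry": current_pw, "change": new_pw, "confirm": new_pw}
    received = {}       # prompt text -> value the server actually read
    discarded = []      # (chunk, value) sent while no prompt was open
    step = 0
    for chunk in chunks:
        if step < len(STEPS) and re.search(prompts[STEPS[step]], chunk):
            sent = answers[STEPS[step]]
            if is_prompt(chunk):
                received[chunk] = sent
            else:
                discarded.append((chunk.strip(), sent))
            step += 1
    return {
        "rotated": (received.get("Password: ") == current_pw
                    and received.get("New Password: ") == new_pw
                    and received.get("Retype new password: ") == new_pw),
        "processor_steps_done": step,
        "server_waiting_for": [c for c in chunks
                               if is_prompt(c) and c not in received],
        "discarded": discarded,
    }


if __name__ == "__main__":
    for label, prompts in (("loose (hypothetical before)", LOOSE_PROMPTS),
                           ("article prompts", ARTICLE_PROMPTS)):
        print(label, run_rotation(prompts, SERVER_CHUNKS, "oldpw", "newpw"))
    for chunk in SERVER_CHUNKS:
        print(repr(chunk), "->", matching_prompts(ARTICLE_PROMPTS, chunk))
```

With the loose prompts the processor finishes all three steps but the server is still waiting at "Retype new password:", which is exactly the failure the Cause section describes; with the article's prompts every prompt is answered. The matching_prompts helper also shows that the three recommended patterns overlap ("Retype new password:" satisfies all three), so they only work because the script processor consumes them strictly in order, which is also why a pattern that fires one line early derails every later step. Run it against the exact prompt strings from your device or the Catalina log before applying a new prompt set to many targets.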

Additional Information

Analyze the Catalina (Tomcat) log, which records the exchange with the target server during the password change.

To obtain more detailed logging in Tomcat, go to Config > Diagnostic.

Set the Tomcat log level to INFO or FINEST, reproduce the issue and download the Tomcat logs.

Afterwards, set the log level back to its previous value.