After enabling and configuring sesu, users are prompted for a password multiple times.
Example: # sesu nonrootuser Please enter your password: Password:
Cause
In seos.ini there are 2 options related to how sesu requests passwords. When both of these flags are enabled they will both be requested when sesuing to a non-root user.
request_target_password: This token determines whether when the old_sesu token is set to no and the user is executing sesu to a non-root user, the password of the target user will be requested.
UseInvokerPassword: A Boolean value that determines whether sesu requests the invokers to specify their own passwords.
Environment
CA PIM Linux/UNIX endpoint with sesu feature enabled
Resolution
The final resolution here would depend on the requirements for accessing the effected system. The UseInvokerPassword and request_target_password functionalities should be evaluated to determine which (if any) should be enabled. Once proper settings are determined, both values should be explicitly enabled or disabled in seos.ini.
NOTE: Commenting out the token is not the same as explicitly disabling it because these tokens have default values. request_target_password specifically defaults to yes.
seos.ini editing instructions:
Stop PIM daemons: # secons -s
Either manually edit the seos.ini file or use commands like the examples below to edit: # seini -s sesu.UseInvokerPassword yes # seini -s sesu.request_target_password no