Password Change fails for Linux Servers
search cancel

Password Change fails for Linux Servers


Article ID: 8390


Updated On:


CA Privileged Access Manager (PAM)


Password management may fail on some Linux servers with default Script processor settings for a UNIX target application.


Release: PAMDKT99500-2.7-Privileged Access Manager-NSX API PROXY


A UNIX target application changes passwords by issuing the "passwd" command, or whatever command is configured as the "Change Password Command" in the Script Processor section of the target application. This command typically issues a line or two of text before prompting for the current or new password, depending on whether it's a root account or not, and on whether the account changes its own password, or a master account is used to change the password of another account.

E.g. when a master account changes the password of another account, the response by the passwd command may look like this:


# passwd standarduser

Changing password for user standarduser.

New password:


The UNIX target application will issue the passwd command and then wait for a response matching the "Password Entry Prompt" regular expression defined in the Script Processor section of the target application. The problem is that the default expression, (?si)(.*?password(\sfor|:).*?) or (?si)(.*?password(\sfor|\sagain|:).*?) depending on the release, matches both the first and the second line of the response. If the response is not returned in a single string but line by line, the target application may send the password prematurely after receiving the first line, and then send it a second time in response to the first prompt for the new password. In that case it will fail to resend the new password when the passwd command asks for confirmation of the new password, and the update will fail.


Edit the UNIX target application, go to the Script Processor page and replace the default Password Entry Prompt regular expression with one that requires the presence of the colon character. Assuming the password prompt always end in "password: ", with or without a space character after the colon, the following regular expression will work:


In rare cases there might be additional text between the word "password" and the colon, e.g. a prompt like "New password for standarduser: ". The following regular expression would accommodate additional text starting with the word "for", but still work if there is no additional text: