
sesu Requests Password Twice


Article ID: 76593




CA Virtual Privilege Manager CA Privileged Identity Management Endpoint (PIM) CA Privileged Access Manager (PAM)


After enabling and configuring sesu, users are prompted for a password multiple times.

# sesu nonrootuser
Please enter your password:


In seos.ini there are two tokens that control how sesu requests passwords. When both tokens are enabled, sesu requests both passwords when switching to a non-root user.

request_target_password: Determines whether sesu requests the password of the target user when the old_sesu token is set to no and the user runs sesu to a non-root user.

UseInvokerPassword: A Boolean value that determines whether sesu asks invokers to enter their own password.


CA PIM Linux/UNIX endpoint with sesu feature enabled


The resolution depends on the requirements for accessing the affected system. Evaluate the UseInvokerPassword and request_target_password functionality to determine which of them (if any) should be enabled. Once the proper settings are determined, explicitly enable or disable both values in seos.ini.

NOTE: Commenting out the token is not the same as explicitly disabling it because these tokens have default values. request_target_password specifically defaults to yes.

seos.ini editing instructions: 
  1. Stop PIM daemons: # secons -s
  2. Either manually edit the seos.ini file or use commands like the examples below to edit:
    # seini -s sesu.UseInvokerPassword yes
    # seini -s sesu.request_target_password no
  3. Reload PIM daemons: # seload
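
The check below is an added example, not CA/Broadcom code: it reports whether each of the two tokens is set explicitly in a seos.ini file and whether both password prompts would be active, treating a commented-out request_target_password as enabled per the NOTE above. Assumptions: the tokens sit in a `[sesu]` section as `token = value` lines, lines starting with `;` or `#` are comments, values are compared literally to `yes`, old_sesu is not evaluated, and the function names are illustrative.

```shell
#!/bin/sh
# Added example (not vendor code). Assumed seos.ini layout: a [sesu] section
# with "token = value" lines; lines starting with ';' or '#' are comments.

# Print "explicit:<value>" when the token is set in [sesu], else "default".
sesu_token_state() {   # usage: sesu_token_state FILE TOKEN
    awk -v want="$2" '
        /^[ \t]*\[/ { in_sesu = ($0 ~ /^[ \t]*\[sesu\]/); next }
        !in_sesu || /^[ \t]*[;#]/ { next }
        {
            eq = index($0, "="); if (eq == 0) next
            key = substr($0, 1, eq - 1); val = substr($0, eq + 1)
            gsub(/[ \t]/, "", key); gsub(/^[ \t]+|[ \t\r]+$/, "", val)
            if (key == want) state = "explicit:" val
        }
        END { print (state == "" ? "default" : state) }
    ' "$1"
}

# Return 0 only when both tokens are set explicitly, as the article advises.
sesu_audit() {
    rc=0
    for token in UseInvokerPassword request_target_password; do
        state=$(sesu_token_state "$1" "$token")
        echo "sesu.$token: $state"
        if [ "$state" = "default" ]; then rc=1; fi
    done
    return "$rc"
}

# Return 0 when both prompts are active. A missing or commented-out
# request_target_password counts as enabled because it defaults to yes.
sesu_double_prompt() {
    inv=$(sesu_token_state "$1" UseInvokerPassword)
    tgt=$(sesu_token_state "$1" request_target_password)
    [ "$inv" = "explicit:yes" ] || return 1
    [ "$tgt" = "explicit:yes" ] || [ "$tgt" = "default" ]
}

# Constructed sample: the target-password token is commented out, not disabled.
sample_ini() {
    printf '%s\n' '[sesu]' 'UseInvokerPassword = yes' \
        '; request_target_password = no'
}

tmp=$(mktemp) && sample_ini > "$tmp"
sesu_audit "$tmp" || echo "=> set both tokens explicitly (seini -s)"
sesu_double_prompt "$tmp" && echo "=> invoker and target passwords both requested"
rm -f "$tmp"
```

To audit a real endpoint, call `sesu_audit` and `sesu_double_prompt` with the path to its seos.ini instead of the constructed sample.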

Additional Information

SESU Configuration Documentation:

SESU Token Documentation: