Automatic Password Rotation fail

Document ID : KB000006404
Last Modified Date : 14/02/2018
Issue:

This issue concerns Unix servers where the root password is managed.

Of the 20 servers now being managed by PAM, 2 fail verification. The failure is random.

Although the password rotation failed, access to these two machines is still possible.

Environment:
Any
Cause:

When PAM sends the command passwd, the server responds with 2 lines: 

passwd: Changing password for root
New Password: 

The first line matches the Password Entry Prompt instead of the Password Change Prompt.
So, when the target server sends the first line, PAM interprets it as the server asking for the current password.
Then the "New Password:" line matches the Password Confirmation Prompt prefix.

Resolution:

Go to the target application/Script Processor:

1) Modify the Target Application Script processor:

Modify the Password Change Prompt to: "(?si).*? new password:*?" or 

Modify the Password Confirmation Prompt to: "(?si)(.*?re.*password.*:.*)"

Log in to the device externally to confirm what the Password Entry Prompt prefix is, and modify it to:

"(?si)(.*?password.*:.*?)".

If you don't modify the Password Entry Prompt, you may still have issues.

AND/OR

2) Update the script processor timeout from the default value (5 seconds) to a higher value (actual value to be determined)
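
An offline check of the prompt patterns from step 1 against the output quoted under Cause, added here as an example and not part of the vendor's tooling. It assumes a pattern counts as matched when it is found anywhere in the received text (the article does not say how PAM applies it), and `RETYPE` is a constructed sample line.

```python
import re

# Prompt patterns copied verbatim from the Resolution section.
PROMPTS = {
    "Password Change Prompt": r"(?si).*? new password:*?",
    "Password Confirmation Prompt": r"(?si)(.*?re.*password.*:.*)",
    "Password Entry Prompt": r"(?si)(.*?password.*:.*?)",
}

# The two lines quoted in the Cause section.
LINE1 = "passwd: Changing password for root"
LINE2 = "New Password: "
# Constructed sample of a confirmation prompt (not from the article).
RETYPE = "Re-enter new Password: "


def classify(text, prompts=PROMPTS):
    """Names of every prompt pattern found in `text`.

    Assumption: a pattern counts as matched when re.search finds it
    anywhere in the received text; the product may apply it differently.
    """
    return [name for name, pattern in prompts.items()
            if re.search(pattern, text)]


def report(samples):
    """Map each sample string to the prompt names it triggers."""
    return {sample: classify(sample) for sample in samples}


if __name__ == "__main__":
    # Check each line alone, then the buffer once both lines have arrived.
    samples = [LINE1, LINE2, LINE1 + "\n" + LINE2, RETYPE]
    for text, names in report(samples).items():
        print(f"{text!r:55} -> {names or 'no prompt matched'}")
```

Replace the sample strings with output captured from an external login to the target; a line that returns more than one name is ambiguous between those prompts.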

Additional Information:

Analyze the information with the Catalina log.

Go to Config:Diagnostic:

Set the Tomcat log level to INFO or FINEST, reproduce the issue and download the Tomcat logs.

Set the log level back to the previous configuration or to warning.