How to configure PIM to use more than only the first eight characters of a user password?

Document ID : KB000030782
Last Modified Date : 14/02/2018

After installing PIM on a Linux host with default options, only the first eight characters of an OS user password are used when the password is set with selang or sepass, even when PIM password quality checking is enabled and configured to require longer passwords.

This document describes how to change this behaviour so that PIM sets passwords longer than eight characters.

The examples demonstrating the behaviour are taken from Linux, but in principle they apply to any other Unix flavour PIM supports.

Older versions of Linux and UNIX hashed user passwords only with the traditional DES-based crypt(3) algorithm (the document calls this the CRYPT / DES encryption method).
Hashes produced this way use only the first 8 characters of the password. A longer password can be typed in, but every character after the eighth is silently discarded, so the effective password is always eight characters long and a 20-character password offers no more protection than its first eight characters. A DES crypt hash is recognisable in /etc/shadow as a 13-character string with no "$id$" prefix.

Newer versions of Linux and Unix enable stronger password hashing methods by default, such as MD5, SHA-256 or SHA-512, which also use the full length of a long password.

Note that PIM 12.8 SP1 and older use the CRYPT / DES method by default when setting Enterprise User passwords.

To allow PIM to store long passwords, do the following:

- stop PIM by running, in a root shell:
  # secons -s

- edit the file <PIM_install_dir>/seos.ini

- change the token to:
  passwd_local_encryption_method = md5

- start PIM again by running, in a root shell:
  # seload
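The procedure above as one shell script, added here as an example and not part of the CA article or product: it backs up seos.ini, rewrites the passwd_local_encryption_method token in place without touching other lines, stops and restarts PIM only when the secons and seload binaries are actually present, and refuses a method that the CryptLister utility described in the amendment at the end of this article does not list. The seos.ini fragment it edits is constructed, its [passwd] section name is an assumption, and the install directory is passed in as an argument rather than guessed.

```shell
#!/bin/sh
# Added example for this article (not CA's own tooling): switch the
# seos.ini token passwd_local_encryption_method with a backup, and read
# the new value back. The sample seos.ini below is constructed and its
# [passwd] section name is assumed; seos.ini is assumed to use
# "token = value" lines.

# Rewrite an existing "token = value" line in place, or append one.
# A <file>.bak copy is kept so the change can be reverted.
set_ini_token() {   # usage: set_ini_token <file> <token> <value>
    file=$1; token=$2; value=$3
    cp -p "$file" "$file.bak"
    if grep -q "^[[:space:]]*$token[[:space:]]*=" "$file"; then
        # the "=" after the token keeps e.g. "<token>_extra" lines untouched
        awk -v t="$token" -v v="$value" \
            '$0 ~ ("^[ \t]*" t "[ \t]*=") { print t " = " v; next } { print }' \
            "$file.bak" > "$file"
    else
        printf '%s = %s\n' "$token" "$value" >> "$file"
    fi
}

# Print the current value of a token (last occurrence wins).
get_ini_token() {   # usage: get_ini_token <file> <token>
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" \
        | sed 's/[[:space:]]*$//' | tail -n 1
}

# Check a method against the whitespace-separated list CryptLister prints,
# e.g. "crypt  md5  sha256  sha512" (the line shown in the article).
method_supported() {   # usage: method_supported <method> "<CryptLister output>"
    for m in $2; do [ "$m" = "$1" ] && return 0; done
    return 1
}

# The article's procedure: stop PIM, edit the token, start PIM, read back.
# PIM binaries are only invoked when present, so this is harmless on a
# host without PIM (it then only edits the file you point it at).
apply_pim_change() {   # usage: apply_pim_change <path to seos.ini> <method>
    ini=$1; method=$2
    if [ -x /opt/CA/AccessControl/lbin/CryptLister ]; then
        method_supported "$method" "$(/opt/CA/AccessControl/lbin/CryptLister)" \
            || { echo "method '$method' not supported on this host" >&2; return 1; }
    fi
    if command -v secons >/dev/null 2>&1; then secons -s; fi   # stop PIM
    set_ini_token "$ini" passwd_local_encryption_method "$method"
    if command -v seload >/dev/null 2>&1; then seload; fi       # start PIM again
    get_ini_token "$ini" passwd_local_encryption_method
}

# Demo on a constructed seos.ini fragment in a temporary directory; it does
# not stop or start PIM, it only exercises the file edit.
demo() {
    d=$(mktemp -d)
    printf '[passwd]\npasswd_local_encryption_method = crypt\n' > "$d/seos.ini"
    echo "before: $(get_ini_token "$d/seos.ini" passwd_local_encryption_method)"
    set_ini_token "$d/seos.ini" passwd_local_encryption_method md5
    echo "after:  $(get_ini_token "$d/seos.ini" passwd_local_encryption_method)"
    method_supported sha512 "crypt  md5  sha256  sha512" && echo "sha512 is listed by CryptLister"
    rm -rf "$d"
}
demo
```

On a real host you would call apply_pim_change with the actual seos.ini path as root; the backup file lets you restore the crypt setting if a login test after the change fails.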

To verify that PIM now sets Enterprise User passwords with the MD5 method, do the following:

- change a user's password using sepass
  # sepass myLocalUser

- check that the stored hash carries the MD5 indicator ($1$ prefix)
  # fgrep myLocalUser /etc/shadow
  myLocalUser:$1$2pLOrL0Y$cNzs9cWW974apNvKFOuQZ0:16588:0:99999:7:::

Setting user passwords with MD5 works even when the OS default is a stronger method such as SHA-512: the OS crypt library identifies the method from the hash prefix, so a $1$ entry and a $6$ entry can coexist in /etc/shadow. Do confirm that the user can still log in after the change, since hosts that restrict weak hashes (for example a system running in FIPS mode) may reject MD5 hashes.

To verify which default password encryption method the OS is configured for, e.g. on Linux, run in a root shell:
  # fgrep ENCRYPT_METHOD /etc/login.defs
  ENCRYPT_METHOD SHA512

Alternatively, change a user's password with the native passwd binary and inspect the result in the shadow file:
  # passwd myLocalUser
  ...
  # fgrep myLocalUser /etc/shadow
  myLocalUser:$6$49EBsnXM$VMZgXZ1PDv7LO5y31HOofkF5BPJqlP6BgTX/7/lOYpkniQFbaZ8TatGZad2uyoQ7wYahiT6fImio3zSR8681l1:16588:0:99999:7:::

These prefixes indicate the hashing method:
$1$ means you are using MD5
$2$ or $2a$ means you are using blowfish
$5$ means you are using SHA-256
$6$ means you are using SHA-512
no prefix (a 13-character hash) means you are using traditional DES crypt

Note: only set passwd_local_encryption_method = md5 in PIM if the host OS is configured to use MD5 or a stronger method; an OS whose crypt library only understands DES cannot verify the MD5 hashes PIM would write.
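The verification steps and the prefix table above, together with the note about the OS default, as one small shell helper added here as an example (not part of the article): it classifies a shadow entry by its prefix, reads ENCRYPT_METHOD from login.defs, and applies the rule that md5 may only be set in PIM when the OS default is MD5 or stronger. It goes slightly beyond the article's table by also recognising the $2b$/$2y$ bcrypt and $y$ yescrypt prefixes that newer distributions emit. The sample shadow entries reuse the two hashes printed in this article under different user names, plus a constructed 13-character DES entry; no real system files are read unless you pass their paths.

```shell
#!/bin/sh
# Added example (not part of the article): classify the hash scheme of a
# shadow(5) entry from its "$id$" prefix, read the OS default from
# login.defs, and check the article's rule that PIM should only be
# switched to md5 when the OS itself is at MD5 or stronger.

# Print the scheme name for one /etc/shadow line.
hash_scheme() {   # usage: hash_scheme '<shadow line>'
    hash=$(printf '%s' "$1" | cut -d: -f2)
    case $hash in
        '$1$'*)                           echo md5 ;;
        '$2$'*|'$2a$'*|'$2b$'*|'$2y$'*)   echo blowfish ;;   # $2b$/$2y$: bcrypt variants
        '$5$'*)                           echo sha256 ;;
        '$6$'*)                           echo sha512 ;;
        '$y$'*)                           echo yescrypt ;;   # default on recent Debian/Fedora
        ''|'!'*|'*'*)                     echo locked ;;     # no usable hash
        *)
            # No "$id$" prefix: a traditional DES crypt(3) hash is exactly 13
            # characters from [./0-9A-Za-z] (2 salt + 11 hash characters).
            if printf '%s' "$hash" | grep -Eq '^[./0-9A-Za-z]{13}$'; then
                echo crypt
            else
                echo unknown
            fi ;;
    esac
}

# OS default from login.defs (shadow-utils ENCRYPT_METHOD). If the file is
# missing or the token is absent, DES is assumed, which is shadow-utils'
# own fallback; "des" is reported as "crypt" to match hash_scheme.
os_default_method() {   # usage: os_default_method [login.defs path]
    f=${1:-/etc/login.defs}
    [ -r "$f" ] || { echo crypt; return 0; }
    m=$(awk '$1 == "ENCRYPT_METHOD" { m = tolower($2) } END { print (m == "" ? "des" : m) }' "$f")
    case $m in des) echo crypt ;; *) echo "$m" ;; esac
}

# The article's caveat: set passwd_local_encryption_method = md5 only if the
# OS is configured for MD5 or higher, i.e. its default is not DES crypt.
pim_md5_allowed() {   # usage: pim_md5_allowed [login.defs path]; exit 0 when OK
    [ "$(os_default_method "$1")" != crypt ]
}

# Report the scheme of a user's stored hash next to the OS default and
# return 1 if the user is still on 8-character DES crypt, which is the
# symptom this article fixes.
check_user() {   # usage: check_user <user> [shadow path] [login.defs path]
    line=$(grep "^$1:" "${2:-/etc/shadow}") || { echo "$1: no shadow entry" >&2; return 2; }
    scheme=$(hash_scheme "$line")
    echo "$1: $scheme (OS default: $(os_default_method "$3"))"
    [ "$scheme" != crypt ]
}

# Demo on constructed files: the md5 and sha512 hashes are the ones shown in
# the article; desUser's 13-character value is made up to look like DES crypt.
demo() {
    d=$(mktemp -d)
    cat > "$d/shadow" <<'EOF'
myLocalUser:$1$2pLOrL0Y$cNzs9cWW974apNvKFOuQZ0:16588:0:99999:7:::
shaUser:$6$49EBsnXM$VMZgXZ1PDv7LO5y31HOofkF5BPJqlP6BgTX/7/lOYpkniQFbaZ8TatGZad2uyoQ7wYahiT6fImio3zSR8681l1:16588:0:99999:7:::
desUser:AbCdEfGhIjKlM:16588:0:99999:7:::
EOF
    printf 'ENCRYPT_METHOD SHA512\n' > "$d/login.defs"
    for u in myLocalUser shaUser desUser; do
        check_user "$u" "$d/shadow" "$d/login.defs" || echo "  -> $u is still limited to 8 password characters"
    done
    pim_md5_allowed "$d/login.defs" && echo "OS default is MD5 or stronger: md5 may be set in seos.ini"
    rm -rf "$d"
}
demo
```

Run check_user against the real /etc/shadow (as root) after the sepass step to confirm the $1$ prefix; a crypt result means the PIM change has not taken effect for that user yet, since existing hashes are only replaced when the password is next set.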

Also note that PIM 12.8 SP1 and older provide no password encryption method stronger than MD5. This is subject to change in newer versions.

Amendment:

In the latest build of PIM 12.8 SP1, a utility was introduced that lists the encryption methods supported by both the OS and PIM.

In a root shell execute:

# /opt/CA/AccessControl/lbin/CryptLister
crypt  md5  sha256  sha512

Any of the listed values can then be assigned to the seos.ini token passwd_local_encryption_method.