Password will not change after view

Document ID : KB000100903
Last Modified Date : 21/06/2018
Question:
I have defined a password view policy to change the password on view. However, this is not working. The password ends up always as not verified and it never gets changed. How can this be?
Environment:
PAM 2.8.X, 3.X
Answer:
The password change in credential management relies heavily on the entries received from the target machine. These are processed by Tomcat when received in the application (script processor), and the answer to each command is determined accordingly. Finally, Tomcat sends a numerical hash together with an instruction to return the return code of the last executed operation (for instance echo 1961448532016543442-$?-7408336562507298549).

If the user has been able to change the password, the last return code is going to be 0, so the server will send back to Tomcat, in this example, 1961448532016543442-0-7408336562507298549. With this the password change process is considered complete and the password is marked as verified.

Many things may interfere with this schema. One of the possibilities is that the entries that Tomcat is expecting from the server do not match what is actually received. This can all be seen by setting Tomcat in Info mode and looking at the messages. For instance:

INFO: received data 'sudo passwd my_user 
Changing password for user pam_LPloc_syadm.
New password: ' MATCHES the pattern '(?si)(.*?password(\sfor|:).*?)

Note that here Tomcat expects to receive pattern (?si)(.*?password(\sfor|:).*?). If, instead, the machine had sent "Modifying password", Tomcat would not have understood this. 

To take into account the fact that Unix/Linux systems may not respond with the predefined prompts, the Script Processor section of a UNIX application allows you to choose different options for the predefined commands (e.g. for the password change prompt).

Another possibility is that there is an actual entry mismatch between what PAM is expecting and what the remote machine is coming back with.

The password change is not just controlled by PAM, but also by the pluggable authentication module on the target machine. Let's imagine we have configured the machine to request the password 3 times when changing it. In this case, the default credentials script that PAM ships with will not work, as it expects to receive the prompt for a password just two times.
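The three failure modes described above (the prompt pattern not matching what the host sends, the $?-sentinel not being echoed back, and the host asking for the password more times than the default script expects) can be reproduced with a small simulation. The following Python is an added example, not code from CA PAM or from this article; the prompt pattern and the two sentinel numbers are taken from the log line quoted above, while the FakeTarget class, the change_password function and the passwd messages are constructed stand-ins for a real Unix host and for the script processor.

```python
import re

# Password-prompt pattern exactly as it appears in the Tomcat INFO line above.
PROMPT_RE = re.compile(r"(?si)(.*?password(\sfor|:).*?)")

# Sentinel the script processor sends last: echo <hash>-$?-<hash>.
# The two numbers are the ones from the article's example.
LEFT, RIGHT = "1961448532016543442", "7408336562507298549"
SENTINEL_CMD = f"echo {LEFT}-$?-{RIGHT}"
SENTINEL_RE = re.compile(rf"{LEFT}-(\d+)-{RIGHT}")


def prompt_recognised(received: str) -> bool:
    """True when the data received from the host matches the prompt pattern."""
    return PROMPT_RE.search(received) is not None


def parse_return_code(received: str):
    """Return the $? value carried by the echoed sentinel, or None if absent."""
    m = SENTINEL_RE.search(received)
    return int(m.group(1)) if m else None


class FakeTarget:
    """Constructed stand-in for a Unix host running `passwd` under sudo.

    How many times it asks for the new password is decided by the host's own
    PAM stack (the `prompts` argument), not by CA PAM. The prompt texts are
    constructed; the default first prompt mirrors the article's log line.
    """

    def __init__(self, prompts=2,
                 first_prompt="Changing password for user pam_LPloc_syadm.\nNew password: ",
                 retype_prompt="Retype new password: "):
        self.prompts = prompts
        self.first_prompt = first_prompt
        self.retype_prompt = retype_prompt
        self.in_passwd = False      # True while passwd is reading input
        self.answered = 0           # password lines consumed by passwd
        self.last_rc = 0            # what $? will expand to in the shell

    def send(self, line: str) -> str:
        if line.startswith("sudo passwd "):
            self.in_passwd, self.answered = True, 0
            return line + "\n" + self.first_prompt
        if self.in_passwd:
            # Everything typed now is read by passwd, even a command that the
            # script processor meant for the shell.
            self.answered += 1
            if line.startswith("echo "):
                self.in_passwd, self.last_rc = False, 1
                return "Sorry, passwords do not match.\n"
            if self.answered < self.prompts:
                return self.retype_prompt
            self.in_passwd, self.last_rc = False, 0
            return "passwd: all authentication tokens updated successfully.\n"
        if line == SENTINEL_CMD:
            return f"{LEFT}-{self.last_rc}-{RIGHT}\n"
        self.last_rc = 0
        return ""


def change_password(target: FakeTarget, new_password: str, expected_prompts: int = 2):
    """Mimic the credentials script: answer the prompt pattern `expected_prompts`
    times (2 for the default script), then send the sentinel and read $?.
    Returns (verified, reason)."""
    received = target.send("sudo passwd my_user")
    for _ in range(expected_prompts):
        if not prompt_recognised(received):
            return False, f"no prompt match in {received!r}"
        received = target.send(new_password)
    rc = parse_return_code(target.send(SENTINEL_CMD))
    if rc is None:
        return False, "sentinel not echoed back"
    return rc == 0, f"return code {rc}"


if __name__ == "__main__":
    scenarios = [
        ("default host, default script", FakeTarget(), 2),
        ("host answers 'Modifying password'", FakeTarget(first_prompt="Modifying password"), 2),
        ("host asks three times, default script", FakeTarget(prompts=3), 2),
        ("host asks three times, custom script", FakeTarget(prompts=3), 3),
    ]
    for label, target, expected in scenarios:
        print(f"{label}: {change_password(target, 'N3w-P4ss', expected)}")
```

Only the first and last scenarios end with the sentinel coming back as 1961448532016543442-0-7408336562507298549. In the "Modifying password" case the script stops at the first prompt, which is what a Script Processor prompt override addresses; in the three-prompt case the sentinel command is swallowed by passwd as a password, so no return code is ever echoed and the credential stays not verified until a script that expects three prompts is used.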

In these cases PAM offers the possibility of creating a custom credentials script that takes such particularities into account.

If such a script is needed, this is a task to be carried out by CA Services, as it implies customization of the product.