sesu Requests Password Twice

Document ID : KB000076593
Last Modified Date : 06/04/2018
Show Technical Document Details
Issue:
After enabling and configuring sesu, users are prompted for a password multiple times.

Example:
# sesu nonrootuser
Please enter your password:
Password:
Environment:
CA PIM Linux/UNIX endpoint with sesu feature enabled
Cause:
In seos.ini there are 2 options related to how sesu requests passwords. When both of these flags are enabled they will both be requested when sesuing to a non-root user.

request_target_password: This token determines whether when the old_sesu token is set to no and the user is executing sesu to a non-root user, the password of the target user will be requested.

UseInvokerPassword: A Boolean value that determines whether sesu requests the invokers to specify their own passwords.
Resolution:
The final resolution here would depend on the requirements for accessing the effected system. The UseInvokerPassword and request_target_password functionalities should be evaluated to determine which (if any) should be enabled. Once proper settings are determined, both values should be explicitly enabled or disabled in seos.ini. 

NOTE: Commenting out the token is not the same as explicitly disabling it because these tokens have default values. request_target_password specifically defaults to yes.

seos.ini editing instructions: 
  1. Stop PIM daemons: # secons -s
  2. Either manually edit the seos.ini file or use commands like the examples below to edit:
    # seini -s sesu.UseInvokerPassword yes
    # seini -s sesu.
    request_target_password no
  3. Reload PIM daemons: # seload
Additional Information:
SESU Configuration Documentation:
 https://docops.ca.com/ca-privileged-identity-manager/14-0/en/administrating/endpoint-administration-for-unix/safe-user-substitution/how-to-set-up-sesu-for-user-substitution/replace-the-system-s-su-utility-with-the-ca-controlminder-sesu-utility

SESU Token Documentation: 
https://docops.ca.com/ca-privileged-identity-manager/14-0/en/reference/configuration-files/the-seos-ini-initialization-file/sesu