What tokens are used to store passwords in CA Access Control.

Document ID : KB000051292
Last Modified Date : 14/02/2018

Description:

This knowledge article details the passwd_distribution_encryption_mode and passwd_local_encryption_method tokens.

Solution:

The following rules determine how the endpoint chooses the method used to store the password.

  1. The subscriber's passwd_distribution_encryption_mode must match the same mode on the PMDB.
  2. If they match, the subscriber's chosen passwd_local_encryption_method is employed and is reflected in /etc/shadow.
  3. If passwd_distribution_encryption_mode does not match, the subscriber's local storage defaults to the method chosen on the PMDB; the subscriber's local method value is ignored.

Note: If passwd_distribution_encryption_mode = 2 (md5) is chosen on the PMDB, the subscriber cannot choose between crypt or md5 as a local method. It will always be an md5 hash in /etc/shadow.
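As an added example (not CA's own code), the selection rules above and the md5 note as a small Python check: it parses the two tokens from seos.ini-style text for the PMDB and the subscriber, resolves the method that should appear in /etc/shadow, and flags shadow entries whose hash format does not match. The ini fragments and shadow lines are constructed, and rule 3 is read as using the PMDB's own passwd_local_encryption_method, which is an assumption.

```python
import re

# Constructed seos.ini fragments: only the two tokens this article covers.
PMDB_INI = """; PMDB distributes md5 hashes
passwd_distribution_encryption_mode = 2
passwd_local_encryption_method = md5"""
SUBSCRIBER_INI = """passwd_distribution_encryption_mode = 2
passwd_local_encryption_method = crypt"""
# Constructed /etc/shadow lines: alice md5 ($1$), bob 13-char DES crypt, root locked.
SHADOW = """root:!:17000:0:99999:7:::
alice:$1$Zs4Yt1Xq$0123456789abcdefghijkl:17000:0:99999:7:::
bob:ab1CDef2GhIj3:17000:0:99999:7:::"""

def parse_tokens(ini_text):
    """Map token -> value from seos.ini text, skipping ';' comments and [sections]."""
    tokens = {}
    for line in ini_text.splitlines():
        line = line.strip()
        if line and line[0] not in ";[":
            key, _, value = line.partition("=")
            tokens[key.strip()] = value.strip()
    return tokens

def effective_method(pmdb, subscriber):
    """Apply the article's three rules and its md5 note; returns 'crypt' or 'md5'."""
    pmdb_mode = pmdb.get("passwd_distribution_encryption_mode", "1")
    if pmdb_mode == "2":
        return "md5"  # article's note: mode 2 on the PMDB always yields md5
    if pmdb_mode == subscriber.get("passwd_distribution_encryption_mode", "1"):
        return subscriber.get("passwd_local_encryption_method", "crypt")
    return pmdb.get("passwd_local_encryption_method", "crypt")  # assumed reading of rule 3

def shadow_hash_method(hash_field):
    """'$1$' is md5; 13 (DES) or 13+11n (bigcrypt) crypt-alphabet chars is crypt."""
    if hash_field.startswith("$1$"):
        return "md5"
    if re.fullmatch(r"[./0-9A-Za-z]{13}(?:[./0-9A-Za-z]{11})*", hash_field):
        return "crypt"
    return "other"

def check_shadow(shadow_text, expected):
    """Return users whose stored hash does not use the expected method."""
    mismatches = []
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2 or fields[1] in ("", "*") or fields[1][0] == "!":
            continue  # locked or password-less account: nothing to verify
        if shadow_hash_method(fields[1]) != expected:
            mismatches.append(fields[0])
    return mismatches
```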

Token details, as found in the seos.ini file, are listed below.

passwd_distribution_encryption_mode

; This token indicates which password encryption method the local system
; uses to distribute user passwords.
; Valid values are: '1' - Compatibility mode - working with older
; versions of eAC, hence we use 'crypt' like we used to,
; or '2' - MD5 hashing - when working in Linux only environment use
; 'crypt' with MD5 salt, or '3' - bidirectional mode - where we encrypt
; the passwords with our own bidirectional encryption.
; Default Value: 1

passwd_local_encryption_method

; This token indicates which password encryption method the local system
; stores user passwords.
; Valid values are: 'crypt' - DES crypt/bigcrypt, or 'md5' - MD5 hashing.
; Default Value: crypt