Layer7 Privileged Access Management

Does the password checkout disable the password update manually for the servers integrated with PAM?

  • 1.  Does the password checkout disable the password update manually for the servers integrated with PAM?

    Posted 05-15-2018 09:04 AM

    Hi,

     

    We have CA PAM in our environment, where we have the Linux servers integrated with PAM for password management. We want to check how to restrict the user from changing the password manually on the Linux servers once he has extracted the password from PAM.

     

    Regards,

    Rajesh



  • 2.  Re: Does the password checkout disable the password update manually for the servers integrated with PAM?
    Best Answer

    Posted 05-15-2018 09:11 AM

    Hello Rajesh,

     

    If the users in your environment only use PAM sessions to connect to the Unix endpoints, then you could use the command filtering feature in PAM to prevent them from using the passwd command while connected via PAM. You can find more information about command filtering here.

     

    If users can access the Unix endpoints outside of PAM, then I would suggest using SELinux or CA PAM Server Control policies to restrict access to the passwd command.

     

    Thanks,

    Brian Rehder

    CA Support Engineer



  • 3.  Re: Does the password checkout disable the password update manually for the servers integrated with PAM?

    Posted 05-15-2018 09:54 AM

    Thanks Brian for the prompt response.

     

    Can you also help me with the steps to restrict users to only use PAM sessions to connect to the Unix endpoints?

     

    Regards,

    Rajesh



  • 4.  Re: Does the password checkout disable the password update manually for the servers integrated with PAM?

     
    Posted 05-15-2018 02:02 PM

    I believe you must restrict user access to a server at the server level... It would be a Unix configuration (possibly SSH config) to only accept connections from the PAM appliances.

     

    Regards,

     

    Michael Pass



  • 5.  Re: Does the password checkout disable the password update manually for the servers integrated with PAM?

    Posted 05-16-2018 10:20 AM

    Hello Rajesh,

     

    CA PAM does not have the capability to restrict access to a target endpoint from another server; you would need to use either local server configuration or a network firewall rule to accomplish this.

     

    Thanks,

    Brian Rehder

    CA Support Engineer
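
Added example, not part of the thread or of CA's documentation: once the endpoints are restricted at the server or firewall level as the replies above suggest, a check like this over the sshd log shows whether any accepted login still arrives from outside the PAM appliances. The appliance addresses, host name and log lines are constructed placeholders, and the parser assumes OpenSSH's standard "Accepted ... for USER from IP" syslog line.

```shell
#!/bin/sh
# Added example: report accepted SSH logins that did not come from a PAM appliance.
# PAM_APPLIANCES is an assumed, space-separated list of appliance addresses
# (RFC 5737 documentation addresses used as placeholders).
PAM_APPLIANCES="192.0.2.10 192.0.2.11"

# Reads sshd log lines on stdin; prints "user source_ip" for every accepted
# login whose source address is not in the allow-list passed as $1.
non_pam_logins() {
    awk -v allowed="$1" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        # Only successful authentications matter here; failures are ignored.
        /sshd\[[0-9]+\]: Accepted / {
            user = ""; ip = ""
            for (i = 1; i < NF; i++) {
                if ($i == "for"  && user == "") user = $(i + 1)
                if ($i == "from" && ip == "")   ip   = $(i + 1)
            }
            if (ip != "" && !(ip in ok)) print user, ip
        }'
}

# Constructed sample log lines (not taken from a real system).
sample_log() {
    cat <<'EOF'
May 16 10:20:01 web01 sshd[2101]: Accepted password for root from 192.0.2.10 port 51514 ssh2
May 16 10:22:47 web01 sshd[2140]: Accepted password for root from 198.51.100.23 port 40022 ssh2
May 16 10:25:13 web01 sshd[2177]: Failed password for root from 198.51.100.23 port 40030 ssh2
May 16 10:31:09 web01 sshd[2203]: Accepted publickey for oracle from 192.0.2.11 port 38811 ssh2
May 16 10:40:55 web01 sshd[2250]: Accepted password for oracle from 203.0.113.7 port 60210 ssh2
EOF
}

# Each line printed is a login that bypassed PAM and should be investigated.
sample_log | non_pam_logins "$PAM_APPLIANCES"
```

On a real endpoint, feed the function the host's own sshd log instead of `sample_log`; any output means the server-level or firewall restriction is not fully in effect.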



  • 6.  Re: Does the password checkout disable the password update manually for the servers integrated with PAM?

    Posted 05-16-2018 10:56 AM

    The PAM socket filter agent (SFA) can prevent leapfrogging, i.e. block users from using a PAM access session to one device to connect to another device.