We have a policy that enables users to see account password for some linux servers.
But, if the server have some kind of problem that makes it unreachable from PAM (for example, network connectivity) , password account becomes unverified and the user can't see it.
This is unpractical if he needs to login on the console to do some king of troubleshoot.
Is there a way for a user to view a password of unverified accounts ?Probably some of you have this same problem...
CAPAM is working as designed. If the account is not verified, then there is no way to guarantee that the password being used is the password for that server. The user would login anyway and get a bad password error without knowing what was the true problem.
I hope this helps.
Ok, I understand.
But , in some situations , I know that the unverified password is correct.
Suppose one of your server have a panic error and is asking for root account to boot in single-user. In that situation (change on view password, check-in/check-out), the password may became unverified and the last password is the correct one because PAM wasn't able to change it. Is this right ?
In this use case, it makes sense to our team on the field have access to that password.
Hi Contratos, How would PAM know that this is a situation where the password in fact is still correct? The PAM user can contact a PAM admin who can check on the password. If the device is back online and the password verifies ok, the account will go back into verify and can be used again. Also, you can run regular verify jobs against target accounts. This way the account may go back to verified before someone needs to use it. You can do this selectively for accounts that are in an unverified state.
I agree that, in this situation, PAM can't know that password is still correct.
But it can give that feedback to the user by alerting to the fact that it's unverified. At the same time, allowing the user to view the password if he wants (with the necessary audit/accountability). Just like PAM admin would do.