I just found out where the logs can be monitored. It is in /var/log/secure.
This is what I'm getting when trying to check the account back in. Checking in means that it will reset/rotate the account password back. It seems to be failing, as per below. Any ideas?
FYI, pam_unix_admin is the account that manages the password rotation for the other PAM accounts.
Jan 22 11:56:18 Winterfell sshd[22177]: Accepted password for pam_unix_admin from ******* port ssh2
Jan 22 11:56:18 Winterfell sshd[22177]: pam_unix(sshd:session): session opened for user pam_unix_admin by (uid=0)
Jan 22 11:56:18 Winterfell sudo: pam_unix_admin : TTY=pts/1 ; PWD=/home/pam_unix_admin ; USER=root ; COMMAND=/usr/bin/passwd pam_unix5
Jan 22 11:56:20 Winterfell passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): conversation failed
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): conversation failed
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_noverify returned error: Authentication token manipulation error
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): conversation failed
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_noverify returned error: Authentication token manipulation error
Jan 22 11:56:26 Winterfell sshd[22177]: pam_unix(sshd:session): session closed for user pam_unix_admin
Original Message:
Sent: 01-15-2020 06:21 AM
From: Afrezal Karim
Subject: Unix Account unable to rotate password.
Hey Pedro,
Thanks for the tips. This is a new one. I have tried it, but when I try to check in the account, it seems to take forever. This time it no longer shows "does not meet the unix password requirement", but it still does not reset/rotate to a new password and turns to unverified again.
Here are the things that I have done.
- Checking and comparing all the password composition settings in Linux itself (suggested by Kevin), e.g.:
  /etc/security/pwquality.conf
  /etc/pam.d/system-auth
  /etc/pam.d/password-auth
  /etc/login.defs
- I'm comparing with the working ones which are able to rotate. It seems all of them have the same settings, which are the default ones. So I don't think it's the password composition policies, because the existing one is working on the other server.
- Playing with the composition policies - Tried all the solutions provided; again, I don't think the composition policy is the issue.
- Checking the sudo permissions - All are the same as the working ones, and I have verified by resetting it manually (logged in to the server, tried to reset the account password, and was able to reset it).
- Tried changing the option to "Account can change own password" - It manages to change the password on check-in, but when it does, the account no longer works, meaning it either does not take the new password or is not working, and it throws the error below.
-
My question: what is the security risk if we were to use the "Account can change own password" option for Unix?
For now I'm testing this option, since this is the only server having the issue. It was able to check in, but then the account can no longer be used, as if it can't track the newly reset password. So what I need to do is manually reset the account password again on the Unix server and then update the password in PAM.
Thanks,
Afrezal
Original Message:
Sent: 01-14-2020 08:35 AM
From: Pedro Fernandez
Subject: Unix Account unable to rotate password.
Sometimes when I get this error it refers to delays in connections to the target device. Extending the Script Timeout variable to 59999 usually works for me. Go to Credentials -> Manage Targets -> Applications. Within the Application, under Script Processor, try updating the Script Timeout to 59999.
Original Message:
Sent: 08-28-2019 06:48 AM
From: Afrezal Karim
Subject: Unix Account unable to rotate password.
Hi all,
I'm currently fixing an issue with the accounts for a specific Unix server, which are unable to rotate their passwords. After checking in the account, it prompts that the password does not meet the minimum requirement for the Linux system.
Does this mean it's related to the password policy which was set on the Unix endpoint?
Is there any place or setting that I can check on the Unix side for the password complexity setting?
Has anyone encountered this issue previously in their environment?
Thanks in advance for all the replies and responses. Appreciate it.
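Added example (not part of the original posts and not the product's own code): a small Python triage of /var/log/secure that groups each passwd chauthtok message under the sudo passwd call that precedes it, so a failed rotation shows which PAM module rejected it and for which account. The sample lines are constructed from the excerpt in the latest reply; the function and field names are assumptions.

```python
import re
from collections import Counter

# Constructed sample, modelled on the /var/log/secure excerpt in this thread
# (source address masked as in the post).
SAMPLE = """\
Jan 22 11:56:18 Winterfell sshd[22177]: Accepted password for pam_unix_admin from ******* port ssh2
Jan 22 11:56:18 Winterfell sudo: pam_unix_admin : TTY=pts/1 ; PWD=/home/pam_unix_admin ; USER=root ; COMMAND=/usr/bin/passwd pam_unix5
Jan 22 11:56:20 Winterfell passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_verify returned error: Failed preliminary check by password service
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): conversation failed
Jan 22 11:56:26 Winterfell passwd: pam_cracklib(passwd:chauthtok): pam_get_authtok_noverify returned error: Authentication token manipulation error
Jan 22 11:56:26 Winterfell sshd[22177]: pam_unix(sshd:session): session closed for user pam_unix_admin
"""

SUDO_RE = re.compile(r"sudo: +(?P<by>\S+) : .*COMMAND=\S*/passwd(?: \S+)* (?P<target>\S+)\s*$")
PAM_RE = re.compile(r"passwd(?:\[\d+\])?: (?P<module>pam_\w+)\(passwd:chauthtok\): (?P<msg>.+)$")
BAD_RE = re.compile(r"error|failed", re.I)

def triage(log_text):
    """Group passwd chauthtok messages under the sudo passwd call before them.
    Assumes password changes are not interleaved in the log."""
    attempts, current = [], None
    for line in log_text.splitlines():
        m = SUDO_RE.search(line)
        if m:
            current = {"time": line[:15], "by": m["by"], "target": m["target"],
                       "messages": Counter(), "outcome": "unknown"}
            attempts.append(current)
            continue
        m = PAM_RE.search(line)
        if not m or current is None:
            continue
        current["messages"][(m["module"], m["msg"])] += 1
        if m["msg"].startswith("password changed for"):  # pam_unix success message
            current["outcome"] = "changed"
        elif BAD_RE.search(m["msg"]) and current["outcome"] != "changed":
            current["outcome"] = "failed"
    return attempts

if __name__ == "__main__":
    for a in triage(SAMPLE):
        print(f'{a["time"]} {a["by"]} -> passwd {a["target"]}: {a["outcome"]}')
        for (module, msg), n in a["messages"].items():
            print(f"    {n}x {module}: {msg}")
```

The module name in the output is the one whose settings are worth comparing between the working and failing servers. pam_cracklib takes its options from its own password line in the /etc/pam.d files, while /etc/security/pwquality.conf is read by pam_pwquality.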