Layer 7 Privileged Access Management


Unix Account unable to rotate password.

  • 1.  Unix Account unable to rotate password.

    Posted 08-28-2019 06:48 AM
    Edited by Afrezal Abdul Karim 08-28-2019 06:50 AM
    Hi all,

    I'm currently fixing an issue with the accounts for a specific Unix server which are unable to rotate the password. After checking in the account, it prompts that the password does not meet the minimum requirement for the Linux system.

    Does this mean it's related to the password policy which was set on the Unix endpoint?

    Any place or settings that I can check on the Unix side for the password complexity setting?

    Has anyone encountered this issue previously in your environment?

    Thanks in advance for all the replies and responses. Appreciate it.



  • 2.  RE: Unix Account unable to rotate password.

    Posted 08-28-2019 10:08 AM
    Hi,

    The default location to set password complexity on Linux is in the /etc/security/pwquality.conf file.
    This policy and PAM Password Complexity Policies need to match.

    Regards,
    Kevin D.


  • 3.  RE: Unix Account unable to rotate password.

    Posted 08-28-2019 10:19 AM
    Hey Kevin,

    Thank you so much for the reply. I do not see any file with the name pwquality.conf in /etc/security.

    And I've just checked on the working server which is able to rotate the password; the file does not exist there either.

    So it must be some other setting. Still cracking my head troubleshooting this though :).


  • 4.  RE: Unix Account unable to rotate password.

    Posted 08-28-2019 10:21 AM
    What flavor of Linux are you running?


  • 5.  RE: Unix Account unable to rotate password.

    Posted 08-28-2019 10:22 AM
    Hi

    I have a similar problem: for a Linux endpoint it requires that the keys have exactly 2 uppercase letters, 2 numbers and 2 special characters, and from the PCP of CA PAM it is not possible to configure this type of restriction.

    This seems to me a critical failure of CA PAM, and I have not found to date how to synchronize with the endpoint.

    Any ideas about it?


  • 6.  RE: Unix Account unable to rotate password.

    Posted 08-28-2019 11:43 AM
    Hi,

    Unfortunately, when you have two solutions trying to be the password complexity manager for the endpoint, conflicts happen.
    Everyone offers different combinations of what can be accomplished. Our PAM Password Composition Policy offers these options:


    If you cannot match them, then you can potentially alter/disable your current password composition policies in the various different files Linux offers:

    /etc/security/pwquality.conf
    /etc/pam.d/system-auth
    /etc/pam.d/password-auth
    /etc/login.defs

    If this still cannot be done, please open an Idea in our communities, which other members can up-vote if they run into this limitation as well.

    Regards,
    Kevin D.
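    As an added example (constructed here, not code from CA PAM or from libpwquality itself), this offline checker mirrors the minlen/credit/minclass/maxrepeat rules that pam_pwquality reads from /etc/security/pwquality.conf, so a PCP-generated password can be tested against the endpoint's policy and the first failing rule named. The sample config text is constructed.

```python
"""Offline check of a candidate password against pwquality.conf-style rules."""
import re

# Constructed sample config; not copied from any real host.
SAMPLE_PWQUALITY_CONF = """
# /etc/security/pwquality.conf (constructed example)
minlen = 12
dcredit = -1     # negative: at least 1 digit required, no length credit
ucredit = -1
ocredit = -1
lcredit = 0
minclass = 3     # at least 3 character classes present
maxrepeat = 3    # more than 3 identical consecutive characters is rejected
"""

# pam_pwquality defaults when a key is absent from the file.
DEFAULTS = {"minlen": 8, "dcredit": 0, "ucredit": 0, "lcredit": 0,
            "ocredit": 0, "minclass": 0, "maxrepeat": 0}

def parse_pwquality(text):
    """Read 'key = int' lines, ignoring comments and unknown keys."""
    cfg = dict(DEFAULTS)
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        m = re.match(r"(\w+)\s*=\s*(-?\d+)$", line)
        if m and m.group(1) in cfg:
            cfg[m.group(1)] = int(m.group(2))
    return cfg

def check_password(password, cfg):
    """Return None if the password passes, else the name of the failing rule."""
    counts = {
        "dcredit": sum(c.isdigit() for c in password),
        "ucredit": sum(c.isupper() for c in password),
        "lcredit": sum(c.islower() for c in password),
        "ocredit": sum(not (c.isdigit() or c.isupper() or c.islower())
                       for c in password),
    }
    score = len(password)  # length plus positive credits must reach minlen
    for key, count in counts.items():
        credit = cfg[key]
        if credit < 0:
            if count < -credit:
                return key  # required minimum for this class not met
        else:
            score += min(count, credit)
    if score < cfg["minlen"]:
        return "minlen"
    if sum(1 for c in counts.values() if c > 0) < cfg["minclass"]:
        return "minclass"
    if cfg["maxrepeat"] > 0 and re.search(r"(.)\1{%d,}" % cfg["maxrepeat"], password):
        return "maxrepeat"
    return None
```

Run it against the real /etc/security/pwquality.conf of a failing endpoint to see which rule the PCP output trips; a password rejected by passwd for another reason (as the best answer below notes) will still pass here.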



  • 7.  RE: Unix Account unable to rotate password.

    Posted 08-29-2019 02:22 PM
    Edited by Joseph Fry 08-29-2019 02:24 PM
    Julian,

    In your case, you can achieve this by severely limiting the entropy of your password (make it long to compensate).
    Essentially you restrict the upper, number, and special characters to just two of each, then use one of each of them in the prefix. Checking the box to disallow duplicates forces the generator to generate a password that uses the other character of each and a bunch of lower case characters.

    Any system that requires a password like that is reducing the entropy already... this just makes it a little worse.  If you change them often enough, and have good protection against brute force attacks, then the reduced entropy shouldn't be an issue.

    While this is not ideal, I wouldn't blame PAM... any requirements like those you describe are counterproductive as they automatically reduce entropy and make your password less secure... I would change that system if you could; but the above will at least get you working if you can't.



  • 8.  RE: Unix Account unable to rotate password.
    Best Answer

    Posted 08-29-2019 02:37 PM
    Be careful with that error... it says "MAY NOT", not "DOES NOT". There are other things besides password complexity that may prevent PAM from updating the account credentials, which could result in the same error message... all PAM knows is that the server rejected the password change.

    All PAM is doing is logging in via SSH and running passwd.  To troubleshoot, just replicate those steps using the same credentials that PAM is using.

    Remember, if you're using a master account to change your passwords, you need to SSH with that account and use 'passwd <user>' to change the password. Your issue could simply be that the master account isn't allowed to change the other account's password, or maybe you need to tell it to use elevated privileges when changing the password (e.g. sudo passwd <user>).

    Once you reproduce the failed password change manually, you should have a lot more information about why PAM is failing.