
Hello everyone,

We're experiencing a situation in our environment where PSafe appears to be failing to execute or executing pwdadm commands incorrectly on AIX servers.

At the beginning of the operation, we noticed that, for all credentials whose password PSafe rotated, the user was prompted for a new password change.
This is due to AIX adding the ADMCHG flag to the credential after the password is rotated.
To avoid this, the original password rotation workflow included the command pwdadm -f NOCHECK <<ManAcctName>>.
Even with this command in the workflow, the credential remained with ADMCHG and the NOCHECK flag was not added.

So, we changed the command to pwdadm -c <<ManAcctName>> and added two more consecutive executions.

After this change, the password rotations no longer prompted the user to change the password at the next login, and the ADMCHG flag was removed.

However, an AIX server in our environment doesn't log the execution of pwdadm -c even after three consecutive runs.
We enabled audit mode on this server, and only the execution of the passwd command is recorded in the log.

I ran the password change using Check Password Results in Configurations > Privileged Access Management > Custom Platforms > Check/Change Password, and there I can see all of PSafe's interactions with the server.
The command executes, and PSafe considers it successful, but in the three runs of pwdadm -c, it appears to send the command without waiting for the prompt.
And with this behavior, the server ignores and doesn't log the command execution.

Has anyone else with AIX servers experienced similar behavior?
Is there anything that can be done in the Change Password workflow to prevent this from happening without waiting for the prompt? Our workflow is configured to wait for a response each time a command is executed, such as a PROMPT or a request for a new password, and the problem is only occurring when executing pwdadm.

 

Thanks,

Rudolf.

Hello ​@rgkessel 

If you log in to Password Safe and go to Configuration | Global Settings, there is an option in the Miscellaneous section to enable Rebex debug logging.

If you enable that for a few tests, it will show more detail in the BeyondInsight.PasswordServices2025xxxx Log, in the support pack or broker logs for cloud.

Here is a sample of what it looks like. Potentially you will see it matching on something unexpected.

 

I recommend disabling the Rebex logging once you have reproduced your issue.


Thank you ​@jchandler for your tip.

This week I contacted the support team, who also couldn't find anything to explain this behavior.
As a final attempt, we added another run of pwdadm -c to the script, totaling 4 runs.
After this adjustment, the only server that experienced this behavior began clearing the ADMCHG flag.
Apparently, this server is ignoring the 3 runs and only recognizing the fourth attempt.
I don't know if the script is sending a character with the command that AIX doesn't recognize, causing it to simply ignore it.

I'll enable Rebex and see if I can find anything when executing a password change.

I'll report back if I find anything or not :D

Thanks again.
Rudolf.


Hi ​@jchandler,

 

I used Rebex, and below is the log:

 

SSHExecutor: ConnectToHost: Successfully authenticated to host
Expect: found '' matching '(-->|$)'
Expect: responded with 'sudo passwd credential'
Expect: found 'New password:' matching 'nNn]ew .*wPp]assword(.*)(:]'
Expect: responded with '*****'
Expect: found 'new password again:' matching 'nNn]ew .*wPp]assword(.*)(:]'
Expect: responded with '*****'
Expect: found '' matching '(-->|$)'
Expect: responded with 'sudo /usr/bin/pwdadm -c credential'
Expect: found '-->' matching '(-->|$)'
Expect: responded with 'sudo /usr/bin/pwdadm -c credential'
Expect: found '-->' matching '(-->|$)'
Expect: responded with 'sudo /usr/bin/pwdadm -c credential'
Expect: found '' matching '(-->|$)'
Expect: responded with 'sudo /usr/bin/pwdadm -c credential'
Expect: found '' matching '(-->|$)'
Expect: responded with 'exit'

 

We have some lines where Expect only registers '', and others where it registers '-->'.

I don't know if this impacts command execution.
But when Expect registers '-->', the commands were not executed correctly.

But the first run of pwdadm -c displays '', and the command isn't recognized by the server.
Only on the fourth run is it recognized, and the ADMCHG flag is removed.

 

I've already reported this behavior to support and our AIX team to see if we can find anything.

 

Thanks again for the tip about the Rebex feature.

 

Rudolf.
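
An added illustration, not part of the thread and not the vendor's code: the prompt pattern shown in the log above, `(-->|$)`, can match an empty string because `$` matches at end of input, so a step using it can be satisfied before the prompt has arrived. The Python sketch below assumes the pattern is tried against whatever has been buffered so far; `expect`, `STRICT_PATTERN`, `leftover` and the sample chunks are hypothetical names and constructed data.

```python
import re

PAGE_PATTERN = r"(-->|$)"    # prompt pattern exactly as shown in the Rebex log
STRICT_PATTERN = r"-->\s*$"  # hypothetical alternative: the prompt text is mandatory


def expect(pattern, chunks, leftover=""):
    """Return (matched_text, chunks_read) for the first match of `pattern`.

    `leftover` is data already buffered before this step. The pattern is tried
    on the buffer before each read (assumed matcher behaviour for this sketch).
    """
    rx = re.compile(pattern)
    buf = leftover
    for read in range(len(chunks) + 1):
        match = rx.search(buf)
        if match:
            return match.group(0), read
        if read < len(chunks):
            buf += chunks[read]
    return None, len(chunks)


# Constructed server output after a command: one line of output, then the prompt.
SERVER_CHUNKS = ["command output\n", "--> "]

if __name__ == "__main__":
    # '$' matches the empty buffer, so the step "succeeds" before any data arrives.
    print(expect(PAGE_PATTERN, SERVER_CHUNKS))
    # A prompt still buffered from an earlier step is reported as '-->'.
    print(expect(PAGE_PATTERN, SERVER_CHUNKS, leftover="--> "))
    # Requiring the prompt text makes the step wait for both chunks.
    print(expect(STRICT_PATTERN, SERVER_CHUNKS))
```

Comparing the `found '...'` values in a Rebex log against the first two cases shows whether a step matched on real prompt text or on nothing at all.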

