000038897 - Password authentication fails for unchallenged users on AIX after changing to SHA256 password hashing when RSA Authentication Agent for PAM is installed

Document created by RSA Customer Support Employee on May 27, 2020. Last modified by RSA Customer Support Employee on Jul 7, 2020.
Version 2

Article Content

Article Number: 000038897
Applies To: RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Platform: IBM AIX
Issue: After changing the AIX system-wide password hashing algorithm to SHA256 in /etc/security/login.cfg, every password authentication for unchallenged users (users the agent does not challenge for a SecurID passcode) fails with an invalid-password error.
Cause: The RSA Authentication Agent for PAM on AIX supports only the AIX default crypt password hashing algorithm. Once the system-wide algorithm is changed, the agent can no longer verify AIX passwords, so password authentications fail.
Resolution: Revert the system-wide password hashing algorithm to the default crypt.
Workaround: If the password hashing algorithm must be changed, password authentication must be handed over to the native pam_aix module by stacking PAM modules. SSH is used as the example below, but the same change applies to any other protected service, such as sudo or su.
  1. Make a backup of /etc/sd/pam.conf.
  2. Open /etc/sd/pam.conf in a text editor.
  3. Change the following two settings from 0 to 1:


  1. Make a backup of /etc/pam.conf.
  2. Open /etc/pam.conf in a text editor.
  3. Edit the authentication modules for your protected service. Using SSH as an example:

sshd auth required pam_securid.so not_set_pass
sshd auth required pam_aix

Unchallenged users can now log in with their password under the new hashing algorithm. Challenged users, however, must enter their RSA passcode followed by their AIX password, because both modules in the stack are marked required and each must succeed.
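The following read-only check is an added example and is not part of the RSA article or the agent's own tooling. It reads pwd_algorithm from the usw: stanza of an AIX login.cfg and the sshd auth stack of a pam.conf, and reports whether password logins would be verified by pam_securid.so alone under a non-default hash (the failing state above) or handed to pam_aix (the workaround). All file contents below are constructed samples; the /usr/lib/security/ module paths and the ssha256 algorithm name are assumptions made for the samples, not values taken from the article.

```shell
#!/bin/sh
# Added example (not from the RSA article, not RSA code): read-only check for
# the failure described above. Sample files are constructed; the
# /usr/lib/security/ paths and "ssha256" value are assumptions for the samples.
# On a real host: diagnose /etc/security/login.cfg /etc/pam.conf

# pwd_algorithm FILE -> value of pwd_algorithm in the usw: stanza,
# or "crypt" (the AIX default) when the attribute is not set.
pwd_algorithm() {
    awk '
        # stanza headers are unindented and end in ":"; login.cfg comments start with "*"
        /^[^[:space:]#*].*:[[:space:]]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "usw" && $1 ~ /^pwd_algorithm(=|$)/ {
            line = $0; gsub(/[[:space:]]/, "", line); sub(/^pwd_algorithm=/, "", line)
            print line; found = 1; exit
        }
        END { if (!found) print "crypt" }
    ' "$1"
}

# sshd_auth_modules FILE -> one line per "sshd auth" entry, in stack order:
#   "<control_flag> <module basename> <options...>"; comments are ignored.
sshd_auth_modules() {
    sed 's/#.*//' "$1" | awk '$1 == "sshd" && $2 == "auth" {
        n = split($4, p, "/"); out = $3 " " p[n]
        for (i = 5; i <= NF; i++) out = out " " $i
        print out
    }'
}

# stack_ok FILE -> 0 if the sshd auth stack is exactly the workaround's:
#   required pam_securid.so not_set_pass   followed by   required pam_aix
stack_ok() {
    expected=$(printf 'required pam_securid.so not_set_pass\nrequired pam_aix\n')
    [ "$(sshd_auth_modules "$1")" = "$expected" ]
}

# diagnose LOGIN_CFG PAM_CONF -> one line starting with "ok:" or "broken:"
diagnose() {
    alg=$(pwd_algorithm "$1")
    mods=$(sshd_auth_modules "$2")
    if [ "$alg" = "crypt" ]; then
        echo "ok: default crypt hash, pam_securid.so can verify passwords"
    elif printf '%s\n' "$mods" | grep -q 'pam_aix'; then
        echo "ok: $alg hash, password checks handed to pam_aix"
    else
        echo "broken: $alg hash but pam_securid.so alone handles sshd passwords"
    fi
}

# write_samples DIR -> creates the constructed sample files used below
write_samples() {
    cat > "$1/login.cfg.default" <<'EOF'
* constructed sample: AIX default, no pwd_algorithm set
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh
        maxlogins = 32767
EOF
    cat > "$1/login.cfg.sha256" <<'EOF'
* constructed sample: system-wide hash switched to SHA-256 (assumed LPA name)
default:
        sak_enabled = false
usw:
        shells = /bin/sh,/bin/bsh,/bin/csh,/bin/ksh
        pwd_algorithm = ssha256
EOF
    cat > "$1/pam.conf.securid_only" <<'EOF'
# constructed sample: pam_securid.so alone on the sshd auth stack
sshd    auth     required   /usr/lib/security/pam_securid.so
sshd    account  required   /usr/lib/security/pam_aix
EOF
    cat > "$1/pam.conf.stacked" <<'EOF'
# constructed sample: the article's workaround stack
sshd    auth     required   /usr/lib/security/pam_securid.so  not_set_pass
sshd    auth     required   /usr/lib/security/pam_aix
sshd    account  required   /usr/lib/security/pam_aix
EOF
}

d=$(mktemp -d)
write_samples "$d"
diagnose "$d/login.cfg.default" "$d/pam.conf.securid_only"
diagnose "$d/login.cfg.sha256"  "$d/pam.conf.securid_only"
diagnose "$d/login.cfg.sha256"  "$d/pam.conf.stacked"
rm -rf "$d"
```

The check deliberately only reads the files: on a production AIX host the edit itself should still be made by hand after backing up /etc/pam.conf, as the steps above describe, and the three sample runs show the default, failing and worked-around states in that order.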
Notes: Support for the not_set_pass option was added to RSA Authentication Agent for PAM AIX. Ensure that this is the version installed, or the workaround above will not work. Find the installed version by running the following command against the installed pam_securid.so:

strings pam_securid.so | grep "Agent"