Article Number
000038897
Applies To
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Platform: IBM AIX
Issue
After changing the AIX system-wide password algorithm to SHA256 in /etc/security/login.cfg, all password authentications for unchallenged users fail with an invalid password error.
Cause
The RSA Authentication Agent for PAM installed on the AIX operating system supports only the AIX default crypt password hashing algorithm. If the default algorithm is changed, the RSA Authentication Agent for PAM cannot handle password authentications.
Resolution
To resolve this issue, revert to the default crypt password encryption.
Workaround
If the password hashing algorithm must be changed, then password authentications must be handed over to the native pam_aix authentication module. That can be achieved by stacking PAM modules. We use SSH as an example, but this process can be applied to any other protected resource, such as sudo or su.
- Make a backup of /etc/sd/pam.conf.
- Open /etc/sd/pam.conf in a text editor.
- Change the following two settings from 0 to 1:
PAM_IGNORE_SUPPORT_FOR_USERS=1
PAM_IGNORE_SUPPORT=1
- Make a backup of /etc/pam.conf.
- Open /etc/pam.conf in a text editor.
- Edit the authentication modules for your protected service. Using SSH as an example:
sshd auth required pam_securid.so not_set_pass
sshd auth required pam_aix
Unchallenged users can now log in with their password under the new hashing algorithm, because pam_aix verifies the password. Challenged users, however, have to log in using their RSA passcode followed by their AIX password.
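As an added example (not part of the RSA article), the following POSIX shell script checks copies of /etc/sd/pam.conf and /etc/pam.conf for the two agent settings and the pam_securid.so (not_set_pass) followed by pam_aix stacking order described above. File paths and the service name are parameters, and the sample files it creates are constructed here, not taken from a real system.

```shell
#!/bin/sh
# Verify the workaround: the agent's /etc/sd/pam.conf has both PAM_IGNORE_*
# settings set to 1, and the service's auth stack in /etc/pam.conf lists
# pam_securid.so with not_set_pass immediately followed by pam_aix.
# Paths are parameters so the checks can be run against backups or copies.

# check_agent_conf <sd_pam_conf>: returns 0 when both settings are exactly 1
check_agent_conf() {
    grep -q '^PAM_IGNORE_SUPPORT_FOR_USERS=1$' "$1" &&
    grep -q '^PAM_IGNORE_SUPPORT=1$' "$1"
}

# check_auth_stack <pam_conf> <service>: returns 0 when the service's auth
# lines contain pam_securid.so carrying not_set_pass, followed by pam_aix.
# pam.conf fields: service module_type control module_path [options...]
check_auth_stack() {
    awk -v svc="$2" '
        $1 == svc && $2 == "auth" {
            n++; mod[n] = $4; nsp[n] = 0
            for (f = 5; f <= NF; f++) if ($f == "not_set_pass") nsp[n] = 1
        }
        END {
            ok = 0
            for (i = 1; i < n; i++)
                if (mod[i] ~ /pam_securid\.so$/ && nsp[i] && mod[i+1] ~ /pam_aix/) ok = 1
            exit ok ? 0 : 1
        }' "$1"
}

# Constructed sample files (hypothetical, not real system files).
SD_CONF=$(mktemp); PAM_GOOD=$(mktemp); PAM_BAD=$(mktemp)
trap 'rm -f "$SD_CONF" "$PAM_GOOD" "$PAM_BAD"' EXIT
printf 'PAM_IGNORE_SUPPORT_FOR_USERS=1\nPAM_IGNORE_SUPPORT=1\n' > "$SD_CONF"
# Stack from the workaround: securid with not_set_pass, then pam_aix.
printf 'sshd auth required pam_securid.so not_set_pass\nsshd auth required pam_aix\n' > "$PAM_GOOD"
# Agent-only stack: pam_securid.so still verifies the password itself and
# will reject SHA256 hashes.
printf 'sshd auth required pam_securid.so\n' > "$PAM_BAD"

if check_agent_conf "$SD_CONF" && check_auth_stack "$PAM_GOOD" sshd; then
    echo "sshd: password verification is delegated to pam_aix"
fi
```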
Notes
Support for the not_set_pass attribute was added in RSA Authentication Agent 8.0.0.198 for PAM on AIX. Ensure this version is installed for the solution above to work. Find the installed version number with the following command:
strings pam_securid.so | grep "Agent"