Symantec Privileged Access Management

  • 1.  View password not verified

    Posted Nov 05, 2018 11:18 AM

    Hi


    We have a policy that enables users to see the account password for some Linux servers.

    But if the server has some kind of problem that makes it unreachable from PAM (for example, network connectivity), the account password becomes unverified and the user can't see it.


    This is impractical if he needs to log in on the console to do some kind of troubleshooting.


    Is there a way for a user to view the password of unverified accounts?
    Probably some of you have this same problem...


    Thanks

    Best regards



  • 2.  Re: View password not verified
    Best Answer

    Broadcom Employee
    Posted Nov 05, 2018 12:31 PM

    Contratos,


    CAPAM is working as designed. If the account is not verified, then there is no way to guarantee that the password being used is the password for that server. The user would log in anyway and get a bad password error without knowing what the true problem was.


    I hope this helps.



  • 3.  Re: View password not verified

    Posted Nov 06, 2018 06:09 AM

    Ok, I understand.

    But, in some situations, I know that the unverified password is correct.

    Suppose one of your servers has a panic error and is asking for the root account to boot in single-user mode. In that situation (change on view password, check-in/check-out), the password may become unverified and the last password is the correct one because PAM wasn't able to change it. Is this right?


    In this use case, it makes sense for our team in the field to have access to that password.

    Thanks



  • 4.  Re: View password not verified

    Broadcom Employee
    Posted Nov 06, 2018 09:13 AM

    Hi Contratos, how would PAM know that this is a situation where the password in fact is still correct? The PAM user can contact a PAM admin who can check on the password. If the device is back online and the password verifies OK, the account will go back to verified and can be used again. Also, you can run regular verify jobs against target accounts. This way the account may go back to verified before someone needs to use it. You can do this selectively for accounts that are in an unverified state.



  • 5.  Re: View password not verified

    Posted Nov 06, 2018 09:43 AM

    Hi Ralf

    I agree that, in this situation, PAM can't know that the password is still correct.

    But it can give that feedback to the user by alerting them to the fact that it's unverified, while at the same time allowing the user to view the password if he wants (with the necessary audit/accountability), just like the PAM admin would do.

    Thanks