AIX cores when passwords are changed through the Fan-out driver

  • 3574053
  • 02-Oct-2007
  • 26-Apr-2012


Novell Identity Manager Driver- Linux and UNIX - Fan Out


When password changes are sent through the fan-out driver to the AIX platform, the PAM module will sometimes core.
There's a flaw, apparently in IBM's AIX PAM framework, which affects the password management part of the PAM stack. If there is any password management module in /etc/pam.conf on AIX marked as"sufficient", that module returns success to the application without actually changing the password. If the"sufficient" module is the first module in the password management part of the stack, no prompts are issued for the old or new passwords. It appears that AIX PAM framework thinks it is done after it obtains the initial PAM_SUCCESS return from the "prelim check" phase of any password module that is marked"sufficient".


Until IBM fixes this flaw, two things need to be done.
First, install at least the 3.1.1 version of the Fan-out driver and any post 3.1.1 patches.
Second, the /usr/lib/security/pam_ascauth module included with this patch recognizes a "no_prelim_check" argument. With the"no_prelim_check" argument, pam_ascauth will skip over its prelim_check code and execute its password changing code instead.

As an example, suppose you desire to code the password section of your AIX /etc/pam.conf file like this:
OTHER password sufficient /usr/lib/security/pam_ascauth
OTHER password required /usr/lib/security/pam_aix

On an affected AIX system (that is, any AIX 5.2 or AIX 5.3 system we know of as of July 27, 2006) you would need to use the following instead:
OTHER password sufficient /usr/lib/security/pam_ascauth no_prelim_check
OTHER password required /usr/lib/security/pam_aix

- There is an IBM APAR designated "IY70101". It's description is:

It appears that, at least in some cases, on some hardware, putuserpwhist core dumps even when APAR IY70101 is installed. Asamrcvr and pam_ascauth both use putuserpwhist when UPDATEPASSWORD is specified in asamplat.conf, and both will core dump on affected AIX systems.

* To circumvent the problem when using PAM on affected AIX systems, add a "no_pwhist" argument, similar to the "no_prelim_check" argument described above, to pam_ascauth's password line in /etc/pam.conf.
* To circumvent the problem when using LAM on affected AIX systems, use the AIX touch command to create a blank file called nohist in the user/local/asam directory.

* To circumvent the problem when using asamrcvr on affected AIX systems, set an environment variable called NOPWHIST to "1", for example:

bourne style shell:


csh style shell:

setenv NOPWHIST 1

If you use the boot time startup script "asamrcvrd" that is included with the fanout driver, you could set the environment variable from that script.