Novell Identity Manager Driver- Linux and UNIX - Fan Out
When password changes are sent through the fan-out driver to the AIX platform, the PAM module will sometimes dump core.

There's a flaw, apparently in IBM's AIX PAM framework, which affects the password management part of the PAM stack. If any password management module in /etc/pam.conf on AIX is marked as "sufficient", that module returns success to the application without actually changing the password. If the "sufficient" module is the first module in the password management part of the stack, no prompts are issued for the old or new passwords. It appears that the AIX PAM framework thinks it is done after it obtains the initial PAM_SUCCESS return from the "prelim check" phase of any password module that is marked "sufficient".
Until IBM fixes this flaw, two things need to be done.

First, install at least the 3.1.1 version of the Fan-out driver and any post-3.1.1 patches.

Second, the /usr/lib/security/pam_ascauth module included with this patch recognizes a "no_prelim_check" argument. With the "no_prelim_check" argument, pam_ascauth skips its prelim_check code and executes its password-changing code instead.
As an example, suppose you want to code the password section of your AIX /etc/pam.conf file like this:

    OTHER password sufficient /usr/lib/security/pam_ascauth
    OTHER password required /usr/lib/security/pam_aix

On an affected AIX system (that is, any AIX 5.2 or AIX 5.3 system we know of as of July 27, 2006) you would need to use the following instead:

    OTHER password sufficient /usr/lib/security/pam_ascauth no_prelim_check
    OTHER password required /usr/lib/security/pam_aix
- There is an IBM APAR designated "IY70101". Its description is: PUTUSERPWHIST CORE DUMPS IN 64BIT MODE.

It appears that, at least in some cases, on some hardware, putuserpwhist core dumps even when APAR IY70101 is installed. asamrcvr and pam_ascauth both use putuserpwhist when UPDATEPASSWORD is specified in asamplat.conf, and both will core dump on affected AIX systems.
* To circumvent the problem when using PAM on affected AIX systems, add a "no_pwhist" argument, similar to the "no_prelim_check" argument described above, to pam_ascauth's password line in /etc/pam.conf.
* To circumvent the problem when using LAM on affected AIX systems, use the AIX touch command to create a blank file called nohist in the user/local/asam directory.
* To circumvent the problem when using asamrcvr on affected AIX systems, set an environment variable called NOPWHIST to "1", for example:

  Bourne-style shell:

      NOPWHIST=1
      export NOPWHIST

  csh-style shell:

      setenv NOPWHIST 1

If you use the boot-time startup script "asamrcvrd" that is included with the fan-out driver, you could set the environment variable from that script.
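Both workarounds above depend on every pam_ascauth "password" line in /etc/pam.conf carrying the right arguments, and it is easy to patch the OTHER line while leaving a per-service line unpatched. The following POSIX shell script is an added example, not part of this document or of the Fan-out driver: it audits an AIX-style /etc/pam.conf and reports every pam_ascauth password line that lacks "no_prelim_check" or "no_pwhist". It assumes the four-column AIX pam.conf layout (service, module type, control flag, module path and arguments) and the /usr/lib/security/pam_ascauth path shown above; the sample configuration it writes is constructed for demonstration only.

```sh
#!/bin/sh
# Added example, not part of the Novell TID: audit an AIX-style /etc/pam.conf
# for pam_ascauth "password" lines that still lack the no_prelim_check and
# no_pwhist workaround arguments. Assumes the four-column AIX pam.conf layout
#   service  module_type  control_flag  module_path [arg ...]
# and the module path /usr/lib/security/pam_ascauth used in the article.

# check_pam_ascauth FILE
# Prints one line per missing argument, e.g.
#   line 3 (OTHER password sufficient): missing no_pwhist
# Returns 0 when every pam_ascauth password line carries both arguments,
# 1 when at least one argument is missing somewhere.
check_pam_ascauth() {
    conf="$1"
    rc=0
    n=0
    set -f                      # no globbing while word-splitting config lines
    while IFS= read -r line || [ -n "$line" ]; do
        n=$((n + 1))
        case "$line" in
            ''|\#*) continue ;;  # blank line or comment
        esac
        set -- $line            # split on whitespace into positional params
        [ "$#" -ge 4 ] || continue
        service="$1"; type="$2"; flag="$3"; module="$4"
        [ "$type" = "password" ] || continue
        case "$module" in
            */pam_ascauth|pam_ascauth) ;;
            *) continue ;;      # some other password module, not our concern
        esac
        shift 4
        args=" $* "             # pad so a whole-word match is possible
        for needed in no_prelim_check no_pwhist; do
            case "$args" in
                *" $needed "*) ;;
                *) printf 'line %s (%s %s %s): missing %s\n' \
                       "$n" "$service" "$type" "$flag" "$needed"
                   rc=1 ;;
            esac
        done
    done < "$conf"
    set +f
    return "$rc"
}

# write_sample_pamconf FILE
# Writes a constructed sample (not a real AIX file) with one unpatched line,
# one fully patched line and one line missing only no_pwhist.
write_sample_pamconf() {
    cat > "$1" <<'EOF'
# constructed sample pam.conf for the check above
OTHER auth required /usr/lib/security/pam_aix
OTHER password sufficient /usr/lib/security/pam_ascauth
OTHER password required /usr/lib/security/pam_aix
login password sufficient /usr/lib/security/pam_ascauth no_prelim_check no_pwhist
sshd password sufficient /usr/lib/security/pam_ascauth no_prelim_check
EOF
}

# Usage: sh check_pam_ascauth.sh /etc/pam.conf
if [ "$#" -gt 0 ]; then
    check_pam_ascauth "$1"
fi
```

Run it on the AIX host as sh check_pam_ascauth.sh /etc/pam.conf; a non-zero exit means at least one pam_ascauth password line still needs attention. The no_pwhist argument only matters when UPDATEPASSWORD is specified in asamplat.conf, so a reported no_pwhist on a system that does not set UPDATEPASSWORD is something to confirm rather than a definite fault.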