Password authentication fails for unchallenged users on AIX after changing to SHA256 password hashing when RSA Authentication Agent for PAM is installed
RSA Product Set: SecurID
RSA Product/Service Type: Authentication Agent for PAM
Platform: IBM AIX
After changing the AIX system-wide password hashing algorithm to SHA256 (the pwd_algorithm attribute in /etc/security/login.cfg), all password authentications for unchallenged users fail with an invalid password error.
The RSA Authentication Agent for PAM installed on AIX supports only the AIX default crypt password hashing algorithm. If the default algorithm is changed, the agent can no longer verify passwords for unchallenged users, because it checks those passwords itself against the stored hash.
To resolve this issue, revert to the default crypt password hashing in /etc/security/login.cfg.
If the password hashing algorithm must be changed, then password authentications must be handed over to the native pam_aix authentication module. That is achieved by stacking PAM modules: the RSA agent entry is followed by a pam_aix entry for the same service. SSH is used as the example here, but the same change applies to any other protected resource, such as sudo, su, and so on.
With the modules stacked, unchallenged users can log in with a password hashed under the new algorithm. Challenged users, however, have to log in with their RSA passcode followed by their AIX password.
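The stacking described above, written out as an added illustration rather than configuration taken from this article or from RSA's documentation. It assumes the agent's PAM module is installed as /usr/lib/security/pam_securid.so and that not_set_pass is passed to it as a module option; the pam_aix path, the pam.conf field order and the login.cfg attribute names are standard AIX.

```conf
# /etc/security/login.cfg, usw stanza: the system-wide hashing change that
# breaks the agent's own crypt() check, plus the switch that makes login
# services go through PAM at all.
usw:
        pwd_algorithm = ssha256
        auth_type = PAM_AUTH

# /etc/pam.conf, before: the RSA agent alone handles sshd authentication.
# Unchallenged users' passwords are verified by the agent itself, which
# understands only crypt hashes, so every unchallenged login fails once
# ssha256 is in use.
sshd    auth      required    /usr/lib/security/pam_securid.so

# /etc/pam.conf, after: stack the agent on top of the native pam_aix module.
# not_set_pass is the agent option this article refers to; it is assumed
# here to stop the agent from handling the password itself, so pam_aix
# performs the password check against whatever pwd_algorithm selects.
# Both auth entries are "required", so a challenged user answers the
# SecurID passcode prompt first and the AIX password prompt second, while
# an unchallenged user is passed through by the agent and sees only the
# password prompt.
sshd    auth      required    /usr/lib/security/pam_securid.so  not_set_pass
sshd    auth      required    /usr/lib/security/pam_aix
sshd    account   required    /usr/lib/security/pam_aix
sshd    password  required    /usr/lib/security/pam_aix
sshd    session   required    /usr/lib/security/pam_aix
```

Keep the pam_securid line above the pam_aix line. With required on both, PAM runs both modules and reports the combined result, which is exactly the passcode-then-password sequence described above for challenged users; changing the agent's entry to sufficient would let a challenged user skip the password check, which is not the behaviour this article describes. Repeat the auth pair for su, sudo or any other service whose stanza currently names only the agent, and keep a second root session open while editing /etc/pam.conf, since a malformed stanza locks out every login through that service.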
Support for the not_set_pass attribute was added in RSA Authentication Agent 18.104.22.168 for PAM on AIX. Ensure that this is the version installed, or the solution above will not work. Find the version number with the following command: