"Require login password" sample script ignores authentication failure / incorrect password

  • 7017960
  • 17-Aug-2016
  • 15-Sep-2016

Environment

NetIQ Privileged Account Manager 3.0
NetIQ Privileged Account Manager 3.0.1
NetIQ Privileged Account Manager 3.1

Situation

Sample Script: "Require login password" ignores authentication failure / incorrect password
User enters the wrong password, authentication fails, yet the command runs successfully.
Failed authentication still successfully executes requested command, ignoring condition.
usrun su - works even with incorrect password

Resolution

This has been addressed in the release of Privileged Account Manager 3.1.0.1 (3.1 HF1).

Please see the following from the relevant Release Notes:
Section 1.4, The Require Login Password Sample Script Skips User Authentication

Cause

The "Require login password" sample script is imported incorrectly, without "Conditional Script" checked, so the result of the password check is ignored.

Status

Reported to Engineering

Additional Information

Here is an example of what may happen in a terminal session without "Conditional Script" checked:

user1@agente:~> usrun yast
Please enter your login password:
Password authentication successful


bash: yast: command not found
user1@agente:~> usrun yast
Please enter your login password:
Password authentication failure, unable to perform operation.

Reason: Password incorrect

bash: yast: command not found
user1@agente:~> usrun yast



The following workaround was accepted before the fix was officially released:

Workaround: Configure the script to be a Conditional Script.

  1. Edit the "Require login password" script.
    Note: For more details, please refer to Modifying a Script.
  2. Check the "Conditional Script" box.
  3. Click Finish.
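
To confirm the behaviour is gone after applying the fix or the workaround, a captured terminal transcript in the format shown under Additional Information can be scanned for usrun calls where output still follows the authentication failure message. This is an added example, not part of the original article or of the product; the sample transcript is constructed, and the code assumes that an enforced failure prints nothing after the "Reason:" line.

```python
import re

# Prompt line that starts a usrun call, e.g. "user1@agente:~> usrun yast"
PROMPT = re.compile(r"^(?P<user>[^@\s]+)@(?P<host>[^:\s]+):\S*> usrun (?P<cmd>.+)$")
AUTH_FAIL = "Password authentication failure"

def split_invocations(transcript):
    """Split a captured terminal transcript into one record per usrun call."""
    records, current = [], None
    for line in transcript.splitlines():
        m = PROMPT.match(line.strip())
        if m:
            current = {**m.groupdict(), "lines": []}
            records.append(current)
        elif current is not None and line.strip():
            current["lines"].append(line.strip())
    return records

def find_fail_open(transcript):
    """Return usrun calls where output follows an authentication failure."""
    # Assumption: when the failure is enforced, only the "Reason:" line follows
    # the failure message; anything else means the command was still attempted.
    findings = []
    for rec in split_invocations(transcript):
        idx = next((i for i, ln in enumerate(rec["lines"])
                    if ln.startswith(AUTH_FAIL)), None)
        if idx is None:
            continue
        after = [ln for ln in rec["lines"][idx + 1:] if not ln.startswith("Reason:")]
        if after:
            findings.append({"user": rec["user"], "cmd": rec["cmd"], "evidence": after})
    return findings

# Constructed sample modelled on this article's session; the user2 call is invented.
SAMPLE = """\
user1@agente:~> usrun yast
Please enter your login password:
Password authentication successful
bash: yast: command not found
user1@agente:~> usrun yast
Please enter your login password:
Password authentication failure, unable to perform operation.
Reason: Password incorrect
bash: yast: command not found
user2@agente:~> usrun yast
Please enter your login password:
Password authentication failure, unable to perform operation.
Reason: Password incorrect
"""
```

Calling `find_fail_open(SAMPLE)` reports only the second call, where shell output appears after the failure message.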