Custom password changers

Custom password changers let you define a set of commands to execute on a remote host when the built-in password changers cannot handle a specific use case.

Note

In a cluster configuration, the node responsible for changing passwords on monitored systems is configured in the system settings. For more information, refer to the Password changers - active cluster node topic.

Defining a custom password changer


  1. Click the + icon in the main menu next to the Password changers tab, or select Management > Password changers, click Add, and then choose New password changer.

Note

Alternatively, you can find and click an existing password changer and click Copy to create a new password changer based on the currently opened definition.

  1. Define the password changer’s name.
  2. From the Script type drop-down list, select whether the script is a password changer or a password verifier.
  3. From the Connection mode drop-down list, select the transport layer.
  4. In the Timeout field, define the script’s execution time limit.
  1. In the Commands list section, click . to add a command.

Note

Available commands depend on the selected transport layer. For more information on connection modes, refer to the Connection modes topic.

  • INPUT - command executed on target host.
  • EXPECTED - expected result.
  • ENTER
  • DELAY - delay between commands’ execution.
  • DN - directory service DN (Distinguished Name) parameter.
  • FILTER - directory service user filter.

Warning

To configure WinRM password changers, you need to provide user credentials with the authority to change passwords (typically an admin-level account). However, it’s important to avoid using this account to change its own password, as WinRM will return an error that Fudo PAM cannot process. Make sure that the account_login and transport_login variables are set to different values.

  1. Enter the command or define the action’s parameters.

Note

You can use predefined transport layer variables or user-defined variables in commands. To use or define a variable, enclose its name in %% characters (e.g. %%transport_host%%, %%custom_variable%%).

  1. Repeat steps 8-10 to add more commands.
  2. In the Variables section, define variables’ attributes.

Note

Variables can be initialized with values referenced from other objects, or they can be assigned a constant value.

  1. Click Save.
  2. Define a password change policy and assign the password changer to an account.

Note

Example

In this password changer example, the password change is triggered with the passwd command executed with sudo privileges on a host running the FreeBSD operating system.

Commands list

| # | Action | Content | Comment |
|---|---|---|---|
| 1 | EXPECTED | Password | Expected terminal output with the word ‘Password’ in it. |
| 2 | INPUT | %%transport_secret%% | The value of the transport_secret variable is the secret that authorizes a privileged account to change the password. |
| 3 | EXPECTED | \[newtd_pc@john-laptop.*\] | Expected terminal output matching the given regular expression. |
| 4 | INPUT | sudo passwd %%account_login%% | Change the password for the account, where account_login is the login of the user whose password is being changed. |
| 5 | EXPECTED | Password | Expected terminal output with the word ‘Password’ in it. |
| 6 | INPUT | %%transport_secret%% | The value of the transport_secret variable is the secret that authorizes a privileged account to change the password. |
| 7 | EXPECTED | Changing local password | Expected terminal output with the phrase ‘Changing local password’ in it. |
| 8 | EXPECTED | New Password | Expected terminal output with the phrase ‘New Password’ in it. |
| 9 | INPUT | %%account_new_secret%% | The value of the account_new_secret variable is the new password. |
| 10 | EXPECTED | Retype New Password | Expected terminal output with the phrase ‘Retype New Password’ in it. |
| 11 | INPUT | %%account_new_secret%% | The value of the account_new_secret variable is the new password. |
| 12 | INPUT | echo $? | |
| 13 | EXPECTED | 0 | |

Variables

| Variable name | Object type | Object property | Encrypt |
|---|---|---|---|
| transport_method | constant | | fail |
| transport_bind_to | server_property | bind_ip | fail |
| transport_user | account | login | fail |
| transport_host | server_address_property | host | fail |
| transport_port | server_property | port | fail |
| transport_secret | account | secret | ok |
| transport_host_public_key | constant | | fail |
| account_login | account | login | fail |
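
A pre-deployment check for a command list like the one in this example, added here as an illustration; it is not part of the product or its documentation, and the lint function and its rules are hypothetical. It assumes the Encrypt column's ok/fail mean enabled/disabled, and that account_new_secret is supplied at run time, since the example uses it without listing it under Variables.

```python
import re

VAR_RE = re.compile(r"%%(\w+)%%")

# Command list transcribed from the FreeBSD example: (action, content).
COMMANDS = [
    ("EXPECTED", "Password"), ("INPUT", "%%transport_secret%%"),
    ("EXPECTED", r"\[newtd_pc@john-laptop.*\]"),
    ("INPUT", "sudo passwd %%account_login%%"),
    ("EXPECTED", "Password"), ("INPUT", "%%transport_secret%%"),
    ("EXPECTED", "Changing local password"), ("EXPECTED", "New Password"),
    ("INPUT", "%%account_new_secret%%"), ("EXPECTED", "Retype New Password"),
    ("INPUT", "%%account_new_secret%%"), ("INPUT", "echo $?"), ("EXPECTED", "0"),
]
# Variables table from the example: name -> Encrypt enabled (ok=True, fail=False).
VARIABLES = {
    "transport_method": False, "transport_bind_to": False,
    "transport_user": False, "transport_host": False,
    "transport_port": False, "transport_secret": True,
    "transport_host_public_key": False, "account_login": False,
}
# Assumption: provided by the product at run time, not defined by the operator.
RUNTIME_VARS = {"account_new_secret"}


def lint(commands, variables, runtime_vars=RUNTIME_VARS):
    """Return (step_number, message) findings for a changer definition."""
    findings = []
    for step, (action, content) in enumerate(commands, start=1):
        for name in VAR_RE.findall(content):
            if name not in variables and name not in runtime_vars:
                findings.append((step, f"undefined variable {name}"))
            if name.endswith("_secret"):
                if name in variables and not variables[name]:
                    findings.append((step, f"{name} is not encrypted"))
                # A secret should be the whole INPUT (an answer to a prompt),
                # not part of a command line the shell may echo or log.
                if action != "INPUT" or content != f"%%{name}%%":
                    findings.append((step, f"{name} embedded in {action}"))
        if action == "EXPECTED":
            try:
                re.compile(content)  # EXPECTED content is matched as a regex
            except re.error as exc:
                findings.append((step, f"bad EXPECTED pattern: {exc}"))
    return findings
```

The example definition yields no findings; a misspelled variable name, a secret placed inside a longer command, or an EXPECTED pattern that does not compile is reported with its step number.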

Editing a custom password changer

Warning

When modifying a password changer, be aware that new variables will have to be initialized in every account instance that uses the modified password changer. You will be provided with the list of those accounts.


  1. Select Management > Password changers.
  2. Click the name of the desired password changer.
  3. Edit selected commands.
  4. Click i to remove selected command.
  5. Click Save.

Deleting a custom password changer


  1. Select Management > Password changers.
  2. Select the desired elements and click Delete.
  3. Confirm deletion of the selected objects.
