PAM Views
PAM Module Views
Users view
In the Users view you can manage the users and assign passwords to them. In this view all users are listed in tabular form. In the table you can set new passwords, lock and unlock single users and view the password state.
The table of this view informs you about the status of the users and other attributes relating to their passwords:
Select | Checkbox for selection |
---|---|
User-ID | String designating the user ID (it may not be empty) |
Password State | Information on whether or not the user should change his password |
CHAP Support | User uses a CHAP supported password |
Locked | “true” if the user is locked; “false” if the user is not locked |
Lock Reason | The reason why the user was locked |
Locked Until | Date until which the user is locked |
RTC | Number of login retries left. |
Last Changed | Date and time of the last change |
Actions | Sets the password for the user of that row; locks or unlocks the user of that row |
The search and filter options are described in the kernel administrator manual under “Search“.
Add user
To add a user to the database, click the button “Add user” and enter only one User ID in the text field.
A user that is available in this view can also be seen in other views of the SSMS GUI.
Note: When creating new users, only use the supported characters. These are contained in the kernel administrator manual under “Supported Characters”.
Clicking the button opens a window in which you are prompted to enter the name of the user to be added as well as his password. In addition you can set the password state. The UserID and the password are mandatory fields.
Note: If the option “User must change password?” is selected, the user must first change his password before being able to log in.
Remove user
You remove a user and all the data related to the user from the database by selecting the user in the left-most column and by clicking the corresponding button. You can also delete all users at once by selecting “all”.
After selecting the user and clicking the button “Remove User”, an additional window opens, which asks you to confirm the deletion.
Lock or unlock users
To lock or unlock users, select one or more users in the left-most column and click the button “Lock User” or “Unlock User”.
Lock or unlock a single user
You lock or unlock a single user in the actions column on the right of the GUI by clicking the lock symbol.
Set password “MUST CHANGE“
You change the password state to ”MUST CHANGE” by selecting one or more users in the left-most column and clicking the corresponding button located above the users’ table.
If the password state has been set to “MUST CHANGE“, the user must change the pre-configured password set by the administrator at log-in before he is able to complete the login.
Note: Error messages resulting from certain actions are not described here.
⚠️ If you set a new password for an already locked user, the user will then be activated again in the SSMS. In case the lock status persists, the user must be manually unlocked.
Set password
You can set a password for a user by clicking the symbol in the Actions column. A password that follows the guidelines defined in the PAM Advanced Settings is suggested; it can be changed directly in the window. Moreover, you can define here whether the user has to change the password before he is able to log in. Confirm your settings by clicking “Save Password”.
Reporting view
The reporting view provides an overview of the PAM activities.
In the reporting view you’ll find information about the status of the users, of the passwords and of the actions carried out along with their attributes:
Date | Date and time of the activity |
---|---|
User-ID | The user of the activity |
Action | The action carried out for the user or for the password. For example: DELETE_USER, LOCK_USER, CHANGE_PASSWORD_STATE, SET_PASSWORD |
Status | Result of the action (is generated by the system) |
Details | Additional information like the reason why the user has been locked |
Advanced-Settings view
This chapter gives you information about the configuration options of the Password Authentication Module. The values given here are default values.
In this view you can change the following configuration parameters:
Password Min Length | The minimum number of characters of a password. |
---|---|
Login Maximum Retries Without Delay | The maximum number of login retries without a waiting time between the retries. Default value is 3. |
Login Maximum Retries | The maximum number of retries the user has available for a log-in. Default value is 6. |
Login Retry First Delay | Time period that the user has to wait before he is able to execute the next retry after the first retry with delay. Default value is 60. The waiting time increases after every failed attempt. |
Regex Pattern | A regular expression pattern, describing the syntactical rules of the password string. It defines the structure of the password, so that it is recognized as a valid password by the PAM module (for example upper or lower case letters, numbers and symbols). |
Password Generation Pattern | Character set used for password generation, defined as a simple string. No regular expressions are allowed here. Use \ as escape symbol. If no string is defined, PAM generates a password with the default implementation. |
Use Custom Restriction Class | Option whether user-defined restrictions should be used. For example, the customer can import his Java class for password verification. Important: note the following restrictions when importing your own Java class: 1.) The class must have the name “com.kobil.ssms.pam.PasswordRestriction” and must implement the interface “com.kobil.ssms.pam.api.PasswordRestriction”. 2.) The class must be contained in the file “CustomPasswordRestriction.jar”. 3.) The jar file must be contained in the directory <SSMS_HOME>/password_restriction. |
CHAP Compatible Passwords | When this checkbox is set, changed passwords are stored in a format compatible with CHAP protocol usage, i.e. SSMS is able to decrypt stored passwords. When a password is set or changed from the UI or the Management SOAP interface, this option controls the default behavior, which can be individually overruled by changing the checkbox in the UI or setting the required parameter in a SOAP request. When a password is set or changed via a user protocol, for example for user- or administrator-initiated password changes in conjunction with SecOVID and RADIUS, this setting controls how the password is stored and cannot be overruled individually. Default: off/inactive. |
Note: your settings become effective after you confirm them with “Save“.
⚠️ Changes to the Advanced Settings have consequences for already existing passwords, which must then be created again. More precisely, passwords matching the new criteria should be created. If the value of Login Maximum Retries is decreased, this has consequences for retries already attempted.
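Added example (not part of the original manual and not KOBIL code): a pre-save check that a Password Generation Pattern can actually produce passwords accepted by the Regex Pattern at the configured Password Min Length. The sample regex and character sets are constructed; the escape handling, the whole-string match, and the use of regex syntax that behaves the same in Python's re as in the product are assumptions.

```python
import math
import random
import re

def parse_charset(pattern):
    """Expand a Password Generation Pattern: a plain string of allowed
    characters in which a backslash makes the next character literal
    (assumed reading of "use \\ as escape symbol")."""
    chars, i = set(), 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 1
            if i == len(pattern):
                raise ValueError("pattern ends with a dangling backslash")
        chars.add(pattern[i])
        i += 1
    return sorted(chars)

def check_policy(regex, charset, min_length, samples=500, seed=1):
    """Draw candidates of min_length from the charset and report how many
    the Regex Pattern accepts, plus the entropy of such a password."""
    rule = re.compile(regex)
    alphabet = parse_charset(charset)
    rng = random.Random(seed)  # seeded for a repeatable report, not for real passwords
    accepted = sum(
        bool(rule.fullmatch("".join(rng.choice(alphabet) for _ in range(min_length))))
        for _ in range(samples)
    )
    return {
        "alphabet_size": len(alphabet),
        "entropy_bits": round(min_length * math.log2(len(alphabet)), 1),
        "accept_rate": accepted / samples,
    }

# Constructed sample settings (not product defaults).
REGEX = r"(?=.*[A-Z])(?=.*[a-z])(?=.*[0-9])(?=.*[!#$%\\]).{12,}"
WEAK_CHARSET = "abcdefghijklmnopqrstuvwxyz0123456789"  # no upper case, no symbol
FIXED_CHARSET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnopqrstuvwxyz23456789!#$%\\\\"

if __name__ == "__main__":
    for name, cs in (("weak", WEAK_CHARSET), ("fixed", FIXED_CHARSET)):
        print(name, check_policy(REGEX, cs, 12))
```

An accept rate of 0 means the character set lacks a class the regex demands, so no generated password would pass validation; a low but non-zero rate means most generated suggestions would be rejected.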