When users must first connect to a jump server (here, a Terminal Server acting as the jump server), then launch the CA PAM client and connect to various devices according to their assigned policies, they might get pop-up messages as described below.
In CA PAM, PuTTY is configured as a TCP/UDP service. PuTTY is used as the example in this article, but the problem described here applies to any TCP/UDP service.
The same PuTTY service is configured for multiple UNIX / Linux devices so that users can connect to these devices.
Only the first user connecting to the terminal server is allowed to access all the UNIX / Linux devices.
Subsequent users who log in to the same terminal server and connect to the CA PAM Server get the following pop-up message.
The first user also gets the following message when any subsequent user tries to establish a connection using the PuTTY service for any of the UNIX / Linux devices.
This message alerts the first user that other users are also trying to connect to other devices using the same PuTTY service.
In the past, when working in a multi-user environment on a single PC / Terminal Server, other users on the same PC / Terminal Server were able to tap into the open port and hijack a session on the remote server. This 'Alert' added the confirmation message to stop this and to inform users that it may be happening to them.
Is this by design, or is it a bug?
How can this be fixed so that multiple users on the same PC / Terminal Server can access the same service, in this case PuTTY, to connect to the devices?
This is working as designed. In earlier versions of CA PAM, the alert message was not available, so users were not aware that their session could be hijacked.
The solution is to modify the PuTTY service ports and replace 22 with 22:*
Using the Ports:* syntax generates a new random port every time a user logs in.
LocalPort (Ports) is the local port over which the listener waits for connections on the local user desktop. Enter an * (asterisk) to let CA Privileged Access Manager set the value to any available port. This stops multiple users from ending up with the same port assigned to a service.
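The difference between a fixed local port and `*` on a shared host can be reproduced with plain loopback listeners. This is an added example, not CA PAM code: the `remote:local` parsing, the helper names and the user names are assumptions, and a free high port stands in for the fixed local port.

```python
import socket

def parse_ports(spec):
    """Split 'remote' or 'remote:local'; a local part of '*' maps to 0 (OS picks)."""
    remote, _, local = spec.partition(":")
    if local == "*":
        return int(remote), 0
    # Assumption: a bare 'remote' entry reuses the same number as the local port.
    return int(remote), int(local or remote)

def simulate(spec, users):
    """Open one loopback listener per user on the same host.

    Returns {user: local port, or 'collision' if the port was already taken}.
    """
    _, local_port = parse_ports(spec)
    held, result = [], {}
    for user in users:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        try:
            s.bind(("127.0.0.1", local_port))  # port 0 = any available port
            s.listen(1)
            held.append(s)                     # keep it open while others bind
            result[user] = s.getsockname()[1]
        except OSError:
            s.close()
            result[user] = "collision"
    for s in held:
        s.close()
    return result

def pick_free_port():
    """Find an unused high port to stand in for the fixed local port."""
    with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]

if __name__ == "__main__":
    users = ["user1", "user2"]  # constructed user names
    fixed = pick_free_port()
    print("fixed :", simulate(f"22:{fixed}", users))  # second user collides
    print("random:", simulate("22:*", users))         # each user gets its own port
```

With a fixed local port every user on the host ends up pointing at the same listener, which is the condition the alert reports; with `*` each session gets its own port.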