PAM r3.1.1.09: Command Filtering allows a blocked command on first attempt

Article ID: 101542

Updated On:

Products

CA Privileged Access Manager - Cloakware Password Authority (PA)
PAM SAFENET LUNA HSM
CA Privileged Access Manager (PAM)

Issue/Introduction

A blacklisted command is not blocked when it is the first command entered in an SSH session to a Red Hat 6.9 target device. This only happens when using the SSH Applet. The command filter works correctly when a TCP/UDP service is used to launch PuTTY, and there is no problem with other flavors of UNIX, such as other Linux distributions or Solaris.

Cause

This is related to the contents of the banner and motd files that display messages to users when they log in. The root cause was identified as the last line of one, or both, of these files ending with a <newline> character. In some tests the problem occurred if either file ended with such a character; in other cases it only occurred when both files ended with a newline character.

Environment

Observed with PAM 3.1.1. Older releases, and 3.2 GA, may be affected as well.

Resolution

HotFix 3.1.1.23 fixes the problem.

If you don't have the hotfix applied yet, there are a couple of workarounds for this problem:
1.  Edit the banner and motd files to ensure they do not end with a newline character.
2.  Configure user login scripts so that some command is executed as soon as the user logs in, for example echo "".
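The following POSIX shell script, added here as an example and not part of this article or of the PAM product, implements the first workaround: it reports whether each given file ends with a newline byte (the condition identified above as the trigger) and, optionally, rewrites the file so it no longer does. The file paths are assumptions; on a typical Linux target the relevant files are /etc/motd and whatever file the sshd_config Banner directive points to (often /etc/issue.net), but check your own configuration.

```shell
#!/bin/sh
# Added example: audit and fix trailing newlines in banner/motd files.
# Not code from the article or the product. File paths are assumptions.

# ends_with_newline FILE
# Exit 0 if the last byte of FILE is a newline (0x0a), 1 otherwise.
# An empty or missing file is treated as "no trailing newline".
ends_with_newline() {
    [ -s "$1" ] || return 1
    # wc -l counts newline bytes; tail -c 1 yields exactly the last byte.
    [ "$(tail -c 1 "$1" | wc -l)" -eq 1 ]
}

# strip_trailing_newline FILE
# Rewrite FILE without any trailing newline bytes. Command substitution
# drops every trailing newline, so a file ending in "\n\n" is fixed too.
# A .bak copy is kept so the change can be reverted.
strip_trailing_newline() {
    f=$1
    cp -p "$f" "$f.bak" || return 1
    printf '%s' "$(cat "$f")" > "$f.tmp" || return 1
    mv "$f.tmp" "$f"
}

# audit [--fix] FILE...
# Print one status line per file; with --fix, strip trailing newlines.
audit() {
    fix=0
    if [ "$1" = "--fix" ]; then fix=1; shift; fi
    for f in "$@"; do
        if ends_with_newline "$f"; then
            if [ "$fix" -eq 1 ]; then
                strip_trailing_newline "$f" && echo "FIXED   $f"
            else
                echo "TRAILING-NEWLINE $f"
            fi
        else
            echo "OK      $f"
        fi
    done
}

# Usage (paths are assumptions, adjust to your target):
#   sh check_banner.sh /etc/motd /etc/issue.net
#   sh check_banner.sh --fix /etc/motd /etc/issue.net
if [ $# -gt 0 ]; then
    audit "$@"
fi
```

Run it in report mode first on each affected target, apply --fix only to files that show TRAILING-NEWLINE, and then verify with a fresh SSH Applet session that a blacklisted first command is rejected. Keep in mind that many editors (vi, nano) append a newline on save, so the check is worth repeating after any later edit to these files; the hotfix in the Resolution above removes the need for this workaround entirely.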