SSH connection fails from PAM to targets after patching OS
Article ID: 126409
Products
- CA Privileged Access Manager - Cloakware Password Authority (PA)
- PAM SAFENET LUNA HSM
- CA Privileged Access Manager (PAM)
Issue/Introduction
After applying the latest quarterly Oracle patch set to a cluster environment of six target servers, users could no longer connect to three of the six servers using SSH auto-login.
The quarterly patch had updated the version of openssh, so the openssh change was initially suspected.
Cause
Root cause: The password history for the accounts used for auto-connect showed that the EXPPWD process had updated the password during the maintenance window in which the OS was being patched.
The change in openssh versions had nothing to do with the problem.
The TargetAccountExpiredPassword process does not change a password when it fails to connect to the target.
The method followed to shut down the targets, patch them and return them to service left a window in which the target systems were reachable at the time the passwords became due for update, so the rotation ran while the targets were in the middle of being patched.
Environment
PAM 3.2.3
Target servers are Oracle Solaris 11g database servers
Resolution
Retrieved the new password for each affected account from PAM and set that password on the problem accounts on the target systems, so that the target and the vault were back in sync.
Additional Information
Best Practices:
When target systems will be removed for patching, suspend account updates to those targets:
1. Check that no scheduled jobs will be running during the patching window.
2. Under Settings - Credential Manager - General Settings, uncheck the box for 'Automatically Update Expired Passwords'.
The TargetAccountExpiredPassword process runs every 12 hours; once the setting is enabled again, the next run will catch the accounts whose passwords became due during the window and update them.