Restrict password check-in while an SSH session for a particular account is still active


Article ID: 222393


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are currently working on a client project in which we are providing the password check-out / view feature so that users can check out the passwords of privileged accounts. The user can then use the password to log on to the target server node via PuTTY, launching the SSH session from their local machine.

We want to prevent the user from checking the password back in while the SSH session is still active. Is there any feature or customization in PAM whereby PAM can check for an active session and restrict the user, i.e. not allow the user to check the password back in while the SSH session is active?

Cause

PAM has no way to monitor a user's activity on a target machine when that machine is accessed outside of the PAM client (for example, with a password that was viewed or checked out in PAM and then used from a local PuTTY session). PAM only sees the sessions it launches itself.

Environment

Release: 3.x, 4.x

Resolution

The feature to use is "Exclusive Check-out On Auto Connect", but it only works together with Auto Connect: the password is checked out exclusively for the session that PAM itself launches, so PAM knows when that session starts and ends. This can also be configured for applications published through PAM TCP/UDP services. If the password is instead viewed and then used outside of PAM, for example pasted into a local PuTTY client, PAM has no visibility into the resulting session and cannot tell whether it is still active, so it cannot block the check-in.