PAM-CM-3478 When Using Another Account to Rotate SSH Keys

Article ID: 233970

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

A Unix target account is being configured to manage SSH keys, but the error PAM-CM-3478 occurs when another account is used to rotate its keys. When the same account is configured to rotate its own SSH keys, the rotation is successful.

Environment

Privileged Access Manager, all versions

Cause

When another account is used to rotate SSH keys, PAM uses sudo as part of the Linux commands. If the target device is configured to run sudo commands in a pseudo terminal, those commands are run as a background process in that pseudo terminal, and the script processor cannot properly read the output from the terminal to determine whether the commands were successful. With the Tomcat Log Level set to INFO, the following is observed in the logs:

Feb 04, 2022 10:51:29 PM com.cloakware.cspm.server.plugin.ScriptProcessorImpl debug
INFO: start executing the default UNIX credentials update script
Feb 04, 2022 10:51:29 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: T4819 - sent data 'sudo -u sshkeyuser sh -c 'echo "ssh-rsa AAAAB3Nza.....MzyPasDhFl" > ~sshkeyuser/.ssh/id_rsa.pub'
'
Feb 04, 2022 10:51:29 PM com.cloakware.cspm.server.plugin.CSPMClientChannel write
INFO: T4819 - sent data 'echo 1577532725454401456-$?--8836686190026563597
'
Feb 04, 2022 10:51:42 PM com.cloakware.cspm.server.security.UserSecurityContextImpl <init>
INFO: Creating UserSecurityContext, using privilege map: true
Feb 04, 2022 10:51:42 PM com.cloakware.cspm.server.app.impl.ViewAccountPasswordNoWorkflowCmd invoke
INFO: ViewAccountPasswordNoWorkflowCmd.invoke, start
Feb 04, 2022 10:51:42 PM com.cloakware.cspm.server.app.impl.ViewAccountPasswordNoWorkflowCmd invoke
INFO: ViewAccountPasswordNoWorkflowCmd.invoke, end:true
Feb 04, 2022 10:51:42 PM com.cloakware.cspm.server.security.UserSecurityContextImpl <init>
INFO: Creating UserSecurityContext, using privilege map: true
Feb 04, 2022 10:51:45 PM com.cloakware.cspm.server.plugin.CSPMClientChannel readUntil
INFO: T4819 - received data 'Last login: Fri Feb  4 22:50:38 2022 from xxxx.mydomain.net
sudo -u sshkeyuser sh -c 'echo "ssh-rsa AAAAB3Nza.....MzyPasDhFl" > ~sshkeyuser/.ssh/id_rsa.pub'
echo 1577532725454401456-$?--8836686190026563597
[pamadmin@xxxx ~]$ sudo -u sshkeyuser sh -c 'echo "ssh-rsa AAAAB3Nza.....MzyPasDhFl" > ~sshkeyuser/. ssh/id_rsa.pub'
echo 1577532725454401456-$?--8836686190026563597
[pamadmin@xxxx ~]$ ' does NOT CONTAIN the case-sensitive string '1577532725454401456-0--8836686190026563597'
Feb 04, 2022 10:51:45 PM com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl executeScript
INFO: stopping script processor

Resolution

The pseudo terminal setting is configured in the sudoers file. On the target device, open sudoers for editing and comment out the use_pty setting as shown below.

#Defaults use_pty

After updating the sudoers file, attempt to rotate the SSH keys again; the rotation will now be successful.
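
To see where use_pty is actually in effect on the target device, the following shell function lists every uncommented Defaults entry that sets or negates it, with file and line number. This is an added example, not part of the original article or of the product; the sample file content is constructed, the account name pamadmin is taken from the log prompt above, and the function does not follow include directives or backslash line continuations.

```shell
#!/bin/sh
# Added example: list active (uncommented) sudoers Defaults entries that
# set or negate use_pty. On a target device, run as root, for instance:
#   find_use_pty /etc/sudoers /etc/sudoers.d/*
find_use_pty() {
    awk '
        /^[ \t]*#/ { next }                # comment lines such as "#Defaults use_pty"
        /^[ \t]*Defaults/ {
            sub(/[ \t]+#.*/, "")           # drop a trailing comment
            scope = substr($1, 9)          # text after "Defaults": :user, @host, >runas, !cmnd
            if (scope == "") scope = "global"
            $1 = ""                        # keep only the parameter list
            n = split($0, p, ",")
            for (i = 1; i <= n; i++) {
                gsub(/[ \t]/, "", p[i])
                if (p[i] == "use_pty")  print FILENAME ":" FNR " scope=" scope " use_pty=on"
                if (p[i] == "!use_pty") print FILENAME ":" FNR " scope=" scope " use_pty=off"
            }
        }
    ' "$@"
}

# Constructed sample sudoers content (not taken from a real host).
sample=$(mktemp)
trap 'rm -f "$sample"' EXIT
cat > "$sample" <<'EOF'
# constructed sample
Defaults   env_reset
Defaults   env_reset, use_pty
#Defaults use_pty
Defaults:pamadmin !use_pty
EOF

# Reports line 3 (global, on) and line 5 (scoped to pamadmin, off);
# the commented-out line 4 is not reported.
find_use_pty "$sample"
```

An empty result for the real sudoers files means no uncommented Defaults line in those files mentions use_pty.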