SSH Login denied due to duplicate TERMINAL rules


Article ID: 238379


Updated On:


CA Privileged Identity Management Endpoint (PIM)


The following TERMINAL rule has been configured

editres TERMINAL ('') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('') access(READ) uid('testuser')

However, when testuser connects via SSH to the PIM Endpoint, the login prompt appears, but after the correct password is entered the connection is closed:

# ssh testuser@<IP>
testuser@<IP>'s password:
Connection to <IP> closed by remote host.
Connection to <IP> closed.

Note: <IP> is the IP address of the PIM Endpoint server.

Audit log shows

01 Mar 2022 05:34:34 D LOGIN        testuser               69  2     SSH 

Running seaudit -t on audit code 69 shows

69      No Step that allowed access



There is a duplicate TERMINAL rule for the same endpoint, keyed by its Fully Qualified Host Name (FQHN) rather than by its IP address (the FQHN is the name that the endpoint's IP address resolves to). The following duplicate TERMINAL rule with the FQHN exists:

editres TERMINAL ('') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('test.broadcom.comr') access(READ) uid('imadmin')

Notice that this TERMINAL rule has no authorize entry for 'testuser'; with defaccess(NONE), only 'imadmin' can log in through it.


Release : 12.8.x

Component : CA ControlMinder - Unix


Although the TERMINAL rule keyed by IP address allows testuser access, the duplicate rule keyed by FQHN does not: it has defaccess(NONE) and no authorize entry for testuser. The SSH connection was matched against the FQHN rule, so no rule step granted access and PIM denied the login (audit code 69, "No Step that allowed access").

Consolidate the two TERMINAL rules into one. Remove the TERMINAL rule keyed by IP address and add 'testuser' to the TERMINAL rule keyed by FQHN:

AC> auth terminal uid(testuser) access(read)

It does not matter whether the TERMINAL rule is keyed by IP address or by FQHN, as long as the OS can resolve the name. What matters is that there is only one TERMINAL rule per host, and that it authorizes every user who needs to log in through it.
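The following script is an added example, not code from the article or from the PIM product. It parses selang TERMINAL rules in the form shown above (editres/authorize lines), groups the TERMINAL resources by the host they resolve to, and reports users who are authorized under one name but would be denied under a duplicate rule for the same host. The rule dump, the address 192.0.2.10 and the resolution table that stands in for DNS are all constructed for illustration; in practice the resolution table would come from the endpoint's hosts/DNS configuration, since that is what the OS uses to match the connection to a TERMINAL rule.

```python
"""Detect duplicate PIM TERMINAL rules (same host under IP and FQHN) and the
users each duplicate would lock out. Rule lines follow the selang syntax quoted
in the article; everything else here is a constructed example."""
import re
from collections import defaultdict

# Constructed rule dump mirroring the article's two rules. 192.0.2.10 is a
# documentation-range address assumed (not known) to be the endpoint's IP.
RULES = """\
editres TERMINAL ('192.0.2.10') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('192.0.2.10') access(READ) uid('testuser')
editres TERMINAL ('test.broadcom.com') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('test.broadcom.com') access(READ) uid('imadmin')
"""

# Consolidated rules as the article recommends: IP rule removed, testuser added.
FIXED_RULES = """\
editres TERMINAL ('test.broadcom.com') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('test.broadcom.com') access(READ) uid('imadmin')
authorize TERMINAL ('test.broadcom.com') access(READ) uid('testuser')
"""

# Assumed name-resolution table standing in for DNS/hosts so the example runs offline.
RESOLVE = {"192.0.2.10": "test.broadcom.com", "test.broadcom.com": "test.broadcom.com"}

RULE_RE = re.compile(r"^(editres|authorize)\s+TERMINAL\s+\('([^']*)'\)\s*(.*)$")
PROP_RE = re.compile(r"(\w+)\(([^)]*)\)")


def parse_rules(text):
    """Return {terminal_name: {"defaccess": str|None, "users": {uid: access}}}."""
    terminals = {}
    for line in text.splitlines():
        m = RULE_RE.match(line.strip())
        if not m:
            continue
        verb, name, rest = m.groups()
        entry = terminals.setdefault(name, {"defaccess": None, "users": {}})
        props = {k: v.strip("'") for k, v in PROP_RE.findall(rest)}
        if verb == "editres":
            entry["defaccess"] = props.get("defaccess")
        elif verb == "authorize" and "uid" in props:
            entry["users"][props["uid"]] = props.get("access")
    return terminals


def canonical(name, resolve):
    """Map an IP or hostname to the canonical FQHN (case-insensitive)."""
    return resolve.get(name, name).lower()


def find_duplicates(terminals, resolve):
    """Group TERMINAL resources by canonical host; keep only hosts with >1 rule."""
    groups = defaultdict(list)
    for name in terminals:
        groups[canonical(name, resolve)].append(name)
    return {host: names for host, names in groups.items() if len(names) > 1}


def users_at_risk(terminals, resolve):
    """For each duplicate rule, list users who can log in via a sibling rule but
    not via this one. Assumption: only defaccess(READ) grants login by default;
    any other defaccess value means a user needs an explicit authorize entry."""
    at_risk = {}
    for host, names in find_duplicates(terminals, resolve).items():
        allowed_by = {
            n: {u for u, acc in terminals[n]["users"].items() if acc != "NONE"}
            for n in names
        }
        everyone = set().union(*allowed_by.values())
        for n in names:
            if terminals[n]["defaccess"] == "READ":
                continue  # default access already lets everyone in
            missing = everyone - allowed_by[n]
            if missing:
                at_risk[(host, n)] = sorted(missing)
    return at_risk


if __name__ == "__main__":
    rules = parse_rules(RULES)
    for (host, name), users in users_at_risk(rules, RESOLVE).items():
        print(f"{host}: rule TERMINAL('{name}') would deny {', '.join(users)}")
    print("after consolidation, duplicates:", find_duplicates(parse_rules(FIXED_RULES), RESOLVE))
```

Run it against the constructed dump and it reports that the FQHN rule would deny testuser (the article's case) and, symmetrically, that the IP rule would deny imadmin; against the consolidated rules it finds no duplicates.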