
SSH Login denied due to duplicate TERMINAL rules

Article ID: 238379
Products

CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

The following TERMINAL rule has been configured

editres TERMINAL ('10.10.10.10') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('10.10.10.10') access(READ) uid('testuser')

However, when testuser runs SSH from 10.10.10.10 to the PIM Endpoint, the login prompt appears, but after the correct password is entered the connection is closed.

# ssh [email protected]
[email protected]'s password:
Connection to 10.10.10.15 closed by remote host.
Connection to 10.10.10.15 closed.

Note: 10.10.10.15 is the IP address of the PIM Endpoint server.

The audit log shows:

01 Mar 2022 05:34:34 D LOGIN        testuser               69  2 test.broadcom.com     SSH 

seaudit -t for code 69 shows:

69      No Step that allowed access


Cause

There is a duplicate TERMINAL rule that uses the Fully Qualified Hostname (FQHN); in this example the FQHN of 10.10.10.10 is test.broadcom.com. The following duplicate TERMINAL rule with the FQHN exists:

editres TERMINAL ('test.broadcom.com') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('test.broadcom.com') access(READ) uid('imadmin')

Notice that there is no authorize TERMINAL rule for 'testuser' in the TERMINAL rule above.

Environment

Release : 12.8.x

Component : CA ControlMinder - Unix

Resolution

Although the first TERMINAL rule, which uses the IP address, allows testuser access, the duplicate TERMINAL rule that uses the FQHN does not allow testuser access.
Because both rules apply to the same terminal, PIM denied the login on the strength of the duplicate rule.

You can consolidate the TERMINAL rules into one. Remove the TERMINAL rule with the IP address and add 'testuser' to the TERMINAL rule with the FQHN:

AC> auth terminal test.broadcom.com uid(testuser) access(read)

It does not matter whether you use the IP address or the FQHN, as long as the OS can resolve it.
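The check below is an added example; it is not part of this article and not a PIM or selang tool. It parses TERMINAL rules in the editres/authorize form shown above, groups resource names by the host they resolve to, and reports every user who is authorized on one alias of a host but not on another. A constructed alias table (SAMPLE_RESOLVER) stands in for DNS so the example runs offline; for a live endpoint you would pass socket.gethostbyname instead. The SAMPLE_RULES text is constructed from the rules in this article, and the suggested authorize lines use the same syntax as the rules above.

```python
import re
import socket
from collections import defaultdict

# Constructed sample input: the two TERMINAL rules from the article.
SAMPLE_RULES = """
editres TERMINAL ('10.10.10.10') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('10.10.10.10') access(READ) uid('testuser')
editres TERMINAL ('test.broadcom.com') audit(FAILURE) defaccess(NONE) owner('nobody')
authorize TERMINAL ('test.broadcom.com') access(READ) uid('imadmin')
"""

# Constructed alias table standing in for DNS: name -> address it resolves to.
# An IP resolves to itself, which is also what socket.gethostbyname returns for an IP.
SAMPLE_RESOLVER = {
    "10.10.10.10": "10.10.10.10",
    "test.broadcom.com": "10.10.10.10",
}

RULE_RE = re.compile(r"^(editres|authorize)\s+TERMINAL\s+\('([^']+)'\)(.*)$")
UID_RE = re.compile(r"uid\('([^']+)'\)")
ACCESS_RE = re.compile(r"\baccess\(([^)]+)\)")  # \b keeps defaccess(...) from matching


def parse_rules(text):
    """Return {terminal_name: {uid: access}} from editres/authorize TERMINAL lines."""
    terminals = {}
    for raw in text.splitlines():
        m = RULE_RE.match(raw.strip())
        if not m:
            continue  # not a TERMINAL rule line; ignore
        verb, name, rest = m.groups()
        grants = terminals.setdefault(name, {})  # editres creates the resource
        if verb == "authorize":
            acc = ACCESS_RE.search(rest)
            access = acc.group(1) if acc else "READ"
            for uid in UID_RE.findall(rest):
                grants[uid] = access
    return terminals


def canonical(name, resolver):
    """Map a TERMINAL name to the host it denotes via a dict or a resolver function."""
    if callable(resolver):
        return resolver(name)
    return resolver.get(name, name)


def find_conflicts(terminals, resolver=socket.gethostbyname):
    """List (host, alias, uid, access) for users granted on one alias of a host but not another."""
    by_host = defaultdict(dict)
    for name, grants in terminals.items():
        by_host[canonical(name, resolver)][name] = grants
    conflicts = []
    for host, aliases in by_host.items():
        if len(aliases) < 2:
            continue  # a single rule per host cannot conflict with itself
        merged = {}
        for grants in aliases.values():
            merged.update(grants)
        for name, grants in aliases.items():
            for uid, access in merged.items():
                if uid not in grants:
                    conflicts.append((host, name, uid, access))
    return sorted(conflicts)


def suggest_fix(conflicts):
    """selang authorize lines that would give every alias the same grants."""
    return [
        f"authorize TERMINAL ('{name}') access({access}) uid('{uid}')"
        for _host, name, uid, access in conflicts
    ]


if __name__ == "__main__":
    found = find_conflicts(parse_rules(SAMPLE_RULES), SAMPLE_RESOLVER)
    for host, name, uid, access in found:
        print(f"{host}: '{uid}' is missing from TERMINAL ('{name}')")
    for line in suggest_fix(found):
        print(line)
```

The article's resolution (keep one rule per host) is the cleaner fix; the suggested lines are the alternative of making the aliases consistent, which is what you would apply if the duplicate rule cannot be removed immediately. The checker only sees what the rule listing contains, so run it on the full TERMINAL listing from the endpoint, not on a single rule.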