Issue rotating SSH Key
Article ID: 245668

Products

CA Privileged Access Manager (PAM)

Issue/Introduction


Using an SSH key to rotate a password; the ESXi credential script used to manage keys over SSH.

Environment

Release : 4.0

Component : PAM 4.0.2

Cause

When the SSH key was switched to rotate its own credentials, the update failed with a case-sensitive pattern error (PAM-CM-1336). Relevant log excerpt:

2022-07-07T12:19:38.983+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.ScriptProcessorImpl.debug start executing the default UNIX credentials update script
2022-07-07T12:19:39.042+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T14094 - sent data 'echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC0N1KfVE0NTNUXbGVN3a9Gf9cm3JeeSFqaSuwc2I4l0sjXuoGhnXpZcheHOvBASW7qNqBURbW8Cnu5h78XGD4n7SvzULVmn/pMXr5P7GcMTO4jMrjZw4YrH/i9mLCa0XPQQ2GdfcyBpAiuEOb+igCHo/l7yFkNg8yChh5b5MPbeBhLDVhL+bzfINC5Q/A+izdvPUVHH2JN"\
"qbjz/u9P7zvSU2M5yvfubQVkZbkhANU/X76UHc6OuCTDUrbkytrqXkEC8/zzQFS1uulwl4S29/YCXdC+X+enXCnGEmfSp/TmTQaS8vCHIykHNJKWED0JOjE9esIlpxB98bXzIqvp4Msp" > ~root/.ssh/id_rsa.pub
'
2022-07-07T12:19:39.045+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T14094 - sent data 'echo 2304849111639304952-$?-2736158474462623913
'
2022-07-07T12:19:54.549+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T14094 - received data '<not logged>'
2022-07-07T12:19:54.557+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl.executeScript stopping script processor
2022-07-07T12:19:54.658+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector.flushChannel ignored data read from channel ''
2022-07-07T12:19:54.758+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T14094 - jsch: Disconnecting from czchoesint194.prg-dc.dhl.com port 22
2022-07-07T12:19:54.759+0000 INFO [Connect thread czchoesint194.prg-dc.dhl.com session] com.cloakware.cspm.server.plugin.SSHConnector$1.log T14098 - jsch: Caught an exception, leaving main loop due to Socket closed
2022-07-07T12:19:54.771+0000 SEVERE [TP2] com.cloakware.cspm.server.app.impl.UpdateTargetAccountCmd.invoke UpdateTargetAccountCmd.invoke 5995: Failed to update the account credentials.  Review the log file for further information or else contact your Administrator.
com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: PAM-CM-1336: Failed to find case-sensitive patterns while reading from the communications channel: 2304849111639304952-0-2736158474462623913
Resolution

We modified the part of the key rotation script that uses sudo (another account's credentials to update the keys):

// ***************************************************************************
// Use another account's credentials to update the keys.
// ***************************************************************************

// Install the newly generated public key on the target.
sendCommand( updatePublicKeyCommand );
// Take a backup of authorized_keys before it is modified.
sendCommand( createAuthorizedKeysBackupFileCommand );
if ( ( oldPublicKey != null ) && !oldPublicKey.isEmpty() ) {
    // Remove the previous key and replace authorized_keys with the filtered copy.
    sendCommand( deauthorizedOldPublicKeyCommand, false );
    sendCommand( replaceAuthorizedKeysFileCommand );
}
// Add the new public key to authorized_keys.
sendCommand( updateAuthorizedKeysCommand );
// Restore the expected permissions on the public key, authorized_keys and its backup.
sendCommand( resetPublicKeyPermissionsCommand );
sendCommand( resetAuthorizedKeysPermissionsCommand );
sendCommand( resetAuthorizedKeysBackupPermissionsCommand );

With this change, rotation using the root password account rotates the root SSH keys successfully, so the ESXi use case can be fulfilled without a second local account.

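As an added illustration (not the PAM product script and not the attached .bsh file), the same sequence the command names above describe, written as POSIX shell that would run on the target, plus the post-rotation check an operator would want; the function names, paths and sample keys are assumptions for the example.

```shell
#!/bin/sh
# Added example, not the PAM product script or the attached .bsh file.
# rotate_ssh_key SSH_DIR NEW_PUBKEY_FILE [OLD_PUBKEY_FILE] mirrors the
# command sequence above (update pub key, back up, deauthorize old, update,
# reset permissions). Names and paths are assumptions for illustration.
rotate_ssh_key() (
    ssh_dir=$1; new_pub=$2; old_pub=${3:-}
    auth="$ssh_dir/authorized_keys"; backup="$auth.bak"
    umask 077                      # subshell body: umask/exit affect only this call
    mkdir -p "$ssh_dir" || exit 1

    # updatePublicKeyCommand: install the new public key file
    cp "$new_pub" "$ssh_dir/id_rsa.pub" || exit 1

    # createAuthorizedKeysBackupFileCommand: snapshot before modifying
    [ -f "$auth" ] || : > "$auth"
    cp "$auth" "$backup" || exit 1

    # deauthorizedOldPublicKeyCommand + replaceAuthorizedKeysFileCommand:
    # filter the old key (matched on its base64 field, fixed string) out of
    # the backup and swap the result in; grep exits 1 when no line survives
    if [ -n "$old_pub" ] && [ -s "$old_pub" ]; then
        old_blob=$(awk 'NR==1{print $2}' "$old_pub")
        [ -n "$old_blob" ] || exit 1          # never filter on an empty pattern
        { grep -v -F "$old_blob" "$backup" || [ $? -eq 1 ]; } > "$auth.new" || exit 1
        mv "$auth.new" "$auth" || exit 1
    fi

    # updateAuthorizedKeysCommand: append the new key unless already present
    new_blob=$(awk 'NR==1{print $2}' "$new_pub")
    [ -n "$new_blob" ] || exit 1
    grep -q -F "$new_blob" "$auth" || cat "$new_pub" >> "$auth" || exit 1

    # reset*PermissionsCommand: sshd StrictModes rejects loose modes here
    chmod 700 "$ssh_dir" && chmod 644 "$ssh_dir/id_rsa.pub" \
        && chmod 600 "$auth" "$backup"
)

# Post-rotation check: exit 0 when the key in file $2 is listed in $1/authorized_keys
key_authorized() {
    grep -q -F "$(awk 'NR==1{print $2}' "$2")" "$1/authorized_keys"
}
```

Running the rotation a second time with the same keys is a no-op for authorized_keys (the new key is not appended twice), but the backup file is overwritten on every run.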
The updated ESXi credential script for managing SSH keys is attached.

Attachments

sshKeysESXiUpdateScript_1657531622384.bsh