We are trying to implement the new SSH Certificate authentication feature in PAM 4.0.3 following the instructions on the page SSH Certificate Authentication for Accessing UNIX/LINUX Targets, but find that it fails for many LDAP and smart card users. The common factor is that these users have no email address defined in PAM.
No useful message is shown to the user or in the session logs; the launched SSH session just disappears after a few seconds.
Release : 4.0.3
Component : PRIVILEGED ACCESS MANAGEMENT
The new feature creates certificates using the user's email address as the certificate identifier. In 4.0.3 this is hardcoded and cannot be configured. If the user has no email address, the attempt to create the certificate fails with a NullPointerException. This is visible only in the Tomcat log, which can be downloaded and viewed from the Configuration > Diagnostics > Diagnostic Logs > Download page.
For 4.0.3 there is no workaround other than adding email addresses for the affected users. The problem is fixed in 4.0.4 and later releases, which fall back to the user ID when no email address is defined for the user. Note that 4.1.0 is older than 4.0.3 and does not have this feature; the 4.1.1 maintenance release already includes the fix.
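As an added illustration (not CA/Broadcom PAM code), the script below shows how the chosen identifier ends up as the Key ID of an OpenSSH user certificate signed with ssh-keygen, and models the 4.0.3 behaviour (email only, hard failure when it is empty) next to the 4.0.4 behaviour (fall back to the user ID). The mode argument exists only for the demonstration; PAM 4.0.3 offers no such switch. The CA key, user key, user ID jsmith, principal name and the one-hour validity are assumed values; the signing demo runs only if ssh-keygen is installed.

```shell
#!/bin/sh
# Added example, not PAM code: certificate identifier selection and signing.
set -u

# pick_cert_identity EMAIL USERID MODE
#   MODE "4.0.3": email only; empty email is a hard failure (return 1)
#   MODE "4.0.4": email, falling back to the user ID when email is empty
# Prints the identifier that becomes the certificate's Key ID.
pick_cert_identity() {
    email=$1; userid=$2; mode=$3
    if [ -n "$email" ]; then
        printf '%s\n' "$email"
        return 0
    fi
    if [ "$mode" = "4.0.4" ] && [ -n "$userid" ]; then
        printf '%s\n' "$userid"
        return 0
    fi
    echo "no email address (or user ID) available for the certificate identifier" >&2
    return 1
}

# sign_user_key CA_KEY USER_PUBKEY IDENTITY PRINCIPAL
# Signs USER_PUBKEY with CA_KEY; ssh-keygen writes USER_PUBKEY's name with -cert.pub.
# -I is the Key ID (our identifier), -n the principal the target host will match.
sign_user_key() {
    ssh-keygen -q -s "$1" -I "$3" -n "$4" -V +1h "$2"
}

# demo: generate a throwaway CA and user key pair (assumed names), pick the
# identifier for a user without an email address, sign, and show the Key ID.
demo() {
    if ! command -v ssh-keygen >/dev/null 2>&1; then
        echo "ssh-keygen not found, skipping signing demo"
        return 0
    fi
    tmp=$(mktemp -d)
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/ca"
    ssh-keygen -q -t ed25519 -N '' -f "$tmp/user"

    # 4.0.3 behaviour: no email, so no identifier and no certificate.
    pick_cert_identity "" "jsmith" "4.0.3" || echo "4.0.3: certificate creation aborted"

    # 4.0.4 behaviour: fall back to the user ID and sign.
    ident=$(pick_cert_identity "" "jsmith" "4.0.4") || return 1
    sign_user_key "$tmp/ca" "$tmp/user.pub" "$ident" "jsmith"
    ssh-keygen -L -f "$tmp/user-cert.pub"   # Key ID line shows "jsmith"
    rm -rf "$tmp"
}

demo
```

In the real product the identifier is taken from the PAM user record; the point of the script is that an empty identifier must be rejected with a visible error before signing, which is exactly the step that surfaced only as a NullPointerException in the Tomcat log in 4.0.3.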