SSH Certificate Authentication fails when user has no email address defined



Article ID: 247689


Products

CA Privileged Access Manager (PAM)

Issue/Introduction

We are trying to implement the new SSH Certificate authentication feature in PAM 4.0.3 following the instructions on the page SSH Certificate Authentication for Accessing UNIX/LINUX Targets, but find that it fails for many LDAP and smart card users. The common factor is that these users don't have an email address defined in PAM.

There is no useful message shown to the user, or in the session logs, the launched SSH session just disappears after a few seconds.

Environment

Release : 4.0.3

Component : PRIVILEGED ACCESS MANAGEMENT

Cause

The new feature creates certificates using the email address of the user as the certificate identifier. In 4.0.3 this is hardcoded and cannot be configured. If no email address is defined for the user, the attempt to create the certificate fails with a NullPointerException. Nothing is reported to the user or in the session logs; the exception is visible only in the tomcat log, which can be downloaded and viewed from the Configuration > Diagnostics > Diagnostic Logs > Download page.

Resolution

For 4.0.3 there is no workaround other than adding an email address for each affected user. The problem is fixed in 4.0.4 and later releases, which fall back to the user ID as the certificate identifier when no email address is defined for the user. Note that 4.1.0 is older than 4.0.3 and does not have this feature. The 4.1.1 maintenance release already includes the fix.
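The following is an added example, not CA PAM code. It models the identifier selection described in the Cause and Resolution sections (email address only in 4.0.3, user ID fallback in 4.0.4 and later) and adds the two checks an administrator would want before enabling the feature: a list of users that have no email address, and a filter for the NullPointerException in a downloaded tomcat log. The dict layout of the user records, the exception class, and the log line format are assumptions made for this example; PAM's internal data structures and log format are not documented on this page.

```python
"""Added example (not CA PAM code): models the certificate identifier
selection described in the article and provides two pre-flight checks.

Assumptions (not from the article): user records are plain dicts with
"user_id" and "email" keys, and the tomcat log is read as lines of text.
"""
from typing import Iterable, List


class MissingIdentifierError(Exception):
    """Stands in for the NullPointerException the article reports for 4.0.3."""


def certificate_identifier(user: dict, fallback_to_user_id: bool) -> str:
    """Return the identity string that goes into the SSH certificate.

    fallback_to_user_id=False models 4.0.3: only the email address is used,
    so a user without one cannot get a certificate at all.
    fallback_to_user_id=True models 4.0.4 and later: the user ID is used
    when no email address is defined.
    """
    email = (user.get("email") or "").strip()
    if email:
        return email
    if fallback_to_user_id:
        return user["user_id"]
    raise MissingIdentifierError(
        f"user {user['user_id']!r} has no email address; certificate creation fails"
    )


def users_without_email(users: Iterable[dict]) -> List[str]:
    """Pre-flight check: user IDs that would hit the 4.0.3 failure."""
    return [u["user_id"] for u in users if not (u.get("email") or "").strip()]


def find_null_pointer_lines(log_lines: Iterable[str]) -> List[str]:
    """Filter downloaded tomcat log lines for the NullPointerException."""
    return [line for line in log_lines if "NullPointerException" in line]


# Constructed sample data (not taken from any real PAM instance).
SAMPLE_USERS = [
    {"user_id": "alice", "email": "alice@example.com"},
    {"user_id": "bob", "email": ""},   # LDAP user whose mail attribute is empty
    {"user_id": "carol"},              # smart card user with no email at all
]

# Constructed log lines in a made-up format; only the exception name matters.
SAMPLE_TOMCAT_LOG = [
    "INFO  issuing SSH certificate for alice",
    "ERROR java.lang.NullPointerException",
    "INFO  issuing SSH certificate for dave",
]


if __name__ == "__main__":
    print("users that will fail on 4.0.3:", users_without_email(SAMPLE_USERS))
    for u in SAMPLE_USERS:
        try:
            print("4.0.3:", certificate_identifier(u, fallback_to_user_id=False))
        except MissingIdentifierError as exc:
            print("4.0.3:", exc)
        print("4.0.4:", certificate_identifier(u, fallback_to_user_id=True))
    print("log hits:", find_null_pointer_lines(SAMPLE_TOMCAT_LOG))
```

Running `users_without_email` against an export of the PAM user list before enabling the feature on 4.0.3 gives the exact set of accounts that need an email address added; on 4.0.4 and later the same accounts get certificates identified by their user ID instead.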