Linux target account testuser is configured to have its password rotated and verified through target account pamadmin. The password can be rotated without any issue, but password verification fails. With the Tomcat logs set to INFO mode, the following is seen. The `su - testuser` command itself does not return an error, but the verification script still fails.
[[email protected]] $ ' MATCHES the pattern '[#|\$|>]
2023-01-01T13:34:32.453+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data 'su - testuser
'
2023-01-01T13:34:32.953+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data 'su - testuser
Password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)
2023-01-01T13:34:32.953+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data '<not logged>'
2023-01-01T13:34:33.455+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data '
Last login: Thu Jan 26 08:31:42 EST 2023 on pts/1
[[email protected]] $ ' MATCHES the pattern '[#|\$|>]
2023-01-01T13:34:33.455+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data 'echo 2069632112361492556-$?-7123426353307449221
'
2023-01-01T13:34:48.957+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data 'echo 2069632112361492556-$?-71234263533074 49221
2069632112361492556-1-7123426353307449221
[[email protected]] $ ' does NOT CONTAIN the case-sensitive string '2069632112361492556-0-7123426353307449221'
2023-01-01T13:34:48.960+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl.executeScript stopping script processor
2023-01-01T13:34:49.060+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector.flushChannel ignored data read from channel ''
2023-01-01T13:34:49.160+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T29517 - jsch: Disconnecting from lnxtestserver1.domain.com port 22
2023-01-01T13:34:49.160+0000 INFO [Connect thread lnxtestserver1.domain.com session] com.cloakware.cspm.server.plugin.SSHConnector$1.log T29519 - jsch: Caught an exception, leaving main loop due to Socket closed
2023-01-01T13:34:49.161+0000 WARNING [TP3] com.cloakware.cspm.server.app.impl.VerifyAccountPasswordCmd.invoke **** ACCOUNT VERIFICATION FAILED: targetAccount ID: 10001' due to 'Error Code: 5996
Error Details: null
Error Message: Failed to verify the account credentials. Review the log file for further information or else contact your Administrator.
Exception: com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: PAM-CM-1336: Failed to find case-sensitive patterns while reading from the communications channel: 2069632112361492556-0-7123426353307449221
Stack Trace: com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: PAM-CM-1336: Failed to find case-sensitive patterns while reading from the communications channel: 2069632112361492556-0-7123426353307449221
at com.cloakware.cspm.server.plugin.EnhancedCSPMClientChannel.readUntil(EnhancedCSPMClientChannel.java:233)
at com.cloakware.cspm.server.plugin.EnhancedCSPMClientChannel.readUntil(EnhancedCSPMClientChannel.java:255)
at sun.reflect.GeneratedMethodAccessor1142.invoke(Unknown Source)
at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
Privileged Access Manager, all versions
The logs show that after the `su - testuser`, the shell prompt still showed pamadmin as the logged-in user; the su never actually switched to testuser. Additionally, the `echo $?` check that follows the su returned 1 rather than 0, so the expected success marker (`...-0-...`) is never seen on the channel. This is why the verification fails with PAM-CM-1336.
Testing outside of PAM showed the same behavior. When the command `grep testuser /etc/passwd` was run, it showed the user's shell was /bin/false.
If a user's login shell is /bin/false (or another non-interactive shell such as /sbin/nologin), the user cannot start a login session. PAM verifies a target account's password with either a direct login attempt or the su command, so the target account must have a valid interactive login shell for verification to succeed.
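The following is an added example (not part of the original article or of the PAM product) that a Linux administrator can use as a pre-check before onboarding a target account for password verification. It reads the login shell from passwd data, rejects shells that cannot start a session, and confirms the shell is listed in the system's shells file. It also reproduces the marker-based exit-status check visible in the log above (`echo MARKER-$?-MARKER`, then look for the `-0-` form). The passwd and shells data embedded below are constructed sample input; point PASSWD_DATA and SHELLS_DATA at the real /etc/passwd and /etc/shells in production.

```shell
#!/bin/sh
# Added example: pre-flight check that a PAM target account can be verified
# via login or su. Constructed sample data stands in for /etc/passwd and
# /etc/shells so the script runs offline; replace with:
#   PASSWD_DATA=$(cat /etc/passwd); SHELLS_DATA=$(grep -v '^#' /etc/shells)

PASSWD_DATA='root:x:0:0:root:/root:/bin/bash
pamadmin:x:1001:1001:PAM admin:/home/pamadmin:/bin/bash
testuser:x:1002:1002:Test user:/home/testuser:/bin/false
svcacct:x:1003:1003:Service account:/var/lib/svc:/usr/sbin/nologin
appuser:x:1004:1004:App user:/home/appuser:/bin/zsh'

SHELLS_DATA='/bin/sh
/bin/bash
/bin/zsh'

# Print the login shell (7th passwd field) for a user; prints nothing if absent.
user_shell() {
    printf '%s\n' "$PASSWD_DATA" | awk -F: -v u="$1" '$1 == u { print $7; exit }'
}

# Return 0 if the shell can start an interactive session: it must not be a
# known "no login" shell and must appear in the shells list.
shell_is_interactive() {
    case "$1" in
        ''|/bin/false|/bin/true|/sbin/nologin|/usr/sbin/nologin) return 1 ;;
    esac
    printf '%s\n' "$SHELLS_DATA" | grep -qx -- "$1"
}

# Return 0 when PAM's su/login based verification can succeed for the account.
account_verifiable() {
    shell_is_interactive "$(user_shell "$1")"
}

# Report each account given on the command line; return 1 if any would fail.
check_accounts() {
    rc=0
    for u in "$@"; do
        s=$(user_shell "$u")
        if account_verifiable "$u"; then
            printf 'OK    %-10s shell=%s\n' "$u" "$s"
        else
            printf 'FAIL  %-10s shell=%s (su/login verification will fail)\n' \
                "$u" "${s:-<no such user>}"
            rc=1
        fi
    done
    return $rc
}

# Mirror of the marker check seen in the PAM log: run a command in a subshell,
# echo LEFT-$?-RIGHT, and succeed only if the "-0-" form of the marker appears.
# The marker numbers are the ones shown in the log above.
marker_check() {
    out=$(sh -c "$1 >/dev/null 2>&1; echo 2069632112361492556-\$?-7123426353307449221")
    case "$out" in
        *2069632112361492556-0-7123426353307449221*) return 0 ;;
    esac
    return 1
}

# Usage: ./precheck.sh pamadmin testuser svcacct appuser
check_accounts "$@"
```

Run it with the target account names as arguments; any FAIL line identifies an account whose shell must be changed (for example with `chsh` or `usermod -s`) before PAM verification can pass. The marker_check function shows the same failure mode as the log: a command that exits non-zero produces a `-1-` marker, which never matches the `-0-` string the verifier waits for.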