Linux Target Account Cannot Verify Through Another Account
Article ID: 258717

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Linux target account <TargetUser> is configured to have its password rotated and verified through target account <PWUpdater>. The password can be rotated without any issue, but password verification fails. With the Tomcat logs at INFO level, the following is seen: the su - to <TargetUser> does not report an error, but the verification script still fails.

[<PWUpdater>@<TargetServer>] $ ' MATCHES the pattern '[#|\$|>]
2023-01-01T13:34:32.453+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data 'su - <TargetUser>
'
2023-01-01T13:34:32.953+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data 'su - <TargetUser>
Password: ' MATCHES the pattern '(?si)(.*?password(\sfor|\sagain|)(\s\S*|):.*?)
2023-01-01T13:34:32.953+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data '<not logged>'
2023-01-01T13:34:33.455+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data '
Last login: Thu Jan 26 08:31:42 EST 2023 on pts/1
[<PWUpdater>@<TargetServer>] $ ' MATCHES the pattern '[#|\$|>]
2023-01-01T13:34:33.455+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.write T29517 - sent data 'echo 2069632112361492556-$?-7123426353307449221
'
2023-01-01T13:34:48.957+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.CSPMClientChannel.readUntil T29517 - received data 'echo 2069632112361492556-$?-71234263533074 49221
2069632112361492556-1-7123426353307449221
[<PWUpdater>@<TargetServer>] $ ' does NOT CONTAIN the case-sensitive string '2069632112361492556-0-7123426353307449221'
2023-01-01T13:34:48.960+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.BeanShellScriptProcessorImpl.executeScript stopping script processor
2023-01-01T13:34:49.060+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector.flushChannel ignored data read from channel ''
2023-01-01T13:34:49.160+0000 INFO [com.cloakware.cspm.server.plugin.targetmanager.UnixAdvancedTargetManager] com.cloakware.cspm.server.plugin.SSHConnector$1.log T29517 - jsch: Disconnecting from <TargetServer>.domain.com port 22
2023-01-01T13:34:49.160+0000 INFO [Connect thread <TargetServer>.domain.com session] com.cloakware.cspm.server.plugin.SSHConnector$1.log T29519 - jsch: Caught an exception, leaving main loop due to Socket closed
2023-01-01T13:34:49.161+0000 WARNING [TP3] com.cloakware.cspm.server.app.impl.VerifyAccountPasswordCmd.invoke **** ACCOUNT VERIFICATION FAILED: targetAccount ID: XXXXX' due to 'Error Code: 5996
Error Details: null
Error Message: Failed to verify the account credentials.  Review the log file for further information or else contact your Administrator.
Exception: com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: PAM-CM-1336: Failed to find case-sensitive patterns while reading from the communications channel: 2069632112361492556-0-7123426353307449221
Stack Trace: com.cloakware.cspm.server.plugin.ClientChannelTimeoutException: PAM-CM-1336: Failed to find case-sensitive patterns while reading from the communications channel: 2069632112361492556-0-7123426353307449221
    at com.cloakware.cspm.server.plugin.EnhancedCSPMClientChannel.readUntil(EnhancedCSPMClientChannel.java:233)
    at com.cloakware.cspm.server.plugin.EnhancedCSPMClientChannel.readUntil(EnhancedCSPMClientChannel.java:255)
    at sun.reflect.GeneratedMethodAccessor1142.invoke(Unknown Source)
    at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)

Environment

Privileged Access Manager, all versions

Cause

The logs show that after the su to <TargetUser>, the terminal prompt still showed <PWUpdater> as the logged-in user. Additionally, the echo $? command returned 1 rather than 0, which is why the verification fails.

Testing outside of PAM showed the same behavior. Running `grep testuser /etc/passwd` showed that the user's login shell was /bin/false.

Resolution

If a user's shell is /bin/false, the user cannot log in. PAM verifies a target account's password with either a login attempt or the su command, so the target account must have a valid login shell.
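The following pre-check is an added example, not part of this article or the PAM product. It reproduces the logic visible in the log above (su - to the target, then echo LEFT-$?-RIGHT, expecting LEFT-0-RIGHT) against a passwd entry, so an administrator can tell before configuring verify-through whether the target's login shell will make the check fail. The list of non-login shells and the sample passwd line are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example; not from the KB article or the PAM product. Pre-check whether a
# target account's login shell would let PAM's verify-through step succeed.
# PAM runs "su - <TargetUser>" and then "echo LEFT-$?-RIGHT", requiring the
# string "LEFT-0-RIGHT" in the reply. A shell such as /bin/false exits non-zero
# at once, so the prompt stays on <PWUpdater> and the reply carries "LEFT-1-RIGHT".

# Shells that never start a session (assumed list; extend for your platform).
NOLOGIN_SHELLS='/bin/false /usr/bin/false /sbin/nologin /usr/sbin/nologin'

# shell_of PASSWD_LINE: print the login shell, the 7th colon-separated field.
shell_of() {
  printf '%s\n' "$1" | cut -d: -f7
}

# shell_allows_login SHELL [SHELLS_FILE]: 0 if SHELL can host "su -", else 1.
# When SHELLS_FILE (e.g. /etc/shells) is given, SHELL must also be listed there.
shell_allows_login() {
  shell="$1"; shells_file="${2:-}"
  [ -n "$shell" ] || return 1
  for bad in $NOLOGIN_SHELLS; do
    if [ "$shell" = "$bad" ]; then return 1; fi
  done
  if [ -n "$shells_file" ] && [ -r "$shells_file" ]; then
    grep -qx -- "$shell" "$shells_file" || return 1
  fi
  return 0
}

# expected_marker PASSWD_LINE LEFT RIGHT [SHELLS_FILE]: print the marker line
# PAM would read back and return 0 only when verification would succeed.
expected_marker() {
  if shell_allows_login "$(shell_of "$1")" "${4:-}"; then
    printf '%s-0-%s\n' "$2" "$3"
    return 0
  fi
  printf '%s-1-%s\n' "$2" "$3"
  return 1
}

# Constructed sample reproducing the article: testuser's shell is /bin/false.
SAMPLE_LINE='testuser:x:1002:1002::/home/testuser:/bin/false'
expected_marker "$SAMPLE_LINE" 2069632112361492556 7123426353307449221 \
  || echo "verify-through would fail: shell is $(shell_of "$SAMPLE_LINE")"
```

On a real host, feed `getent passwd "$user"` as the passwd line and pass /etc/shells as the last argument.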