PAM-CMN-0467 When Using API to Create Unix Account With SSH Key

Article ID: 274673

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

The PAM API is used to create target accounts, but the following error occurs when trying to create a Unix target account with an SSH key.

{
  "error": {
    "code": 400,
    "message": "Bad Request: PAM-CMN-0467: A Password Authority problem prevented completing the request. Message: No response from Password Authority. Check log for details."
  }
}

This is the API body used to create the account.

{
    "accountName":"sshkeyaccount",
    "aliasNames":null,
    "attributes":{
        "protocol": "SSH2_PUBLIC_KEY_AUTH",
        "verifyThroughOtherAccount": "false",
        "extensionType": "unixII",
        "passphrase": "<passphrase>",
        "keyoptions": null,
        "publicKey":"<base64pubkey>",
        "privateKey": "<base64privkey>",
        "useOtherAccountToChangePassword":"false",
        "otherAccount":null
    },
    "cacheBehavior":"useCacheFirst",
    "cacheDuration":"30",
    "description1":"LINUX",
    "description2":null,
    "password":"<base64privkey>",
    "passwordViewPolicyId":null,
    "privileged":"t",
    "synchronize":"f",
    "useAliasNameParameter":null,
    "passwordIsBase64Encoded":"t"
}

Environment

Privileged Access Manager, all versions

Cause

To pass the SSH public and private keys through the API, the keys must first be base64 encoded. In this case, the following PowerShell commands were used to encode the SSH keys with Unicode encoding. In .NET, the Unicode encoding is UTF-16LE, which writes a null byte after every ASCII character, so the SSH keys contained null characters when PAM decoded them, causing the function to break.

$Text = 'public/private SSH key text'
$Bytes = [System.Text.Encoding]::Unicode.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText

Resolution

For best results, it is advised to use openssl to encode the SSH keys. If openssl is unavailable in the environment, use the following PowerShell commands to encode the SSH keys using UTF8 encoding.

$Text = 'public/private SSH key text'
$Bytes = [System.Text.Encoding]::UTF8.GetBytes($Text)
$EncodedText = [Convert]::ToBase64String($Bytes)
$EncodedText
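
The encoded value can be checked at the byte level before it is placed in the API body. The following is an added example, not part of the original article or of the product's tooling; the function names ConvertTo-KeyBase64 and Test-KeyBase64 and the sample key text are hypothetical and constructed for illustration.

```powershell
# Added example: pre-flight check for base64 key material destined for the API body.
# Function names are hypothetical; the key text below is a constructed placeholder.

function ConvertTo-KeyBase64 {
    # Encode key text as UTF-8 bytes (GetBytes emits no BOM) and return single-line base64.
    param([Parameter(Mandatory)][string]$KeyText)
    $bytes = [System.Text.Encoding]::UTF8.GetBytes($KeyText)
    return [Convert]::ToBase64String($bytes)
}

function Test-KeyBase64 {
    # Decode a base64 string and report null bytes or a byte-order mark,
    # either of which means the key text was not encoded as plain UTF-8.
    param([Parameter(Mandatory)][string]$Base64)
    $bytes = [Convert]::FromBase64String($Base64)
    $nullCount = @($bytes | Where-Object { $_ -eq 0 }).Count
    $bom = ''
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $bom = 'UTF-8'
    }
    elseif ($bytes.Length -ge 2 -and $bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) {
        $bom = 'UTF-16LE'
    }
    [pscustomobject]@{
        DecodedLength = $bytes.Length
        NullBytes     = $nullCount
        Bom           = $bom
        Ok            = ($nullCount -eq 0 -and $bom -eq '')
    }
}

# Constructed sample standing in for real key text (not a usable key).
$sample = "-----BEGIN OPENSSH PRIVATE KEY-----`nCONSTRUCTED-PLACEHOLDER`n-----END OPENSSH PRIVATE KEY-----`n"

# Encoding from the Cause section: UTF-16LE, one null byte per ASCII character.
$utf16 = [Convert]::ToBase64String([System.Text.Encoding]::Unicode.GetBytes($sample))

# Encoding from the Resolution section: UTF-8.
$utf8 = ConvertTo-KeyBase64 -KeyText $sample

# Compare the two results; only a value with Ok = True should go into the request.
Test-KeyBase64 -Base64 $utf16
Test-KeyBase64 -Base64 $utf8
```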

Additional Information

For information about all options which could be used in the API for SSH key accounts, please refer to the following KB article.

https://knowledge.broadcom.com/external/article?articleId=190503