We had just upgraded from PAMSC 14.10.40.17 to PAMSC 14.1 CP07 (14.10.70.54).
OS version is SunOS 5.11 11.4.84.201.1 sun4v sparc sun4v
We discovered that, when running the "sesu" utility, it does not prompt for a password and allows switching user. Upon checking, we noticed that "sewhoami" is showing the "root" user instead of the user who logged in. Note that the user logs in using an SSH session.
UseInvokerPassword token is set to "yes" in seos.ini
PAMSC Endpoint 14.1 CP07 on Solaris 11
There is no LOGINAPPL object with loginpath(/usr/lib/ssh/sshd-session)
In addition to the following LOGINAPPL rule,
editres LOGINAPPL ('LIB_SSH') audit(FAILURE) comment('Predefined rule for Login application.') defaccess(EXECUTE) loginflags(PAMLOGIN) loginmethod(NORMAL) loginseq(SGRP SUID) loginpath(/usr/lib/ssh/sshd)
add the following
editres LOGINAPPL ('LIB_SSH_SESSION') audit(FAILURE) comment('SSH SESSION Login application.') defaccess(EXECUTE) loginflags(PAMLOGIN) loginseq(SGRP SEID) loginpath(/usr/lib/ssh/sshd-session)
and authorize the login applications as necessary.