Terminal Freezes and Unexpected "41" Character During PostgreSQL Connection via PAM 4.2.2 Command Filter

Article ID: 423907

Updated On:

Products

CA Privileged Access Manager (PAM)

Issue/Introduction

Users connecting to a PostgreSQL database via a Privileged Access Manager (PAM) SSH session may experience terminal freezing and the insertion of an unexpected "41" character at the password prompt after upgrading PAM to version 4.2.2. This behavior occurs when a Command Filter Policy is active on the affected connection, even if the matching command is set to "Alert" and not "Block."

The specific issue manifests as:
- An unexpected "41" character appended to the password prompt.
- Authentication failure upon entering the password.
- The terminal becoming unresponsive (freezing), requiring multiple Ctrl+C attempts or a forced close.
- A "PAM-CMN-2165: Unauthorized word [command] typed" alert is logged for the filtered command (e.g., psql).

Environment

Product: Privileged Access Manager (PAM)
Affected Version(s): PAM 4.2.2 (Issue is NOT present in 4.1.5 or 4.1.6)
Operating System(s): Linux RedHat 9.5 (Client and Database Host)
Other Components: PostgreSQL (e.g., version 17.5), SSH, PAM Command Filter Policy (configured for Alert and Regex for commands like psql), OS Locale set to es_MX.UTF-8.

Cause

This issue is caused by a product defect that was introduced between PAM versions 4.1.6 and 4.2.2, specifically impacting how the SSH proxy handles terminal behavior and command filtering when a non-default locale (e.g., es_MX.UTF-8) is in use.

Resolution

This issue is permanently fixed in a later version of the product.
Permanent Fix: Upgrade to PAM Version 4.2.4 or higher.
The resolution for this issue is documented in the release information:
Resolved Issue: Command Filter Policy causes terminal to hang, rendering the session unresponsive.
Reference Link: PAM 4.2.4 Resolved Issues

Additional Information

Workaround

While awaiting an upgrade to PAM 4.2.4, a temporary workaround can be applied to alleviate the connection issue:
Enable a debug logging level in the SSH proxy configuration on one cluster member.
This can be done by contacting Broadcom Support.
Enabling this debug level requires an SSH DEBUG patch and Support Engineering taking control of a remote session to change a file.